./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor337749383 <...> DUID 00:04:7c:8f:25:e4:1e:61:d4:15:b8:1c:50:2a:7f:f5:0b:01 forked to background, child pid 3209 [ 29.612953][ T3210] 8021q: adding VLAN 0 to HW filter on device bond0 [ 29.622222][ T3210] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.165' (ECDSA) to the list of known hosts. execve("./syz-executor337749383", ["./syz-executor337749383"], 0x7ffe486f0390 /* 10 vars */) = 0 brk(NULL) = 0x55555635f000 brk(0x55555635fc40) = 0x55555635fc40 arch_prctl(ARCH_SET_FS, 0x55555635f300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x55555635f5d0) = 3630 set_robust_list(0x55555635f5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7fc8867c3430, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fc8867c3b00}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7fc8867c34d0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fc8867c3b00}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor337749383", 4096) = 27 brk(0x555556380c40) = 0x555556380c40 brk(0x555556381000) = 0x555556381000 mprotect(0x7fc886897000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 3630 mkdir("./syzkaller.bRJiuG", 0700) = 0 chmod("./syzkaller.bRJiuG", 0777) = 0 chdir("./syzkaller.bRJiuG") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3631 ./strace-static-x86_64: Process 3631 attached [pid 3631] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3631] chdir("./0") = 0 [pid 3631] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3631] setpgid(0, 0) = 0 [pid 3631] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3631] write(3, "1000", 4) = 4 [pid 3631] close(3) = 0 [pid 3631] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3631] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3631] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3631] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3631] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3633], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3633 [pid 3631] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3631] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3633 attached [pid 3633] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3633] memfd_create("syzkaller", 0) = 3 [pid 3633] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3633] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3633] munmap(0x7fc87e392000, 16777216) = 0 [pid 3633] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3633] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3633] close(3) = 0 [pid 3633] mkdir("./file0", 0777) = 0 syzkaller login: [ 50.909102][ T3633] loop0: detected capacity change from 0 to 32768 [ 50.921858][ T3633] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 50.930213][ T3633] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 50.943022][ T3633] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 50.952785][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 50.959609][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [ 50.994342][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 51.002613][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [pid 3633] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3633] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3633] chdir("./file0") = 0 [pid 3633] ioctl(4, LOOP_CLR_FD) = 0 [pid 3633] close(4) = 0 [pid 3633] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3631] <... futex resumed>) = 0 [pid 3631] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3631] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3633] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3633] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3631] <... futex resumed>) = 0 [pid 3631] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3631] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3633] <... futex resumed>) = 1 [ 51.008330][ T3633] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 51.032572][ T3633] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 51.041195][ T3633] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 51.041195][ T3633] inode = 12 2341 [ 51.041195][ T3633] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [pid 3633] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3631] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3631] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3631] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3631] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3631] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3634], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3634 [pid 3631] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3634 attached [pid 3634] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3634] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3634] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 51.060319][ T3633] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 51.069500][ T3633] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3633 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 51.079722][ T3633] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 51.090877][ T3633] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 51.098787][ T3633] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 51.107691][ T3633] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 51.116215][ T3633] gfs2: fsid=syz:syz.0: File system withdrawn [ 51.122497][ T3633] CPU: 0 PID: 3633 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 51.132915][ T3633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 51.142962][ T3633] Call Trace: [ 51.146232][ T3633] [ 51.149171][ T3633] dump_stack_lvl+0x1b1/0x28e [ 51.153860][ T3633] ? nf_tcp_handle_invalid+0x62e/0x62e [ 51.159333][ T3633] ? panic+0x710/0x710 [ 51.163418][ T3633] ? kobject_uevent_env+0x46b/0x8e0 [ 51.168628][ T3633] gfs2_withdraw+0xf33/0x1540 [ 51.173326][ T3633] ? gfs2_lm+0x220/0x220 [ 51.177583][ T3633] ? gfs2_dirent_scan+0xb6/0x650 [ 51.182533][ T3633] ? panic+0x710/0x710 [ 51.186591][ T3633] ? gfs2_permission+0x2ff/0x430 [ 51.191524][ T3633] ? gfs2_consist_inode_i+0xf3/0x110 [ 51.196808][ T3633] gfs2_dirent_scan+0x535/0x650 [ 51.201655][ T3633] ? gfs2_dirent_search+0xb10/0xb10 [ 51.206850][ T3633] gfs2_dirent_search+0x2ea/0xb10 [ 51.211872][ T3633] ? gfs2_dirent_search+0xb10/0xb10 [ 51.217067][ T3633] ? gfs2_dir_search+0x2a0/0x2a0 [ 51.222001][ T3633] ? gfs2_permission+0x3bf/0x430 [ 51.226937][ T3633] gfs2_dir_search+0x8c/0x2a0 [ 51.231610][ T3633] ? do_filldir_main+0x530/0x530 [ 51.236537][ T3633] ? inode_go_held+0xe4/0x1f0 [ 51.241210][ T3633] ? gfs2_glock_wait+0x213/0x2a0 [ 51.246139][ T3633] gfs2_lookupi+0x465/0x650 [ 51.250642][ T3633] ? gfs2_lookup_simple+0x170/0x170 [ 51.255834][ T3633] ? __gfs2_lookup+0x8c/0x260 [ 51.260509][ T3633] __gfs2_lookup+0x8c/0x260 [ 51.265007][ T3633] ? gfs2_atomic_open+0x230/0x230 [ 51.270029][ T3633] ? __d_lookup+0x6a4/0x770 [ 51.274535][ T3633] ? d_hash_and_lookup+0x1c0/0x1c0 [ 51.279635][ T3633] gfs2_atomic_open+0xa4/0x230 [ 51.284393][ T3633] path_openat+0xf39/0x2df0 [ 51.288894][ T3633] ? gfs2_rename2+0x3000/0x3000 [ 51.293751][ T3633] ? do_filp_open+0x4f0/0x4f0 [ 51.298432][ T3633] do_filp_open+0x264/0x4f0 [ 51.302924][ T3633] ? vfs_tmpfile+0x490/0x490 [ 51.307514][ T3633] ? do_raw_spin_unlock+0x134/0x8a0 [ 51.312710][ T3633] ? _raw_spin_unlock+0x24/0x40 [ 51.317554][ T3633] ? alloc_fd+0x5a7/0x640 [ 51.321896][ T3633] do_sys_openat2+0x124/0x4e0 [ 51.326568][ T3633] ? print_irqtrace_events+0x220/0x220 [ 51.332017][ T3633] ? ptrace_stop+0x74d/0x970 [ 51.336603][ T3633] ? do_sys_open+0x220/0x220 [ 51.341194][ T3633] ? lockdep_hardirqs_on+0x8d/0x130 [ 51.346385][ T3633] ? _raw_spin_unlock_irq+0x2a/0x40 [ 51.351578][ T3633] ? ptrace_notify+0x245/0x340 [ 51.356335][ T3633] __x64_sys_openat+0x243/0x290 [ 51.361186][ T3633] ? __ia32_sys_open+0x270/0x270 [ 51.366135][ T3633] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 51.372115][ T3633] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 51.378268][ T3633] do_syscall_64+0x3d/0xb0 [ 51.382686][ T3633] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.388575][ T3633] RIP: 0033:0x7fc8868064d9 [ 51.392984][ T3633] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 51.412581][ T3633] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 51.420987][ T3633] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 51.428951][ T3633] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 51.436916][ T3633] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 51.444877][ T3633] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 51.452838][ T3633] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [pid 3634] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3633] <... openat resumed>) = -1 EIO (Input/output error) [pid 3633] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3633] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3631] exit_group(0 [pid 3634] <... futex resumed>) = ? [pid 3633] <... futex resumed>) = ? [pid 3631] <... exit_group resumed>) = ? [pid 3633] +++ exited with 0 +++ [pid 3634] +++ exited with 0 +++ [pid 3631] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3631, si_uid=0, si_status=0, si_utime=2, si_stime=28} --- umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./0/binderfs") = 0 [ 51.460823][ T3633] umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3635 ./strace-static-x86_64: Process 3635 attached [pid 3635] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3635] chdir("./1") = 0 [pid 3635] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3635] setpgid(0, 0) = 0 [pid 3635] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3635] write(3, "1000", 4) = 4 [pid 3635] close(3) = 0 [pid 3635] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3635] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3635] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3635] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3635] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3636 attached , parent_tid=[3636], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3636 [pid 3635] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3635] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3636] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3636] memfd_create("syzkaller", 0) = 3 [pid 3636] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3636] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3636] munmap(0x7fc87e392000, 16777216) = 0 [pid 3636] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3636] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3636] close(3) = 0 [pid 3636] mkdir("./file0", 0777) = 0 [ 51.781396][ T3636] loop0: detected capacity change from 0 to 32768 [ 51.791942][ T3636] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 51.800205][ T3636] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 51.811169][ T3636] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 51.819728][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 51.826910][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3636] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3636] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3636] chdir("./file0") = 0 [pid 3636] ioctl(4, LOOP_CLR_FD) = 0 [pid 3636] close(4) = 0 [pid 3636] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3635] <... futex resumed>) = 0 [pid 3635] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3635] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3636] <... futex resumed>) = 1 [pid 3636] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3636] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3635] <... futex resumed>) = 0 [pid 3635] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3635] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3636] <... futex resumed>) = 1 [ 51.865106][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 51.872696][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 51.877954][ T3636] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 51.895023][ T3636] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 51.903941][ T3636] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 51.903941][ T3636] inode = 12 2341 [pid 3636] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3635] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3635] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3635] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [ 51.903941][ T3636] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 51.924060][ T3636] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 51.934165][ T3636] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3636 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 51.944685][ T3636] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 51.953506][ T3636] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 51.961294][ T3636] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 51.970158][ T3636] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 51.976900][ T3636] gfs2: fsid=syz:syz.0: File system withdrawn [ 51.983453][ T3636] CPU: 0 PID: 3636 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 51.993865][ T3636] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 52.003912][ T3636] Call Trace: [ 52.007195][ T3636] [ 52.010134][ T3636] dump_stack_lvl+0x1b1/0x28e [ 52.014817][ T3636] ? nf_tcp_handle_invalid+0x62e/0x62e [ 52.020262][ T3636] ? panic+0x710/0x710 [ 52.024339][ T3636] ? kobject_uevent_env+0x46b/0x8e0 [ 52.029547][ T3636] ? do_raw_spin_unlock+0x134/0x8a0 [ 52.034759][ T3636] gfs2_withdraw+0xf33/0x1540 [ 52.039447][ T3636] ? gfs2_lm+0x220/0x220 [ 52.043693][ T3636] ? gfs2_dirent_scan+0xb6/0x650 [ 52.048642][ T3636] ? panic+0x710/0x710 [ 52.052695][ T3636] ? gfs2_permission+0x2ff/0x430 [ 52.057638][ T3636] ? gfs2_consist_inode_i+0xf3/0x110 [ 52.062943][ T3636] gfs2_dirent_scan+0x535/0x650 [ 52.067809][ T3636] ? gfs2_dirent_search+0xb10/0xb10 [ 52.073000][ T3636] gfs2_dirent_search+0x2ea/0xb10 [ 52.078029][ T3636] ? gfs2_dirent_search+0xb10/0xb10 [ 52.083239][ T3636] ? gfs2_dir_search+0x2a0/0x2a0 [ 52.088166][ T3636] ? gfs2_permission+0x3bf/0x430 [ 52.093202][ T3636] gfs2_dir_search+0x8c/0x2a0 [ 52.097882][ T3636] ? do_filldir_main+0x530/0x530 [ 52.102814][ T3636] ? inode_go_held+0xe4/0x1f0 [ 52.107487][ T3636] ? gfs2_glock_wait+0x213/0x2a0 [ 52.112418][ T3636] gfs2_lookupi+0x465/0x650 [ 52.116923][ T3636] ? gfs2_lookup_simple+0x170/0x170 [ 52.122118][ T3636] ? __gfs2_lookup+0x8c/0x260 [ 52.126798][ T3636] __gfs2_lookup+0x8c/0x260 [ 52.131305][ T3636] ? gfs2_atomic_open+0x230/0x230 [ 52.136327][ T3636] ? __d_lookup+0x6a4/0x770 [ 52.140819][ T3636] ? d_hash_and_lookup+0x1c0/0x1c0 [ 52.145923][ T3636] gfs2_atomic_open+0xa4/0x230 [ 52.150681][ T3636] path_openat+0xf39/0x2df0 [ 52.155180][ T3636] ? gfs2_rename2+0x3000/0x3000 [ 52.160037][ T3636] ? do_filp_open+0x4f0/0x4f0 [ 52.164717][ T3636] do_filp_open+0x264/0x4f0 [ 52.169211][ T3636] ? vfs_tmpfile+0x490/0x490 [ 52.173803][ T3636] ? do_raw_spin_unlock+0x134/0x8a0 [ 52.178999][ T3636] ? _raw_spin_unlock+0x24/0x40 [ 52.183844][ T3636] ? alloc_fd+0x5a7/0x640 [ 52.188172][ T3636] do_sys_openat2+0x124/0x4e0 [ 52.192840][ T3636] ? print_irqtrace_events+0x220/0x220 [ 52.198288][ T3636] ? ptrace_stop+0x74d/0x970 [ 52.202875][ T3636] ? do_sys_open+0x220/0x220 [ 52.207462][ T3636] ? lockdep_hardirqs_on+0x8d/0x130 [ 52.212655][ T3636] ? _raw_spin_unlock_irq+0x2a/0x40 [ 52.217849][ T3636] ? ptrace_notify+0x245/0x340 [ 52.222604][ T3636] __x64_sys_openat+0x243/0x290 [ 52.227450][ T3636] ? __ia32_sys_open+0x270/0x270 [ 52.232381][ T3636] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 52.238357][ T3636] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 52.244331][ T3636] do_syscall_64+0x3d/0xb0 [ 52.248738][ T3636] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 52.254636][ T3636] RIP: 0033:0x7fc8868064d9 [ 52.259042][ T3636] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 52.278638][ T3636] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 52.287043][ T3636] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 52.295006][ T3636] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 52.302969][ T3636] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3635] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE [pid 3636] <... openat resumed>) = -1 EIO (Input/output error) [pid 3635] <... mprotect resumed>) = 0 [pid 3636] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3635] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID [pid 3636] <... futex resumed>) = 0 [pid 3636] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3635] <... clone resumed>, parent_tid=[3637], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3637 [pid 3635] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3637 attached [pid 3637] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3637] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3637] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3637] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3635] exit_group(0 [pid 3637] <... futex resumed>) = ? [pid 3636] <... futex resumed>) = ? [pid 3635] <... exit_group resumed>) = ? [pid 3637] +++ exited with 0 +++ [pid 3636] +++ exited with 0 +++ [pid 3635] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3635, si_uid=0, si_status=0, si_utime=3, si_stime=25} --- umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./1/binderfs") = 0 [ 52.310931][ T3636] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 52.318890][ T3636] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 52.326864][ T3636] umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3638 ./strace-static-x86_64: Process 3638 attached [pid 3638] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3638] chdir("./2") = 0 [pid 3638] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3638] setpgid(0, 0) = 0 [pid 3638] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3638] write(3, "1000", 4) = 4 [pid 3638] close(3) = 0 [pid 3638] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3638] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3638] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3638] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3638] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3639 attached , parent_tid=[3639], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3639 [pid 3639] set_robust_list(0x7fc8867b29e0, 24 [pid 3638] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3639] <... set_robust_list resumed>) = 0 [pid 3638] <... futex resumed>) = 0 [pid 3638] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3639] memfd_create("syzkaller", 0) = 3 [pid 3639] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3639] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3639] munmap(0x7fc87e392000, 16777216) = 0 [pid 3639] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3639] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3639] close(3) = 0 [pid 3639] mkdir("./file0", 0777) = 0 [ 52.641442][ T3639] loop0: detected capacity change from 0 to 32768 [ 52.654927][ T3639] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 52.663234][ T3639] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 52.673142][ T3639] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 52.681735][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 52.688509][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3639] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3639] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3639] chdir("./file0") = 0 [pid 3639] ioctl(4, LOOP_CLR_FD) = 0 [pid 3639] close(4) = 0 [pid 3639] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3638] <... futex resumed>) = 0 [pid 3638] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3638] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3639] <... futex resumed>) = 1 [pid 3639] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3639] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3638] <... futex resumed>) = 0 [pid 3638] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3638] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3639] <... futex resumed>) = 1 [ 52.721734][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 52.731127][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 52.736350][ T3639] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3639] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3638] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3638] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3638] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 52.772025][ T3639] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 52.781415][ T3639] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 52.781415][ T3639] inode = 12 2341 [ 52.781415][ T3639] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 52.800247][ T3639] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 52.809788][ T3639] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3639 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3638] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3638] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3638] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3640], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3640 [pid 3638] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3640 attached [pid 3640] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 52.820286][ T3639] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 52.829070][ T3640] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 52.829101][ T3640] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 52.829101][ T3640] inode = 12 2341 [ 52.829101][ T3640] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 52.829123][ T3640] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 52.829147][ T3640] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3639 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 52.829299][ T3640] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3640 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 52.829331][ T3640] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 52.829351][ T3640] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 52.829363][ T3640] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 52.829373][ T3640] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 52.830824][ T3640] gfs2: fsid=syz:syz.0: File system withdrawn [ 52.923046][ T3640] CPU: 0 PID: 3640 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 52.933462][ T3640] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 52.943518][ T3640] Call Trace: [ 52.946802][ T3640] [ 52.949722][ T3640] dump_stack_lvl+0x1b1/0x28e [ 52.954438][ T3640] ? nf_tcp_handle_invalid+0x62e/0x62e [ 52.959902][ T3640] ? panic+0x710/0x710 [ 52.963986][ T3640] ? kobject_uevent_env+0x46b/0x8e0 [ 52.969190][ T3640] ? do_raw_spin_unlock+0x134/0x8a0 [ 52.974387][ T3640] gfs2_withdraw+0xf33/0x1540 [ 52.979075][ T3640] ? gfs2_lm+0x220/0x220 [ 52.983314][ T3640] ? gfs2_dirent_scan+0xb6/0x650 [ 52.988249][ T3640] ? panic+0x710/0x710 [ 52.992334][ T3640] ? lockdep_hardirqs_on_prepare+0x428/0x790 [ 52.998312][ T3640] ? gfs2_consist_inode_i+0xf3/0x110 [ 53.003852][ T3640] gfs2_dirent_scan+0x535/0x650 [ 53.008702][ T3640] ? gfs2_dirent_search+0xb10/0xb10 [ 53.013897][ T3640] gfs2_dirent_search+0x2ea/0xb10 [ 53.018917][ T3640] ? gfs2_dirent_search+0xb10/0xb10 [ 53.024114][ T3640] ? gfs2_dir_search+0x2a0/0x2a0 [ 53.029045][ T3640] ? gfs2_permission+0x3bf/0x430 [ 53.033982][ T3640] gfs2_dir_search+0x8c/0x2a0 [ 53.038667][ T3640] ? do_filldir_main+0x530/0x530 [ 53.043598][ T3640] ? inode_go_held+0xe4/0x1f0 [ 53.048286][ T3640] ? gfs2_glock_wait+0x213/0x2a0 [ 53.053222][ T3640] gfs2_lookupi+0x465/0x650 [ 53.057726][ T3640] ? gfs2_lookup_simple+0x170/0x170 [ 53.062942][ T3640] ? __gfs2_lookup+0x8c/0x260 [ 53.067611][ T3640] ? d_alloc_parallel+0x1144/0x1240 [ 53.072799][ T3640] ? memset+0x1f/0x40 [ 53.076776][ T3640] __gfs2_lookup+0x8c/0x260 [ 53.081273][ T3640] ? gfs2_atomic_open+0x230/0x230 [ 53.086295][ T3640] ? d_hash_and_lookup+0x1c0/0x1c0 [ 53.091399][ T3640] ? __init_waitqueue_head+0xa6/0x140 [ 53.096766][ T3640] __lookup_slow+0x266/0x3a0 [ 53.101348][ T3640] ? lookup_one_len+0x690/0x690 [ 53.106192][ T3640] ? try_to_unlazy+0x687/0xb80 [ 53.110948][ T3640] ? crc32_le_base+0x589/0xd00 [ 53.115705][ T3640] ? __down_read_common+0x156/0x2a0 [ 53.120906][ T3640] lookup_slow+0x53/0x70 [ 53.125141][ T3640] link_path_walk+0xa06/0xf00 [ 53.129820][ T3640] ? handle_lookup_down+0x130/0x130 [ 53.135017][ T3640] path_lookupat+0xab/0x450 [ 53.139525][ T3640] do_o_path+0x84/0x240 [ 53.143674][ T3640] ? do_tmpfile+0x330/0x330 [ 53.148176][ T3640] path_openat+0x2812/0x2df0 [ 53.152762][ T3640] ? stack_trace_save+0x104/0x1e0 [ 53.157786][ T3640] ? stack_trace_snprint+0xf0/0xf0 [ 53.162883][ T3640] ? rcu_read_lock_sched_held+0x87/0x110 [ 53.168507][ T3640] ? __stack_depot_save+0x36/0x4a0 [ 53.173616][ T3640] ? mark_lock+0x9a/0x350 [ 53.177944][ T3640] ? do_filp_open+0x4f0/0x4f0 [ 53.182612][ T3640] ? rcu_read_lock_sched_held+0x87/0x110 [ 53.188234][ T3640] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 53.194215][ T3640] do_filp_open+0x264/0x4f0 [ 53.198731][ T3640] ? vfs_tmpfile+0x490/0x490 [ 53.203322][ T3640] ? do_raw_spin_unlock+0x134/0x8a0 [ 53.208517][ T3640] ? _raw_spin_unlock+0x24/0x40 [ 53.213378][ T3640] ? alloc_fd+0x5a7/0x640 [ 53.217731][ T3640] do_sys_openat2+0x124/0x4e0 [ 53.222404][ T3640] ? print_irqtrace_events+0x220/0x220 [ 53.227852][ T3640] ? ptrace_stop+0x74d/0x970 [ 53.232436][ T3640] ? do_sys_open+0x220/0x220 [ 53.237020][ T3640] ? lockdep_hardirqs_on+0x8d/0x130 [ 53.242218][ T3640] ? _raw_spin_unlock_irq+0x2a/0x40 [ 53.247408][ T3640] ? ptrace_notify+0x245/0x340 [ 53.252171][ T3640] __x64_sys_openat+0x243/0x290 [ 53.257022][ T3640] ? __ia32_sys_open+0x270/0x270 [ 53.261956][ T3640] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 53.267929][ T3640] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 53.273903][ T3640] do_syscall_64+0x3d/0xb0 [ 53.278314][ T3640] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 53.284198][ T3640] RIP: 0033:0x7fc8868064d9 [ 53.288731][ T3640] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 53.308586][ T3640] RSP: 002b:00007fc87f391318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 53.316990][ T3640] RAX: ffffffffffffffda RBX: 00007fc88689d7b8 RCX: 00007fc8868064d9 [pid 3640] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3638] exit_group(0) = ? [pid 3640] <... openat resumed>) = ? [pid 3639] <... openat resumed>) = ? [pid 3640] +++ exited with 0 +++ [pid 3639] +++ exited with 0 +++ [pid 3638] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3638, si_uid=0, si_status=0, si_utime=2, si_stime=33} --- umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./2/binderfs") = 0 [ 53.324950][ T3640] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 53.332911][ T3640] RBP: 00007fc88689d7b0 R08: 00007fc87f391700 R09: 0000000000000000 [ 53.340872][ T3640] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 53.348832][ T3640] R13: 00007ffe2e4164af R14: 00007fc87f391400 R15: 0000000000022000 [ 53.356806][ T3640] umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./2/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3641 ./strace-static-x86_64: Process 3641 attached [pid 3641] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3641] chdir("./3") = 0 [pid 3641] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3641] setpgid(0, 0) = 0 [pid 3641] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3641] write(3, "1000", 4) = 4 [pid 3641] close(3) = 0 [pid 3641] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3641] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3641] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3641] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3641] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3642], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3642 [pid 3641] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3641] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3642 attached [pid 3642] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3642] memfd_create("syzkaller", 0) = 3 [pid 3642] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3642] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3642] munmap(0x7fc87e392000, 16777216) = 0 [pid 3642] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3642] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3642] close(3) = 0 [pid 3642] mkdir("./file0", 0777) = 0 [ 53.645144][ T3642] loop0: detected capacity change from 0 to 32768 [ 53.657008][ T3642] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 53.665595][ T3642] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 53.675537][ T3642] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 53.684893][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 53.691828][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3642] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3642] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3642] chdir("./file0") = 0 [pid 3642] ioctl(4, LOOP_CLR_FD) = 0 [pid 3642] close(4) = 0 [pid 3642] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3641] <... futex resumed>) = 0 [pid 3642] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3641] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3642] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3641] <... futex resumed>) = 0 [pid 3642] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3641] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 3642] <... futex resumed>) = 0 [pid 3642] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3641] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 53.730171][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 53.737863][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 53.743209][ T3642] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 53.781623][ T3642] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 53.790015][ T3642] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 53.790015][ T3642] inode = 12 2341 [ 53.790015][ T3642] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 53.809012][ T3642] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 53.818445][ T3642] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3642 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3641] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3641] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3641] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3641] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3641] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3643], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3643 ./strace-static-x86_64: Process 3643 attached [pid 3641] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3643] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3643] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3643] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 53.828876][ T3642] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 53.840360][ T3642] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 53.847972][ T3642] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 53.857266][ T3642] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 53.864841][ T3642] gfs2: fsid=syz:syz.0: File system withdrawn [ 53.871586][ T3642] CPU: 0 PID: 3642 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 53.882013][ T3642] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 53.892057][ T3642] Call Trace: [ 53.895330][ T3642] [ 53.898249][ T3642] dump_stack_lvl+0x1b1/0x28e [ 53.902922][ T3642] ? nf_tcp_handle_invalid+0x62e/0x62e [ 53.908369][ T3642] ? panic+0x710/0x710 [ 53.912426][ T3642] ? kobject_uevent_env+0x46b/0x8e0 [ 53.917717][ T3642] ? do_raw_spin_unlock+0x134/0x8a0 [ 53.922946][ T3642] gfs2_withdraw+0xf33/0x1540 [ 53.927647][ T3642] ? gfs2_lm+0x220/0x220 [ 53.931890][ T3642] ? gfs2_dirent_scan+0xb6/0x650 [ 53.936822][ T3642] ? panic+0x710/0x710 [ 53.940879][ T3642] ? gfs2_permission+0x2ff/0x430 [ 53.945815][ T3642] ? gfs2_consist_inode_i+0xf3/0x110 [ 53.951104][ T3642] gfs2_dirent_scan+0x535/0x650 [ 53.955971][ T3642] ? gfs2_dirent_search+0xb10/0xb10 [ 53.961174][ T3642] gfs2_dirent_search+0x2ea/0xb10 [ 53.966193][ T3642] ? gfs2_dirent_search+0xb10/0xb10 [ 53.971387][ T3642] ? gfs2_dir_search+0x2a0/0x2a0 [ 53.976412][ T3642] ? gfs2_permission+0x3bf/0x430 [ 53.981374][ T3642] gfs2_dir_search+0x8c/0x2a0 [ 53.986059][ T3642] ? do_filldir_main+0x530/0x530 [ 53.990993][ T3642] ? inode_go_held+0xe4/0x1f0 [ 53.995669][ T3642] ? gfs2_glock_wait+0x213/0x2a0 [ 54.000687][ T3642] gfs2_lookupi+0x465/0x650 [ 54.005190][ T3642] ? gfs2_lookup_simple+0x170/0x170 [ 54.010382][ T3642] ? __gfs2_lookup+0x8c/0x260 [ 54.015062][ T3642] __gfs2_lookup+0x8c/0x260 [ 54.019561][ T3642] ? gfs2_atomic_open+0x230/0x230 [ 54.024579][ T3642] ? __d_lookup+0x6a4/0x770 [ 54.029080][ T3642] ? d_hash_and_lookup+0x1c0/0x1c0 [ 54.034186][ T3642] gfs2_atomic_open+0xa4/0x230 [ 54.038962][ T3642] path_openat+0xf39/0x2df0 [ 54.043467][ T3642] ? gfs2_rename2+0x3000/0x3000 [ 54.048329][ T3642] ? do_filp_open+0x4f0/0x4f0 [ 54.053016][ T3642] do_filp_open+0x264/0x4f0 [ 54.057522][ T3642] ? vfs_tmpfile+0x490/0x490 [ 54.062123][ T3642] ? do_raw_spin_unlock+0x134/0x8a0 [ 54.067320][ T3642] ? _raw_spin_unlock+0x24/0x40 [ 54.072164][ T3642] ? alloc_fd+0x5a7/0x640 [ 54.076497][ T3642] do_sys_openat2+0x124/0x4e0 [ 54.081170][ T3642] ? print_irqtrace_events+0x220/0x220 [ 54.086624][ T3642] ? ptrace_stop+0x74d/0x970 [ 54.091211][ T3642] ? do_sys_open+0x220/0x220 [ 54.095794][ T3642] ? lockdep_hardirqs_on+0x8d/0x130 [ 54.100984][ T3642] ? _raw_spin_unlock_irq+0x2a/0x40 [ 54.106197][ T3642] ? ptrace_notify+0x245/0x340 [ 54.111129][ T3642] __x64_sys_openat+0x243/0x290 [ 54.115975][ T3642] ? __ia32_sys_open+0x270/0x270 [ 54.120996][ T3642] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 54.126976][ T3642] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 54.132951][ T3642] do_syscall_64+0x3d/0xb0 [ 54.137358][ T3642] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 54.143242][ T3642] RIP: 0033:0x7fc8868064d9 [ 54.147649][ T3642] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 54.167244][ T3642] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 54.175650][ T3642] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3643] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3642] <... openat resumed>) = -1 EIO (Input/output error) [pid 3642] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3642] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3641] exit_group(0 [pid 3643] <... futex resumed>) = ? [pid 3642] <... futex resumed>) = ? [pid 3641] <... exit_group resumed>) = ? [pid 3643] +++ exited with 0 +++ [pid 3642] +++ exited with 0 +++ [pid 3641] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3641, si_uid=0, si_status=0, si_utime=3, si_stime=28} --- umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./3/binderfs") = 0 [ 54.183614][ T3642] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 54.191578][ T3642] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 54.199540][ T3642] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 54.207519][ T3642] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 54.215498][ T3642] umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./3/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3644 attached , child_tidptr=0x55555635f5d0) = 3644 [pid 3644] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3644] chdir("./4") = 0 [pid 3644] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3644] setpgid(0, 0) = 0 [pid 3644] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3644] write(3, "1000", 4) = 4 [pid 3644] close(3) = 0 [pid 3644] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3644] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3644] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3644] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3644] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3645], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3645 ./strace-static-x86_64: Process 3645 attached [pid 3645] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3645] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3644] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3645] <... futex resumed>) = 0 [pid 3644] <... futex resumed>) = 1 [pid 3644] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3645] memfd_create("syzkaller", 0) = 3 [pid 3645] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3645] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3645] munmap(0x7fc87e392000, 16777216) = 0 [pid 3645] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3645] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3645] close(3) = 0 [pid 3645] mkdir("./file0", 0777) = 0 [ 54.557110][ T3645] loop0: detected capacity change from 0 to 32768 [ 54.569238][ T3645] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 54.577471][ T3645] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 54.587345][ T3645] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 54.596209][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 54.603239][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3645] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3645] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3645] chdir("./file0") = 0 [pid 3645] ioctl(4, LOOP_CLR_FD) = 0 [pid 3645] close(4) = 0 [pid 3645] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3644] <... futex resumed>) = 0 [pid 3644] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3644] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3645] <... futex resumed>) = 1 [pid 3645] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3645] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3644] <... futex resumed>) = 0 [pid 3644] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3644] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3645] <... futex resumed>) = 1 [ 54.641761][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 54.649381][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 54.654848][ T3645] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 54.675007][ T3645] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 54.683828][ T3645] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3645] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3644] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 54.683828][ T3645] inode = 12 2341 [ 54.683828][ T3645] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 54.702667][ T3645] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 54.711927][ T3645] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3645 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 54.722299][ T3645] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 54.730860][ T3645] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3644] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3644] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3644] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3644] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3646], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3646 ./strace-static-x86_64: Process 3646 attached [pid 3644] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3646] set_robust_list(0x7fc87f3919e0, 24 [pid 3644] <... futex resumed>) = 0 [pid 3646] <... set_robust_list resumed>) = 0 [pid 3646] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3646] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 54.738413][ T3645] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 54.750636][ T3645] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 54.757605][ T3645] gfs2: fsid=syz:syz.0: File system withdrawn [ 54.763889][ T3645] CPU: 0 PID: 3645 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 54.774325][ T3645] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 54.784387][ T3645] Call Trace: [ 54.787657][ T3645] [ 54.790576][ T3645] dump_stack_lvl+0x1b1/0x28e [ 54.795256][ T3645] ? nf_tcp_handle_invalid+0x62e/0x62e [ 54.800730][ T3645] ? panic+0x710/0x710 [ 54.804819][ T3645] ? kobject_uevent_env+0x46b/0x8e0 [ 54.810029][ T3645] ? do_raw_spin_unlock+0x134/0x8a0 [ 54.815251][ T3645] gfs2_withdraw+0xf33/0x1540 [ 54.819963][ T3645] ? gfs2_lm+0x220/0x220 [ 54.824200][ T3645] ? gfs2_dirent_scan+0xb6/0x650 [ 54.829163][ T3645] ? panic+0x710/0x710 [ 54.833249][ T3645] ? gfs2_permission+0x2ff/0x430 [ 54.838204][ T3645] ? gfs2_consist_inode_i+0xf3/0x110 [ 54.843496][ T3645] gfs2_dirent_scan+0x535/0x650 [ 54.848371][ T3645] ? gfs2_dirent_search+0xb10/0xb10 [ 54.853587][ T3645] gfs2_dirent_search+0x2ea/0xb10 [ 54.858627][ T3645] ? gfs2_dirent_search+0xb10/0xb10 [ 54.863839][ T3645] ? gfs2_dir_search+0x2a0/0x2a0 [ 54.868783][ T3645] ? gfs2_permission+0x3bf/0x430 [ 54.873734][ T3645] gfs2_dir_search+0x8c/0x2a0 [ 54.878425][ T3645] ? do_filldir_main+0x530/0x530 [ 54.883381][ T3645] ? inode_go_held+0xe4/0x1f0 [ 54.888051][ T3645] ? gfs2_glock_wait+0x213/0x2a0 [pid 3646] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3644] exit_group(0 [pid 3646] <... futex resumed>) = ? [pid 3644] <... exit_group resumed>) = ? [pid 3646] +++ exited with 0 +++ [ 54.892985][ T3645] gfs2_lookupi+0x465/0x650 [ 54.897496][ T3645] ? gfs2_lookup_simple+0x170/0x170 [ 54.902689][ T3645] ? __gfs2_lookup+0x8c/0x260 [ 54.907360][ T3645] __gfs2_lookup+0x8c/0x260 [ 54.911870][ T3645] ? gfs2_atomic_open+0x230/0x230 [ 54.916904][ T3645] ? __d_lookup+0x6a4/0x770 [ 54.921392][ T3645] ? d_hash_and_lookup+0x1c0/0x1c0 [ 54.926492][ T3645] gfs2_atomic_open+0xa4/0x230 [ 54.931259][ T3645] path_openat+0xf39/0x2df0 [ 54.935771][ T3645] ? gfs2_rename2+0x3000/0x3000 [ 54.940639][ T3645] ? do_filp_open+0x4f0/0x4f0 [ 54.945331][ T3645] do_filp_open+0x264/0x4f0 [ 54.949834][ T3645] ? vfs_tmpfile+0x490/0x490 [ 54.954454][ T3645] ? do_raw_spin_unlock+0x134/0x8a0 [ 54.959646][ T3645] ? _raw_spin_unlock+0x24/0x40 [ 54.964494][ T3645] ? alloc_fd+0x5a7/0x640 [ 54.968834][ T3645] do_sys_openat2+0x124/0x4e0 [ 54.973502][ T3645] ? print_irqtrace_events+0x220/0x220 [ 54.979035][ T3645] ? ptrace_stop+0x74d/0x970 [ 54.983625][ T3645] ? do_sys_open+0x220/0x220 [ 54.988223][ T3645] ? lockdep_hardirqs_on+0x8d/0x130 [ 54.993414][ T3645] ? _raw_spin_unlock_irq+0x2a/0x40 [ 54.998611][ T3645] ? ptrace_notify+0x245/0x340 [ 55.003380][ T3645] __x64_sys_openat+0x243/0x290 [ 55.008230][ T3645] ? __ia32_sys_open+0x270/0x270 [ 55.013175][ T3645] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 55.019144][ T3645] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 55.025114][ T3645] do_syscall_64+0x3d/0xb0 [ 55.029520][ T3645] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 55.035398][ T3645] RIP: 0033:0x7fc8868064d9 [ 55.039806][ T3645] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 55.059414][ T3645] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 55.067815][ T3645] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 55.075789][ T3645] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 55.083763][ T3645] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3645] <... openat resumed>) = ? [pid 3645] +++ exited with 0 +++ [pid 3644] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3644, si_uid=0, si_status=0, si_utime=2, si_stime=28} --- umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./4/binderfs") = 0 [ 55.091731][ T3645] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 55.099690][ T3645] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 55.107685][ T3645] umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./4/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3647 ./strace-static-x86_64: Process 3647 attached [pid 3647] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3647] chdir("./5") = 0 [pid 3647] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3647] setpgid(0, 0) = 0 [pid 3647] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3647] write(3, "1000", 4) = 4 [pid 3647] close(3) = 0 [pid 3647] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3647] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3647] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3647] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3647] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3648 attached , parent_tid=[3648], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3648 [pid 3648] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3648] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3647] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3648] <... futex resumed>) = 0 [pid 3647] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3648] memfd_create("syzkaller", 0) = 3 [pid 3648] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3648] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3648] munmap(0x7fc87e392000, 16777216) = 0 [pid 3648] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3648] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3648] close(3) = 0 [pid 3648] mkdir("./file0", 0777) = 0 [ 55.417791][ T3648] loop0: detected capacity change from 0 to 32768 [ 55.428775][ T3648] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 55.437158][ T3648] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 55.447189][ T3648] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 55.456055][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 55.463093][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3648] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3648] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3648] chdir("./file0") = 0 [pid 3648] ioctl(4, LOOP_CLR_FD) = 0 [pid 3648] close(4) = 0 [pid 3648] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3647] <... futex resumed>) = 0 [pid 3647] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3647] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3648] <... futex resumed>) = 1 [pid 3648] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3648] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3647] <... futex resumed>) = 0 [pid 3647] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3647] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3648] <... futex resumed>) = 1 [ 55.503094][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 55.510796][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 55.516096][ T3648] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 55.537468][ T3648] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3648] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3647] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3647] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3647] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3647] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3647] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3649], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3649 [pid 3647] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 55.546518][ T3648] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 55.546518][ T3648] inode = 12 2341 [ 55.546518][ T3648] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 55.567222][ T3648] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 55.576705][ T3648] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3648 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 55.588548][ T3648] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 ./strace-static-x86_64: Process 3649 attached [pid 3649] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3649] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3649] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 55.597326][ T3648] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 55.604683][ T3648] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 55.613490][ T3648] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 55.620025][ T3648] gfs2: fsid=syz:syz.0: File system withdrawn [ 55.626209][ T3648] CPU: 0 PID: 3648 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 55.636639][ T3648] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 55.646703][ T3648] Call Trace: [ 55.649975][ T3648] [ 55.652897][ T3648] dump_stack_lvl+0x1b1/0x28e [ 55.657589][ T3648] ? nf_tcp_handle_invalid+0x62e/0x62e [ 55.663131][ T3648] ? panic+0x710/0x710 [ 55.667209][ T3648] ? kobject_uevent_env+0x46b/0x8e0 [ 55.672403][ T3648] ? do_raw_spin_unlock+0x134/0x8a0 [ 55.677607][ T3648] gfs2_withdraw+0xf33/0x1540 [ 55.682292][ T3648] ? gfs2_lm+0x220/0x220 [ 55.686524][ T3648] ? gfs2_dirent_scan+0xb6/0x650 [ 55.691458][ T3648] ? panic+0x710/0x710 [ 55.695516][ T3648] ? gfs2_permission+0x2ff/0x430 [ 55.700456][ T3648] ? gfs2_consist_inode_i+0xf3/0x110 [ 55.705740][ T3648] gfs2_dirent_scan+0x535/0x650 [ 55.710594][ T3648] ? gfs2_dirent_search+0xb10/0xb10 [ 55.715792][ T3648] gfs2_dirent_search+0x2ea/0xb10 [ 55.720813][ T3648] ? gfs2_dirent_search+0xb10/0xb10 [ 55.726010][ T3648] ? gfs2_dir_search+0x2a0/0x2a0 [ 55.730941][ T3648] ? gfs2_permission+0x3bf/0x430 [ 55.735882][ T3648] gfs2_dir_search+0x8c/0x2a0 [ 55.740562][ T3648] ? do_filldir_main+0x530/0x530 [ 55.745496][ T3648] ? inode_go_held+0xe4/0x1f0 [ 55.750184][ T3648] ? gfs2_glock_wait+0x213/0x2a0 [ 55.755120][ T3648] gfs2_lookupi+0x465/0x650 [ 55.759647][ T3648] ? gfs2_lookup_simple+0x170/0x170 [ 55.764847][ T3648] ? __gfs2_lookup+0x8c/0x260 [ 55.769531][ T3648] __gfs2_lookup+0x8c/0x260 [ 55.774068][ T3648] ? gfs2_atomic_open+0x230/0x230 [ 55.779123][ T3648] ? __d_lookup+0x6a4/0x770 [ 55.783642][ T3648] ? d_hash_and_lookup+0x1c0/0x1c0 [ 55.788752][ T3648] gfs2_atomic_open+0xa4/0x230 [ 55.793519][ T3648] path_openat+0xf39/0x2df0 [ 55.798024][ T3648] ? gfs2_rename2+0x3000/0x3000 [ 55.802899][ T3648] ? do_filp_open+0x4f0/0x4f0 [ 55.807584][ T3648] do_filp_open+0x264/0x4f0 [ 55.812166][ T3648] ? vfs_tmpfile+0x490/0x490 [ 55.816759][ T3648] ? do_raw_spin_unlock+0x134/0x8a0 [ 55.821961][ T3648] ? _raw_spin_unlock+0x24/0x40 [ 55.826826][ T3648] ? alloc_fd+0x5a7/0x640 [ 55.831159][ T3648] do_sys_openat2+0x124/0x4e0 [ 55.835836][ T3648] ? print_irqtrace_events+0x220/0x220 [ 55.841285][ T3648] ? ptrace_stop+0x74d/0x970 [ 55.845872][ T3648] ? do_sys_open+0x220/0x220 [ 55.850457][ T3648] ? lockdep_hardirqs_on+0x8d/0x130 [ 55.855652][ T3648] ? _raw_spin_unlock_irq+0x2a/0x40 [ 55.860843][ T3648] ? ptrace_notify+0x245/0x340 [ 55.865681][ T3648] __x64_sys_openat+0x243/0x290 [ 55.870530][ T3648] ? __ia32_sys_open+0x270/0x270 [ 55.875482][ T3648] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 55.881478][ T3648] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 55.887470][ T3648] do_syscall_64+0x3d/0xb0 [ 55.891896][ T3648] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 55.897882][ T3648] RIP: 0033:0x7fc8868064d9 [ 55.902392][ T3648] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 55.922014][ T3648] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 55.930602][ T3648] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 55.938566][ T3648] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 55.946537][ T3648] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3649] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3648] <... openat resumed>) = -1 EIO (Input/output error) [pid 3648] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3648] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3647] exit_group(0 [pid 3649] <... futex resumed>) = ? [pid 3648] <... futex resumed>) = ? [pid 3647] <... exit_group resumed>) = ? [pid 3648] +++ exited with 0 +++ [pid 3649] +++ exited with 0 +++ [pid 3647] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3647, si_uid=0, si_status=0, si_utime=1, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./5/binderfs") = 0 [ 55.954592][ T3648] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 55.962551][ T3648] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 55.970540][ T3648] umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./5/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3650 ./strace-static-x86_64: Process 3650 attached [pid 3650] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3650] chdir("./6") = 0 [pid 3650] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3650] setpgid(0, 0) = 0 [pid 3650] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3650] write(3, "1000", 4) = 4 [pid 3650] close(3) = 0 [pid 3650] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3650] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3650] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3650] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3650] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3651 attached [pid 3651] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3651] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3650] <... clone resumed>, parent_tid=[3651], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3651 [pid 3650] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3650] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3651] <... futex resumed>) = 0 [pid 3651] memfd_create("syzkaller", 0) = 3 [pid 3651] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3651] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3651] munmap(0x7fc87e392000, 16777216) = 0 [pid 3651] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3651] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3651] close(3) = 0 [pid 3651] mkdir("./file0", 0777) = 0 [ 56.284117][ T3651] loop0: detected capacity change from 0 to 32768 [ 56.294185][ T3651] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 56.302477][ T3651] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 56.312812][ T3651] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 56.321619][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 56.328390][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3651] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3651] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3651] chdir("./file0") = 0 [pid 3651] ioctl(4, LOOP_CLR_FD) = 0 [pid 3651] close(4) = 0 [pid 3651] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3650] <... futex resumed>) = 0 [pid 3650] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3650] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3651] <... futex resumed>) = 1 [pid 3651] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3651] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3650] <... futex resumed>) = 0 [pid 3650] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3650] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3651] <... futex resumed>) = 1 [ 56.362211][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 56.369892][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 56.375388][ T3651] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 56.391268][ T3651] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 56.400370][ T3651] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 56.400370][ T3651] inode = 12 2341 [pid 3651] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3650] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3650] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3650] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3650] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3650] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3652], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3652 [ 56.400370][ T3651] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 56.419550][ T3651] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 56.429038][ T3651] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3651 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 56.439284][ T3651] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 56.447905][ T3651] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3650] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3652 attached [ 56.455223][ T3651] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 56.464057][ T3651] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 56.470728][ T3651] gfs2: fsid=syz:syz.0: File system withdrawn [ 56.476865][ T3651] CPU: 0 PID: 3651 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 56.487299][ T3651] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 56.497383][ T3651] Call Trace: [ 56.500664][ T3651] [ 56.503586][ T3651] dump_stack_lvl+0x1b1/0x28e [ 56.508264][ T3651] ? nf_tcp_handle_invalid+0x62e/0x62e [ 56.513720][ T3651] ? panic+0x710/0x710 [ 56.517782][ T3651] ? kobject_uevent_env+0x46b/0x8e0 [ 56.522982][ T3651] ? do_raw_spin_unlock+0x134/0x8a0 [ 56.528284][ T3651] gfs2_withdraw+0xf33/0x1540 [ 56.532994][ T3651] ? gfs2_lm+0x220/0x220 [ 56.537256][ T3651] ? gfs2_dirent_scan+0xb6/0x650 [ 56.542207][ T3651] ? panic+0x710/0x710 [ 56.546268][ T3651] ? gfs2_permission+0x2ff/0x430 [ 56.551203][ T3651] ? gfs2_consist_inode_i+0xf3/0x110 [ 56.556491][ T3651] gfs2_dirent_scan+0x535/0x650 [ 56.561343][ T3651] ? gfs2_dirent_search+0xb10/0xb10 [ 56.566540][ T3651] gfs2_dirent_search+0x2ea/0xb10 [ 56.571562][ T3651] ? gfs2_dirent_search+0xb10/0xb10 [ 56.576758][ T3651] ? gfs2_dir_search+0x2a0/0x2a0 [ 56.581691][ T3651] ? gfs2_permission+0x3bf/0x430 [ 56.586629][ T3651] gfs2_dir_search+0x8c/0x2a0 [ 56.591301][ T3651] ? do_filldir_main+0x530/0x530 [ 56.596233][ T3651] ? inode_go_held+0xe4/0x1f0 [ 56.600909][ T3651] ? gfs2_glock_wait+0x213/0x2a0 [ 56.605877][ T3651] gfs2_lookupi+0x465/0x650 [ 56.610419][ T3651] ? gfs2_lookup_simple+0x170/0x170 [ 56.615627][ T3651] ? __gfs2_lookup+0x8c/0x260 [ 56.620308][ T3651] __gfs2_lookup+0x8c/0x260 [ 56.624810][ T3651] ? gfs2_atomic_open+0x230/0x230 [ 56.629830][ T3651] ? __d_lookup+0x6a4/0x770 [ 56.634324][ T3651] ? d_hash_and_lookup+0x1c0/0x1c0 [ 56.639428][ T3651] gfs2_atomic_open+0xa4/0x230 [ 56.644195][ T3651] path_openat+0xf39/0x2df0 [ 56.648710][ T3651] ? gfs2_rename2+0x3000/0x3000 [ 56.653566][ T3651] ? do_filp_open+0x4f0/0x4f0 [ 56.658249][ T3651] do_filp_open+0x264/0x4f0 [ 56.662745][ T3651] ? vfs_tmpfile+0x490/0x490 [ 56.667333][ T3651] ? do_raw_spin_unlock+0x134/0x8a0 [ 56.672530][ T3651] ? _raw_spin_unlock+0x24/0x40 [ 56.677372][ T3651] ? alloc_fd+0x5a7/0x640 [ 56.681703][ T3651] do_sys_openat2+0x124/0x4e0 [ 56.686379][ T3651] ? print_irqtrace_events+0x220/0x220 [ 56.691829][ T3651] ? ptrace_stop+0x74d/0x970 [ 56.696502][ T3651] ? do_sys_open+0x220/0x220 [ 56.701087][ T3651] ? lockdep_hardirqs_on+0x8d/0x130 [ 56.706277][ T3651] ? _raw_spin_unlock_irq+0x2a/0x40 [ 56.711471][ T3651] ? ptrace_notify+0x245/0x340 [ 56.716223][ T3651] __x64_sys_openat+0x243/0x290 [ 56.721068][ T3651] ? __ia32_sys_open+0x270/0x270 [ 56.725999][ T3651] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 56.731976][ T3651] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 56.737978][ T3651] do_syscall_64+0x3d/0xb0 [ 56.742399][ T3651] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 56.748290][ T3651] RIP: 0033:0x7fc8868064d9 [ 56.752697][ T3651] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 56.772299][ T3651] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 56.780706][ T3651] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 56.788672][ T3651] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 56.796632][ T3651] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 56.805206][ T3651] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3652] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3652] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3652] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3652] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3651] <... openat resumed>) = -1 EIO (Input/output error) [pid 3651] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3651] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3650] exit_group(0) = ? [pid 3652] <... futex resumed>) = ? [pid 3652] +++ exited with 0 +++ [pid 3651] <... futex resumed>) = ? [pid 3651] +++ exited with 0 +++ [pid 3650] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3650, si_uid=0, si_status=0, si_utime=2, si_stime=29} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./6/binderfs") = 0 [ 56.813217][ T3651] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 56.821204][ T3651] umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./6/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./6/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3653 ./strace-static-x86_64: Process 3653 attached [pid 3653] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3653] chdir("./7") = 0 [pid 3653] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3653] setpgid(0, 0) = 0 [pid 3653] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3653] write(3, "1000", 4) = 4 [pid 3653] close(3) = 0 [pid 3653] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3653] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3653] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3653] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3653] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3654], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3654 [pid 3653] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 3654 attached ) = 0 [pid 3654] set_robust_list(0x7fc8867b29e0, 24 [pid 3653] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3654] <... set_robust_list resumed>) = 0 [pid 3654] memfd_create("syzkaller", 0) = 3 [pid 3654] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3654] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3654] munmap(0x7fc87e392000, 16777216) = 0 [pid 3654] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3654] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3654] close(3) = 0 [pid 3654] mkdir("./file0", 0777) = 0 [ 57.136525][ T3654] loop0: detected capacity change from 0 to 32768 [ 57.147876][ T3654] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 57.156294][ T3654] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 57.166181][ T3654] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 57.175087][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 57.182067][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3654] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3654] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3654] chdir("./file0") = 0 [pid 3654] ioctl(4, LOOP_CLR_FD) = 0 [pid 3654] close(4) = 0 [pid 3654] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3653] <... futex resumed>) = 0 [pid 3653] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3653] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3654] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3654] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3653] <... futex resumed>) = 0 [pid 3653] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3653] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 57.220015][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 57.227638][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 57.232936][ T3654] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 57.252666][ T3654] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 57.261248][ T3654] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3654] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3653] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3653] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 57.261248][ T3654] inode = 12 2341 [ 57.261248][ T3654] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 57.280119][ T3654] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 57.289295][ T3654] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3654 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 57.299567][ T3654] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 57.308142][ T3654] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3653] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3653] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3653] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3655], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3655 [pid 3653] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3655 attached [pid 3655] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3655] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3655] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 57.316425][ T3654] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 57.325629][ T3654] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 57.332368][ T3654] gfs2: fsid=syz:syz.0: File system withdrawn [ 57.338469][ T3654] CPU: 0 PID: 3654 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 57.348899][ T3654] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 57.358949][ T3654] Call Trace: [ 57.362231][ T3654] [ 57.365162][ T3654] dump_stack_lvl+0x1b1/0x28e [ 57.369845][ T3654] ? nf_tcp_handle_invalid+0x62e/0x62e [ 57.375320][ T3654] ? panic+0x710/0x710 [ 57.379402][ T3654] ? kobject_uevent_env+0x46b/0x8e0 [ 57.384609][ T3654] ? do_raw_spin_unlock+0x134/0x8a0 [ 57.389809][ T3654] gfs2_withdraw+0xf33/0x1540 [ 57.394491][ T3654] ? gfs2_lm+0x220/0x220 [ 57.398722][ T3654] ? gfs2_dirent_scan+0xb6/0x650 [ 57.403660][ T3654] ? panic+0x710/0x710 [ 57.407737][ T3654] ? gfs2_permission+0x2ff/0x430 [ 57.412690][ T3654] ? gfs2_consist_inode_i+0xf3/0x110 [ 57.417968][ T3654] gfs2_dirent_scan+0x535/0x650 [ 57.422833][ T3654] ? gfs2_dirent_search+0xb10/0xb10 [ 57.428040][ T3654] gfs2_dirent_search+0x2ea/0xb10 [ 57.433074][ T3654] ? gfs2_dirent_search+0xb10/0xb10 [ 57.438286][ T3654] ? gfs2_dir_search+0x2a0/0x2a0 [ 57.443218][ T3654] ? gfs2_permission+0x3bf/0x430 [ 57.448159][ T3654] gfs2_dir_search+0x8c/0x2a0 [ 57.452835][ T3654] ? do_filldir_main+0x530/0x530 [ 57.457765][ T3654] ? inode_go_held+0xe4/0x1f0 [ 57.462443][ T3654] ? gfs2_glock_wait+0x213/0x2a0 [ 57.467375][ T3654] gfs2_lookupi+0x465/0x650 [ 57.471877][ T3654] ? gfs2_lookup_simple+0x170/0x170 [ 57.477068][ T3654] ? __gfs2_lookup+0x8c/0x260 [ 57.481744][ T3654] __gfs2_lookup+0x8c/0x260 [ 57.486262][ T3654] ? gfs2_atomic_open+0x230/0x230 [ 57.491285][ T3654] ? __d_lookup+0x6a4/0x770 [ 57.495785][ T3654] ? d_hash_and_lookup+0x1c0/0x1c0 [ 57.500888][ T3654] gfs2_atomic_open+0xa4/0x230 [ 57.505810][ T3654] path_openat+0xf39/0x2df0 [ 57.510318][ T3654] ? gfs2_rename2+0x3000/0x3000 [ 57.515178][ T3654] ? do_filp_open+0x4f0/0x4f0 [ 57.520032][ T3654] do_filp_open+0x264/0x4f0 [ 57.524530][ T3654] ? vfs_tmpfile+0x490/0x490 [ 57.529119][ T3654] ? do_raw_spin_unlock+0x134/0x8a0 [ 57.534317][ T3654] ? _raw_spin_unlock+0x24/0x40 [ 57.539163][ T3654] ? alloc_fd+0x5a7/0x640 [ 57.543494][ T3654] do_sys_openat2+0x124/0x4e0 [ 57.548164][ T3654] ? print_irqtrace_events+0x220/0x220 [ 57.553608][ T3654] ? ptrace_stop+0x74d/0x970 [ 57.558192][ T3654] ? do_sys_open+0x220/0x220 [ 57.562779][ T3654] ? lockdep_hardirqs_on+0x8d/0x130 [ 57.567972][ T3654] ? _raw_spin_unlock_irq+0x2a/0x40 [ 57.573165][ T3654] ? ptrace_notify+0x245/0x340 [ 57.577919][ T3654] __x64_sys_openat+0x243/0x290 [ 57.582768][ T3654] ? __ia32_sys_open+0x270/0x270 [ 57.587704][ T3654] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 57.593679][ T3654] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 57.599651][ T3654] do_syscall_64+0x3d/0xb0 [ 57.604059][ T3654] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 57.609942][ T3654] RIP: 0033:0x7fc8868064d9 [ 57.614370][ T3654] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 57.633981][ T3654] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 57.642388][ T3654] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 57.650347][ T3654] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 57.658574][ T3654] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3655] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3654] <... openat resumed>) = -1 EIO (Input/output error) [pid 3654] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3653] exit_group(0 [pid 3654] <... futex resumed>) = 0 [pid 3654] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3655] <... futex resumed>) = ? [pid 3653] <... exit_group resumed>) = ? [pid 3654] +++ exited with 0 +++ [pid 3655] +++ exited with 0 +++ [pid 3653] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3653, si_uid=0, si_status=0, si_utime=2, si_stime=33} --- umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./7/binderfs") = 0 [ 57.666533][ T3654] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 57.674500][ T3654] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 57.682491][ T3654] umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./7/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./7/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3656 ./strace-static-x86_64: Process 3656 attached [pid 3656] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3656] chdir("./8") = 0 [pid 3656] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3656] setpgid(0, 0) = 0 [pid 3656] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3656] write(3, "1000", 4) = 4 [pid 3656] close(3) = 0 [pid 3656] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3656] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3656] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3656] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3656] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3657 attached [pid 3657] set_robust_list(0x7fc8867b29e0, 24 [pid 3656] <... clone resumed>, parent_tid=[3657], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3657 [pid 3656] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3656] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3657] <... set_robust_list resumed>) = 0 [pid 3657] memfd_create("syzkaller", 0) = 3 [pid 3657] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3657] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3657] munmap(0x7fc87e392000, 16777216) = 0 [pid 3657] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3657] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3657] close(3) = 0 [pid 3657] mkdir("./file0", 0777) = 0 [ 57.991874][ T3657] loop0: detected capacity change from 0 to 32768 [ 58.003490][ T3657] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 58.011791][ T3657] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 58.021974][ T3657] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 58.030979][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 58.037748][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3657] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3657] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3657] chdir("./file0") = 0 [pid 3657] ioctl(4, LOOP_CLR_FD) = 0 [pid 3657] close(4) = 0 [pid 3657] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3656] <... futex resumed>) = 0 [pid 3656] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3656] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3657] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3657] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3656] <... futex resumed>) = 0 [pid 3656] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3656] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 58.075922][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 58.084675][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 58.089940][ T3657] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 58.117525][ T3657] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 58.125973][ T3657] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 58.125973][ T3657] inode = 12 2341 [ 58.125973][ T3657] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 58.144821][ T3657] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 58.153953][ T3657] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3657 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3657] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3656] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3656] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3656] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3656] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3656] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3658], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3658 [pid 3656] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3658 attached [pid 3658] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3658] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3658] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 58.164155][ T3657] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 58.172783][ T3657] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 58.180062][ T3657] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 58.189164][ T3657] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 58.197314][ T3657] gfs2: fsid=syz:syz.0: File system withdrawn [ 58.203635][ T3657] CPU: 0 PID: 3657 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 58.214226][ T3657] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 58.224281][ T3657] Call Trace: [ 58.227559][ T3657] [ 58.230499][ T3657] dump_stack_lvl+0x1b1/0x28e [ 58.235179][ T3657] ? nf_tcp_handle_invalid+0x62e/0x62e [ 58.240658][ T3657] ? panic+0x710/0x710 [ 58.244739][ T3657] ? kobject_uevent_env+0x46b/0x8e0 [ 58.250274][ T3657] ? do_raw_spin_unlock+0x134/0x8a0 [ 58.255464][ T3657] gfs2_withdraw+0xf33/0x1540 [ 58.260153][ T3657] ? gfs2_lm+0x220/0x220 [pid 3658] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3656] exit_group(0 [pid 3658] <... futex resumed>) = ? [pid 3656] <... exit_group resumed>) = ? [pid 3658] +++ exited with 0 +++ [ 58.264399][ T3657] ? gfs2_dirent_scan+0xb6/0x650 [ 58.269327][ T3657] ? panic+0x710/0x710 [ 58.273393][ T3657] ? gfs2_permission+0x2ff/0x430 [ 58.278340][ T3657] ? gfs2_consist_inode_i+0xf3/0x110 [ 58.283615][ T3657] gfs2_dirent_scan+0x535/0x650 [ 58.288465][ T3657] ? gfs2_dirent_search+0xb10/0xb10 [ 58.293658][ T3657] gfs2_dirent_search+0x2ea/0xb10 [ 58.298688][ T3657] ? gfs2_dirent_search+0xb10/0xb10 [ 58.303892][ T3657] ? gfs2_dir_search+0x2a0/0x2a0 [ 58.308820][ T3657] ? gfs2_permission+0x3bf/0x430 [ 58.313755][ T3657] gfs2_dir_search+0x8c/0x2a0 [ 58.318428][ T3657] ? do_filldir_main+0x530/0x530 [ 58.323352][ T3657] ? inode_go_held+0xe4/0x1f0 [ 58.328018][ T3657] ? gfs2_glock_wait+0x213/0x2a0 [ 58.332941][ T3657] gfs2_lookupi+0x465/0x650 [ 58.337438][ T3657] ? gfs2_lookup_simple+0x170/0x170 [ 58.342631][ T3657] ? __gfs2_lookup+0x8c/0x260 [ 58.347307][ T3657] __gfs2_lookup+0x8c/0x260 [ 58.351823][ T3657] ? gfs2_atomic_open+0x230/0x230 [ 58.356941][ T3657] ? __d_lookup+0x6a4/0x770 [ 58.361446][ T3657] ? d_hash_and_lookup+0x1c0/0x1c0 [ 58.366559][ T3657] gfs2_atomic_open+0xa4/0x230 [ 58.371314][ T3657] path_openat+0xf39/0x2df0 [ 58.375812][ T3657] ? gfs2_rename2+0x3000/0x3000 [ 58.380682][ T3657] ? do_filp_open+0x4f0/0x4f0 [ 58.385372][ T3657] do_filp_open+0x264/0x4f0 [ 58.390042][ T3657] ? vfs_tmpfile+0x490/0x490 [ 58.394648][ T3657] ? do_raw_spin_unlock+0x134/0x8a0 [ 58.399845][ T3657] ? _raw_spin_unlock+0x24/0x40 [ 58.404787][ T3657] ? alloc_fd+0x5a7/0x640 [ 58.409121][ T3657] do_sys_openat2+0x124/0x4e0 [ 58.413795][ T3657] ? print_irqtrace_events+0x220/0x220 [ 58.419252][ T3657] ? ptrace_stop+0x74d/0x970 [ 58.423844][ T3657] ? do_sys_open+0x220/0x220 [ 58.428440][ T3657] ? lockdep_hardirqs_on+0x8d/0x130 [ 58.433656][ T3657] ? _raw_spin_unlock_irq+0x2a/0x40 [ 58.438858][ T3657] ? ptrace_notify+0x245/0x340 [ 58.443702][ T3657] __x64_sys_openat+0x243/0x290 [ 58.448551][ T3657] ? __ia32_sys_open+0x270/0x270 [ 58.453481][ T3657] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 58.459454][ T3657] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 58.465428][ T3657] do_syscall_64+0x3d/0xb0 [ 58.469833][ T3657] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 58.475720][ T3657] RIP: 0033:0x7fc8868064d9 [ 58.480144][ T3657] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 58.499749][ T3657] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 58.508154][ T3657] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3657] <... openat resumed>) = ? [pid 3657] +++ exited with 0 +++ [pid 3656] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3656, si_uid=0, si_status=0, si_utime=2, si_stime=26} --- umount2("./8", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./8/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./8/binderfs") = 0 [ 58.516118][ T3657] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 58.524089][ T3657] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 58.532072][ T3657] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 58.540047][ T3657] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 58.548033][ T3657] umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./8/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./8/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./8") = 0 mkdir("./9", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3659 ./strace-static-x86_64: Process 3659 attached [pid 3659] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3659] chdir("./9") = 0 [pid 3659] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3659] setpgid(0, 0) = 0 [pid 3659] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3659] write(3, "1000", 4) = 4 [pid 3659] close(3) = 0 [pid 3659] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3659] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3659] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3659] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3659] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3660], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3660 [pid 3659] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3659] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3660 attached [pid 3660] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3660] memfd_create("syzkaller", 0) = 3 [pid 3660] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3660] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3660] munmap(0x7fc87e392000, 16777216) = 0 [pid 3660] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3660] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3660] close(3) = 0 [pid 3660] mkdir("./file0", 0777) = 0 [ 58.892392][ T3660] loop0: detected capacity change from 0 to 32768 [ 58.904150][ T3660] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 58.912426][ T3660] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 58.922786][ T3660] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 58.931390][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 58.938171][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3660] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3660] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3660] chdir("./file0") = 0 [pid 3660] ioctl(4, LOOP_CLR_FD) = 0 [pid 3660] close(4) = 0 [pid 3660] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3659] <... futex resumed>) = 0 [pid 3659] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3659] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3660] <... futex resumed>) = 1 [pid 3660] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3660] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3659] <... futex resumed>) = 0 [pid 3659] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3659] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3660] <... futex resumed>) = 1 [ 58.978002][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 58.987230][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 58.992779][ T3660] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 59.009873][ T3660] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 59.018806][ T3660] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3660] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3659] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3659] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3659] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3659] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3659] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3661 attached , parent_tid=[3661], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3661 [pid 3661] set_robust_list(0x7fc87f3919e0, 24 [pid 3659] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3661] <... set_robust_list resumed>) = 0 [ 59.018806][ T3660] inode = 12 2341 [ 59.018806][ T3660] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 59.039266][ T3660] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 59.049212][ T3660] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3660 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 59.064344][ T3660] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 59.064690][ T3661] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 59.073821][ T3660] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 59.081502][ T3661] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 59.089434][ T3660] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 59.097744][ T3661] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3660 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 59.107267][ T3660] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 59.117034][ T3661] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3661 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 59.123661][ T3660] gfs2: fsid=syz:syz.0: File system withdrawn [ 59.139453][ T3660] CPU: 0 PID: 3660 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 59.149882][ T3660] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 59.159937][ T3660] Call Trace: [ 59.163209][ T3660] [ 59.166168][ T3660] dump_stack_lvl+0x1b1/0x28e [ 59.170843][ T3660] ? nf_tcp_handle_invalid+0x62e/0x62e [ 59.176292][ T3660] ? panic+0x710/0x710 [ 59.180353][ T3660] ? kobject_uevent_env+0x46b/0x8e0 [ 59.185542][ T3660] ? do_raw_spin_unlock+0x134/0x8a0 [ 59.190743][ T3660] gfs2_withdraw+0xf33/0x1540 [ 59.195425][ T3660] ? gfs2_lm+0x220/0x220 [ 59.199655][ T3660] ? gfs2_dirent_scan+0xb6/0x650 [ 59.204585][ T3660] ? panic+0x710/0x710 [ 59.208640][ T3660] ? gfs2_permission+0x2ff/0x430 [ 59.213579][ T3660] ? gfs2_consist_inode_i+0xf3/0x110 [ 59.218856][ T3660] gfs2_dirent_scan+0x535/0x650 [ 59.223714][ T3660] ? gfs2_dirent_search+0xb10/0xb10 [ 59.228911][ T3660] gfs2_dirent_search+0x2ea/0xb10 [ 59.233937][ T3660] ? gfs2_dirent_search+0xb10/0xb10 [ 59.239141][ T3660] ? gfs2_dir_search+0x2a0/0x2a0 [ 59.244074][ T3660] ? gfs2_permission+0x3bf/0x430 [ 59.249010][ T3660] gfs2_dir_search+0x8c/0x2a0 [ 59.253682][ T3660] ? do_filldir_main+0x530/0x530 [ 59.258614][ T3660] ? inode_go_held+0xe4/0x1f0 [ 59.263286][ T3660] ? gfs2_glock_wait+0x213/0x2a0 [ 59.268228][ T3660] gfs2_lookupi+0x465/0x650 [ 59.272744][ T3660] ? gfs2_lookup_simple+0x170/0x170 [ 59.277940][ T3660] ? __gfs2_lookup+0x8c/0x260 [ 59.282617][ T3660] __gfs2_lookup+0x8c/0x260 [ 59.287118][ T3660] ? gfs2_atomic_open+0x230/0x230 [ 59.292137][ T3660] ? __d_lookup+0x6a4/0x770 [ 59.296627][ T3660] ? d_hash_and_lookup+0x1c0/0x1c0 [ 59.301904][ T3660] gfs2_atomic_open+0xa4/0x230 [ 59.306664][ T3660] path_openat+0xf39/0x2df0 [ 59.311166][ T3660] ? gfs2_rename2+0x3000/0x3000 [ 59.316020][ T3660] ? do_filp_open+0x4f0/0x4f0 [ 59.320700][ T3660] do_filp_open+0x264/0x4f0 [ 59.325281][ T3660] ? vfs_tmpfile+0x490/0x490 [ 59.329870][ T3660] ? do_raw_spin_unlock+0x134/0x8a0 [ 59.335083][ T3660] ? _raw_spin_unlock+0x24/0x40 [ 59.339953][ T3660] ? alloc_fd+0x5a7/0x640 [ 59.344283][ T3660] do_sys_openat2+0x124/0x4e0 [ 59.348952][ T3660] ? print_irqtrace_events+0x220/0x220 [ 59.354410][ T3660] ? ptrace_stop+0x74d/0x970 [ 59.358992][ T3660] ? do_sys_open+0x220/0x220 [ 59.363576][ T3660] ? lockdep_hardirqs_on+0x8d/0x130 [ 59.368764][ T3660] ? _raw_spin_unlock_irq+0x2a/0x40 [ 59.373956][ T3660] ? ptrace_notify+0x245/0x340 [ 59.378713][ T3660] __x64_sys_openat+0x243/0x290 [ 59.383561][ T3660] ? __ia32_sys_open+0x270/0x270 [ 59.388493][ T3660] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 59.394468][ T3660] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 59.400451][ T3660] do_syscall_64+0x3d/0xb0 [ 59.404950][ T3660] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 59.410832][ T3660] RIP: 0033:0x7fc8868064d9 [ 59.415238][ T3660] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 59.434833][ T3660] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 59.443237][ T3660] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 59.451196][ T3660] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 59.459158][ T3660] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 59.467116][ T3660] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3661] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3660] <... openat resumed>) = -1 EIO (Input/output error) [pid 3661] <... openat resumed>) = -1 EIO (Input/output error) [pid 3660] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3660] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3661] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3661] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3659] exit_group(0 [pid 3660] <... futex resumed>) = ? [pid 3659] <... exit_group resumed>) = ? [pid 3660] +++ exited with 0 +++ [pid 3661] <... futex resumed>) = ? [pid 3661] +++ exited with 0 +++ [pid 3659] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3659, si_uid=0, si_status=0, si_utime=3, si_stime=39} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./9", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./9/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./9/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./9/binderfs") = 0 [ 59.475078][ T3660] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 59.483054][ T3660] [ 59.486426][ T3661] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./9/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./9/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./9") = 0 mkdir("./10", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3662 ./strace-static-x86_64: Process 3662 attached [pid 3662] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3662] chdir("./10") = 0 [pid 3662] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3662] setpgid(0, 0) = 0 [pid 3662] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3662] write(3, "1000", 4) = 4 [pid 3662] close(3) = 0 [pid 3662] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3662] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3662] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3662] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3662] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3663 attached , parent_tid=[3663], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3663 [pid 3662] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3663] set_robust_list(0x7fc8867b29e0, 24 [pid 3662] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3663] <... set_robust_list resumed>) = 0 [pid 3663] memfd_create("syzkaller", 0) = 3 [pid 3663] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3663] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3663] munmap(0x7fc87e392000, 16777216) = 0 [pid 3663] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3663] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3663] close(3) = 0 [pid 3663] mkdir("./file0", 0777) = 0 [ 59.811904][ T3663] loop0: detected capacity change from 0 to 32768 [ 59.823006][ T3663] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 59.831240][ T3663] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 59.841699][ T3663] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 59.850779][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 59.857563][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3663] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3663] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3663] chdir("./file0") = 0 [pid 3663] ioctl(4, LOOP_CLR_FD) = 0 [pid 3663] close(4) = 0 [pid 3663] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3662] <... futex resumed>) = 0 [pid 3662] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3662] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3663] <... futex resumed>) = 1 [pid 3663] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3663] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3662] <... futex resumed>) = 0 [pid 3662] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3662] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3663] <... futex resumed>) = 1 [ 59.897526][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 59.905120][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 59.910413][ T3663] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 59.925627][ T3663] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 59.934500][ T3663] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 59.934500][ T3663] inode = 12 2341 [pid 3663] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3662] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3662] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 59.934500][ T3663] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 59.953658][ T3663] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 59.963296][ T3663] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3663 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 59.973419][ T3663] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 59.981943][ T3663] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 59.989215][ T3663] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 3662] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3662] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3662] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3664], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3664 [pid 3662] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3664 attached [pid 3664] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3664] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3664] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 59.998111][ T3663] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 60.004734][ T3663] gfs2: fsid=syz:syz.0: File system withdrawn [ 60.010934][ T3663] CPU: 0 PID: 3663 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 60.021364][ T3663] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 60.031428][ T3663] Call Trace: [ 60.034698][ T3663] [ 60.037620][ T3663] dump_stack_lvl+0x1b1/0x28e [ 60.042287][ T3663] ? nf_tcp_handle_invalid+0x62e/0x62e [ 60.047732][ T3663] ? panic+0x710/0x710 [ 60.051790][ T3663] ? kobject_uevent_env+0x46b/0x8e0 [ 60.056980][ T3663] ? do_raw_spin_unlock+0x134/0x8a0 [ 60.062188][ T3663] gfs2_withdraw+0xf33/0x1540 [ 60.066889][ T3663] ? gfs2_lm+0x220/0x220 [ 60.071122][ T3663] ? gfs2_dirent_scan+0xb6/0x650 [ 60.076059][ T3663] ? panic+0x710/0x710 [ 60.080124][ T3663] ? gfs2_permission+0x2ff/0x430 [ 60.085063][ T3663] ? gfs2_consist_inode_i+0xf3/0x110 [ 60.090340][ T3663] gfs2_dirent_scan+0x535/0x650 [ 60.095189][ T3663] ? gfs2_dirent_search+0xb10/0xb10 [ 60.100383][ T3663] gfs2_dirent_search+0x2ea/0xb10 [ 60.105402][ T3663] ? gfs2_dirent_search+0xb10/0xb10 [ 60.110600][ T3663] ? gfs2_dir_search+0x2a0/0x2a0 [ 60.115530][ T3663] ? gfs2_permission+0x3bf/0x430 [ 60.120466][ T3663] gfs2_dir_search+0x8c/0x2a0 [ 60.125139][ T3663] ? do_filldir_main+0x530/0x530 [ 60.130071][ T3663] ? inode_go_held+0xe4/0x1f0 [ 60.134746][ T3663] ? gfs2_glock_wait+0x213/0x2a0 [ 60.139675][ T3663] gfs2_lookupi+0x465/0x650 [ 60.144177][ T3663] ? gfs2_lookup_simple+0x170/0x170 [ 60.149368][ T3663] ? __gfs2_lookup+0x8c/0x260 [ 60.154048][ T3663] __gfs2_lookup+0x8c/0x260 [ 60.158546][ T3663] ? gfs2_atomic_open+0x230/0x230 [ 60.163576][ T3663] ? __d_lookup+0x6a4/0x770 [ 60.168076][ T3663] ? d_hash_and_lookup+0x1c0/0x1c0 [ 60.173178][ T3663] gfs2_atomic_open+0xa4/0x230 [ 60.177937][ T3663] path_openat+0xf39/0x2df0 [ 60.182444][ T3663] ? gfs2_rename2+0x3000/0x3000 [ 60.187311][ T3663] ? do_filp_open+0x4f0/0x4f0 [ 60.191998][ T3663] do_filp_open+0x264/0x4f0 [ 60.196493][ T3663] ? vfs_tmpfile+0x490/0x490 [ 60.201080][ T3663] ? do_raw_spin_unlock+0x134/0x8a0 [ 60.206278][ T3663] ? _raw_spin_unlock+0x24/0x40 [ 60.211126][ T3663] ? alloc_fd+0x5a7/0x640 [ 60.215544][ T3663] do_sys_openat2+0x124/0x4e0 [ 60.220213][ T3663] ? print_irqtrace_events+0x220/0x220 [ 60.225666][ T3663] ? ptrace_stop+0x74d/0x970 [ 60.230249][ T3663] ? do_sys_open+0x220/0x220 [ 60.234839][ T3663] ? lockdep_hardirqs_on+0x8d/0x130 [ 60.240030][ T3663] ? _raw_spin_unlock_irq+0x2a/0x40 [ 60.245231][ T3663] ? ptrace_notify+0x245/0x340 [ 60.249987][ T3663] __x64_sys_openat+0x243/0x290 [ 60.254834][ T3663] ? __ia32_sys_open+0x270/0x270 [ 60.259770][ T3663] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 60.265749][ T3663] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 60.271726][ T3663] do_syscall_64+0x3d/0xb0 [ 60.276136][ T3663] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 60.282022][ T3663] RIP: 0033:0x7fc8868064d9 [ 60.286434][ T3663] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 60.306038][ T3663] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 60.314445][ T3663] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 60.322429][ T3663] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 60.330490][ T3663] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 60.338450][ T3663] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3664] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3663] <... openat resumed>) = -1 EIO (Input/output error) [pid 3663] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3663] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3662] exit_group(0 [pid 3664] <... futex resumed>) = ? [pid 3663] <... futex resumed>) = ? [pid 3662] <... exit_group resumed>) = ? [pid 3663] +++ exited with 0 +++ [pid 3664] +++ exited with 0 +++ [pid 3662] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3662, si_uid=0, si_status=0, si_utime=1, si_stime=30} --- umount2("./10", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./10/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./10/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./10/binderfs") = 0 [ 60.346412][ T3663] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 60.354403][ T3663] umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./10/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./10/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./10") = 0 mkdir("./11", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3665 ./strace-static-x86_64: Process 3665 attached [pid 3665] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3665] chdir("./11") = 0 [pid 3665] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3665] setpgid(0, 0) = 0 [pid 3665] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3665] write(3, "1000", 4) = 4 [pid 3665] close(3) = 0 [pid 3665] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3665] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3665] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3665] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3665] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3666], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3666 [pid 3665] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3666 attached [pid 3666] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3665] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3666] memfd_create("syzkaller", 0) = 3 [pid 3666] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3666] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3666] munmap(0x7fc87e392000, 16777216) = 0 [pid 3666] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3666] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3666] close(3) = 0 [pid 3666] mkdir("./file0", 0777) = 0 [ 60.650077][ T3666] loop0: detected capacity change from 0 to 32768 [ 60.660751][ T3666] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 60.668998][ T3666] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 60.679414][ T3666] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 60.688288][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 60.695258][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3666] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3666] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3666] chdir("./file0") = 0 [pid 3666] ioctl(4, LOOP_CLR_FD) = 0 [pid 3666] close(4) = 0 [pid 3666] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3665] <... futex resumed>) = 0 [pid 3666] <... futex resumed>) = 1 [pid 3665] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3666] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3665] <... futex resumed>) = 0 [pid 3666] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3666] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3666] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3665] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 3665] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3665] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3666] <... futex resumed>) = 0 [ 60.737171][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 60.746033][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 60.751614][ T3666] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 60.784803][ T3666] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 60.793859][ T3666] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 60.793859][ T3666] inode = 12 2341 [ 60.793859][ T3666] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 60.813059][ T3666] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 60.822420][ T3666] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3666 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3666] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3665] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3665] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3665] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3665] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3665] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3667], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3667 [pid 3665] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3667 attached [pid 3667] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3667] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3667] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 60.832555][ T3666] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 60.841101][ T3666] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 60.848350][ T3666] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 60.857211][ T3666] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 60.863872][ T3666] gfs2: fsid=syz:syz.0: File system withdrawn [ 60.869946][ T3666] CPU: 0 PID: 3666 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 60.880374][ T3666] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 60.890462][ T3666] Call Trace: [ 60.893754][ T3666] [ 60.896677][ T3666] dump_stack_lvl+0x1b1/0x28e [ 60.901352][ T3666] ? nf_tcp_handle_invalid+0x62e/0x62e [ 60.906813][ T3666] ? panic+0x710/0x710 [ 60.910904][ T3666] ? kobject_uevent_env+0x46b/0x8e0 [ 60.916138][ T3666] ? do_raw_spin_unlock+0x134/0x8a0 [ 60.921376][ T3666] gfs2_withdraw+0xf33/0x1540 [ 60.926063][ T3666] ? gfs2_lm+0x220/0x220 [ 60.930322][ T3666] ? gfs2_dirent_scan+0xb6/0x650 [ 60.935281][ T3666] ? panic+0x710/0x710 [ 60.939344][ T3666] ? gfs2_permission+0x2ff/0x430 [ 60.944294][ T3666] ? gfs2_consist_inode_i+0xf3/0x110 [ 60.949593][ T3666] gfs2_dirent_scan+0x535/0x650 [ 60.954485][ T3666] ? gfs2_dirent_search+0xb10/0xb10 [ 60.960062][ T3666] gfs2_dirent_search+0x2ea/0xb10 [ 60.965102][ T3666] ? gfs2_dirent_search+0xb10/0xb10 [ 60.970568][ T3666] ? gfs2_dir_search+0x2a0/0x2a0 [ 60.975512][ T3666] ? gfs2_permission+0x3bf/0x430 [ 60.980468][ T3666] gfs2_dir_search+0x8c/0x2a0 [pid 3667] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3665] exit_group(0 [pid 3667] <... futex resumed>) = ? [pid 3665] <... exit_group resumed>) = ? [pid 3667] +++ exited with 0 +++ [ 60.985151][ T3666] ? do_filldir_main+0x530/0x530 [ 60.990471][ T3666] ? inode_go_held+0xe4/0x1f0 [ 60.995166][ T3666] ? gfs2_glock_wait+0x213/0x2a0 [ 61.000105][ T3666] gfs2_lookupi+0x465/0x650 [ 61.004623][ T3666] ? gfs2_lookup_simple+0x170/0x170 [ 61.009812][ T3666] ? __gfs2_lookup+0x8c/0x260 [ 61.014483][ T3666] __gfs2_lookup+0x8c/0x260 [ 61.019081][ T3666] ? gfs2_atomic_open+0x230/0x230 [ 61.024157][ T3666] ? __d_lookup+0x6a4/0x770 [ 61.028648][ T3666] ? d_hash_and_lookup+0x1c0/0x1c0 [ 61.033764][ T3666] gfs2_atomic_open+0xa4/0x230 [ 61.038535][ T3666] path_openat+0xf39/0x2df0 [ 61.043049][ T3666] ? gfs2_rename2+0x3000/0x3000 [ 61.047917][ T3666] ? do_filp_open+0x4f0/0x4f0 [ 61.052592][ T3666] do_filp_open+0x264/0x4f0 [ 61.057083][ T3666] ? vfs_tmpfile+0x490/0x490 [ 61.061667][ T3666] ? do_raw_spin_unlock+0x134/0x8a0 [ 61.066860][ T3666] ? _raw_spin_unlock+0x24/0x40 [ 61.071716][ T3666] ? alloc_fd+0x5a7/0x640 [ 61.076068][ T3666] do_sys_openat2+0x124/0x4e0 [ 61.080735][ T3666] ? print_irqtrace_events+0x220/0x220 [ 61.086181][ T3666] ? ptrace_stop+0x74d/0x970 [ 61.090760][ T3666] ? do_sys_open+0x220/0x220 [ 61.095339][ T3666] ? lockdep_hardirqs_on+0x8d/0x130 [ 61.100538][ T3666] ? _raw_spin_unlock_irq+0x2a/0x40 [ 61.105741][ T3666] ? ptrace_notify+0x245/0x340 [ 61.110493][ T3666] __x64_sys_openat+0x243/0x290 [ 61.115336][ T3666] ? __ia32_sys_open+0x270/0x270 [ 61.120284][ T3666] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 61.126275][ T3666] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 61.132245][ T3666] do_syscall_64+0x3d/0xb0 [ 61.136670][ T3666] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 61.142590][ T3666] RIP: 0033:0x7fc8868064d9 [ 61.147016][ T3666] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 61.166621][ T3666] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 61.175129][ T3666] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3666] <... openat resumed>) = ? [pid 3666] +++ exited with 0 +++ [pid 3665] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3665, si_uid=0, si_status=0, si_utime=3, si_stime=27} --- umount2("./11", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./11/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./11/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./11/binderfs") = 0 [ 61.183100][ T3666] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 61.191090][ T3666] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 61.199067][ T3666] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 61.207030][ T3666] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 61.215005][ T3666] umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./11/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./11/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./11") = 0 mkdir("./12", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3668 ./strace-static-x86_64: Process 3668 attached [pid 3668] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3668] chdir("./12") = 0 [pid 3668] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3668] setpgid(0, 0) = 0 [pid 3668] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3668] write(3, "1000", 4) = 4 [pid 3668] close(3) = 0 [pid 3668] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3668] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3668] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3668] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3668] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3669 attached [pid 3669] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3669] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3668] <... clone resumed>, parent_tid=[3669], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3669 [pid 3668] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3669] <... futex resumed>) = 0 [pid 3668] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3669] memfd_create("syzkaller", 0) = 3 [pid 3669] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3669] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3669] munmap(0x7fc87e392000, 16777216) = 0 [pid 3669] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3669] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3669] close(3) = 0 [pid 3669] mkdir("./file0", 0777) = 0 [ 61.566096][ T3669] loop0: detected capacity change from 0 to 32768 [ 61.576814][ T3669] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 61.585223][ T3669] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 61.594951][ T3669] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 61.603884][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 61.611183][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3669] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3669] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3669] chdir("./file0") = 0 [pid 3669] ioctl(4, LOOP_CLR_FD) = 0 [pid 3669] close(4) = 0 [pid 3669] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3668] <... futex resumed>) = 0 [pid 3669] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3668] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3669] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3668] <... futex resumed>) = 0 [pid 3669] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3668] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3669] <... futex resumed>) = 0 [pid 3668] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3669] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3668] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3669] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3668] <... futex resumed>) = 0 [pid 3669] openat(AT_FDCWD, "./file0", O_RDONLY [ 61.654415][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 61.663365][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 61.668681][ T3669] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 61.698630][ T3669] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 61.708380][ T3669] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 61.708380][ T3669] inode = 12 2341 [ 61.708380][ T3669] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 61.727442][ T3669] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 61.736675][ T3669] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3669 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3668] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3668] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3668] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3668] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3668] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3670 attached , parent_tid=[3670], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3670 [pid 3668] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3670] set_robust_list(0x7fc87f3919e0, 24 [pid 3668] <... futex resumed>) = 0 [pid 3670] <... set_robust_list resumed>) = 0 [pid 3670] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3670] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 61.746770][ T3669] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 61.755242][ T3669] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 61.762586][ T3669] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 61.771436][ T3669] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 61.778423][ T3669] gfs2: fsid=syz:syz.0: File system withdrawn [ 61.787991][ T3669] CPU: 0 PID: 3669 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 61.798437][ T3669] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 61.808487][ T3669] Call Trace: [ 61.811756][ T3669] [ 61.814679][ T3669] dump_stack_lvl+0x1b1/0x28e [ 61.819362][ T3669] ? nf_tcp_handle_invalid+0x62e/0x62e [ 61.824824][ T3669] ? panic+0x710/0x710 [ 61.828883][ T3669] ? kobject_uevent_env+0x46b/0x8e0 [ 61.834068][ T3669] ? do_raw_spin_unlock+0x134/0x8a0 [ 61.839275][ T3669] gfs2_withdraw+0xf33/0x1540 [ 61.843967][ T3669] ? gfs2_lm+0x220/0x220 [ 61.848200][ T3669] ? gfs2_dirent_scan+0xb6/0x650 [ 61.853135][ T3669] ? panic+0x710/0x710 [ 61.857278][ T3669] ? gfs2_permission+0x2ff/0x430 [ 61.862210][ T3669] ? gfs2_consist_inode_i+0xf3/0x110 [ 61.867493][ T3669] gfs2_dirent_scan+0x535/0x650 [ 61.872356][ T3669] ? gfs2_dirent_search+0xb10/0xb10 [ 61.877568][ T3669] gfs2_dirent_search+0x2ea/0xb10 [ 61.882605][ T3669] ? gfs2_dirent_search+0xb10/0xb10 [ 61.887793][ T3669] ? gfs2_dir_search+0x2a0/0x2a0 [ 61.892723][ T3669] ? gfs2_permission+0x3bf/0x430 [ 61.897661][ T3669] gfs2_dir_search+0x8c/0x2a0 [ 61.902335][ T3669] ? do_filldir_main+0x530/0x530 [ 61.907354][ T3669] ? inode_go_held+0xe4/0x1f0 [ 61.912027][ T3669] ? gfs2_glock_wait+0x213/0x2a0 [ 61.916961][ T3669] gfs2_lookupi+0x465/0x650 [ 61.921486][ T3669] ? gfs2_lookup_simple+0x170/0x170 [ 61.926679][ T3669] ? __gfs2_lookup+0x8c/0x260 [ 61.931357][ T3669] __gfs2_lookup+0x8c/0x260 [ 61.935856][ T3669] ? gfs2_atomic_open+0x230/0x230 [ 61.940885][ T3669] ? __d_lookup+0x6a4/0x770 [ 61.945381][ T3669] ? d_hash_and_lookup+0x1c0/0x1c0 [ 61.950480][ T3669] gfs2_atomic_open+0xa4/0x230 [ 61.955239][ T3669] path_openat+0xf39/0x2df0 [ 61.959747][ T3669] ? gfs2_rename2+0x3000/0x3000 [ 61.964602][ T3669] ? do_filp_open+0x4f0/0x4f0 [ 61.969367][ T3669] do_filp_open+0x264/0x4f0 [ 61.973861][ T3669] ? vfs_tmpfile+0x490/0x490 [ 61.978455][ T3669] ? do_raw_spin_unlock+0x134/0x8a0 [ 61.983652][ T3669] ? _raw_spin_unlock+0x24/0x40 [ 61.988500][ T3669] ? alloc_fd+0x5a7/0x640 [ 61.992832][ T3669] do_sys_openat2+0x124/0x4e0 [ 61.997586][ T3669] ? print_irqtrace_events+0x220/0x220 [ 62.003041][ T3669] ? ptrace_stop+0x74d/0x970 [ 62.007623][ T3669] ? do_sys_open+0x220/0x220 [ 62.012204][ T3669] ? lockdep_hardirqs_on+0x8d/0x130 [ 62.017395][ T3669] ? _raw_spin_unlock_irq+0x2a/0x40 [ 62.022589][ T3669] ? ptrace_notify+0x245/0x340 [ 62.027349][ T3669] __x64_sys_openat+0x243/0x290 [ 62.032281][ T3669] ? __ia32_sys_open+0x270/0x270 [ 62.037214][ T3669] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 62.043193][ T3669] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 62.049165][ T3669] do_syscall_64+0x3d/0xb0 [ 62.053586][ T3669] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 62.059470][ T3669] RIP: 0033:0x7fc8868064d9 [ 62.063876][ T3669] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 62.083475][ T3669] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 62.091903][ T3669] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3670] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3669] <... openat resumed>) = -1 EIO (Input/output error) [pid 3669] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3669] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3668] exit_group(0 [pid 3670] <... futex resumed>) = ? [pid 3669] <... futex resumed>) = ? [pid 3668] <... exit_group resumed>) = ? [pid 3670] +++ exited with 0 +++ [pid 3669] +++ exited with 0 +++ [pid 3668] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3668, si_uid=0, si_status=0, si_utime=1, si_stime=32} --- umount2("./12", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./12/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./12/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./12/binderfs") = 0 [ 62.099867][ T3669] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 62.107842][ T3669] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 62.115802][ T3669] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 62.123762][ T3669] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 62.131738][ T3669] umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./12/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./12/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./12") = 0 mkdir("./13", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3671 ./strace-static-x86_64: Process 3671 attached [pid 3671] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3671] chdir("./13") = 0 [pid 3671] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3671] setpgid(0, 0) = 0 [pid 3671] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3671] write(3, "1000", 4) = 4 [pid 3671] close(3) = 0 [pid 3671] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3671] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3671] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3671] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3671] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3672 attached , parent_tid=[3672], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3672 [pid 3671] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3671] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3672] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3672] memfd_create("syzkaller", 0) = 3 [pid 3672] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3672] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3672] munmap(0x7fc87e392000, 16777216) = 0 [pid 3672] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3672] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3672] close(3) = 0 [pid 3672] mkdir("./file0", 0777) = 0 [ 62.439641][ T3672] loop0: detected capacity change from 0 to 32768 [ 62.451246][ T3672] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 62.459437][ T3672] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 62.469420][ T3672] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 62.478299][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 62.485234][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3672] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3672] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3672] chdir("./file0") = 0 [pid 3672] ioctl(4, LOOP_CLR_FD) = 0 [pid 3672] close(4) = 0 [pid 3672] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3672] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3671] <... futex resumed>) = 0 [pid 3671] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3671] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3672] <... futex resumed>) = 0 [pid 3672] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3672] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3671] <... futex resumed>) = 0 [pid 3671] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3671] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3672] <... futex resumed>) = 1 [ 62.525357][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 62.534178][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 62.539425][ T3672] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 62.570716][ T3672] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 62.579757][ T3672] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 62.579757][ T3672] inode = 12 2341 [ 62.579757][ T3672] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 62.598931][ T3672] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 62.608454][ T3672] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3672 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3672] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3671] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3671] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3671] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3671] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3671] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3673], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3673 [pid 3671] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3673 attached [pid 3673] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3673] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3673] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 62.619018][ T3672] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 62.627802][ T3672] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 62.636128][ T3672] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 62.645155][ T3672] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 62.652574][ T3672] gfs2: fsid=syz:syz.0: File system withdrawn [ 62.658726][ T3672] CPU: 0 PID: 3672 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 62.669150][ T3672] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 62.679201][ T3672] Call Trace: [ 62.682476][ T3672] [ 62.685400][ T3672] dump_stack_lvl+0x1b1/0x28e [ 62.690077][ T3672] ? nf_tcp_handle_invalid+0x62e/0x62e [ 62.695551][ T3672] ? panic+0x710/0x710 [ 62.699624][ T3672] ? kobject_uevent_env+0x46b/0x8e0 [ 62.704817][ T3672] ? do_raw_spin_unlock+0x134/0x8a0 [ 62.710039][ T3672] gfs2_withdraw+0xf33/0x1540 [ 62.714745][ T3672] ? gfs2_lm+0x220/0x220 [ 62.718987][ T3672] ? gfs2_dirent_scan+0xb6/0x650 [ 62.723934][ T3672] ? panic+0x710/0x710 [ 62.727999][ T3672] ? gfs2_permission+0x2ff/0x430 [ 62.732959][ T3672] ? gfs2_consist_inode_i+0xf3/0x110 [ 62.738256][ T3672] gfs2_dirent_scan+0x535/0x650 [ 62.743119][ T3672] ? gfs2_dirent_search+0xb10/0xb10 [ 62.748341][ T3672] gfs2_dirent_search+0x2ea/0xb10 [ 62.753386][ T3672] ? gfs2_dirent_search+0xb10/0xb10 [ 62.758614][ T3672] ? gfs2_dir_search+0x2a0/0x2a0 [ 62.763556][ T3672] ? gfs2_permission+0x3bf/0x430 [ 62.768525][ T3672] gfs2_dir_search+0x8c/0x2a0 [ 62.773223][ T3672] ? do_filldir_main+0x530/0x530 [ 62.778173][ T3672] ? inode_go_held+0xe4/0x1f0 [ 62.782851][ T3672] ? gfs2_glock_wait+0x213/0x2a0 [ 62.787783][ T3672] gfs2_lookupi+0x465/0x650 [ 62.792289][ T3672] ? gfs2_lookup_simple+0x170/0x170 [ 62.797489][ T3672] ? __gfs2_lookup+0x8c/0x260 [ 62.802168][ T3672] __gfs2_lookup+0x8c/0x260 [ 62.806669][ T3672] ? gfs2_atomic_open+0x230/0x230 [ 62.811901][ T3672] ? __d_lookup+0x6a4/0x770 [ 62.816423][ T3672] ? d_hash_and_lookup+0x1c0/0x1c0 [ 62.821546][ T3672] gfs2_atomic_open+0xa4/0x230 [ 62.826314][ T3672] path_openat+0xf39/0x2df0 [ 62.830835][ T3672] ? gfs2_rename2+0x3000/0x3000 [ 62.835695][ T3672] ? do_filp_open+0x4f0/0x4f0 [ 62.840379][ T3672] do_filp_open+0x264/0x4f0 [ 62.844874][ T3672] ? vfs_tmpfile+0x490/0x490 [ 62.849468][ T3672] ? do_raw_spin_unlock+0x134/0x8a0 [ 62.854666][ T3672] ? _raw_spin_unlock+0x24/0x40 [ 62.859514][ T3672] ? alloc_fd+0x5a7/0x640 [ 62.863844][ T3672] do_sys_openat2+0x124/0x4e0 [ 62.868518][ T3672] ? print_irqtrace_events+0x220/0x220 [ 62.873964][ T3672] ? ptrace_stop+0x74d/0x970 [ 62.878551][ T3672] ? do_sys_open+0x220/0x220 [ 62.883133][ T3672] ? lockdep_hardirqs_on+0x8d/0x130 [ 62.888326][ T3672] ? _raw_spin_unlock_irq+0x2a/0x40 [ 62.893524][ T3672] ? ptrace_notify+0x245/0x340 [ 62.898282][ T3672] __x64_sys_openat+0x243/0x290 [ 62.903147][ T3672] ? __ia32_sys_open+0x270/0x270 [ 62.908081][ T3672] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 62.914056][ T3672] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 62.920550][ T3672] do_syscall_64+0x3d/0xb0 [ 62.924960][ T3672] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 62.930848][ T3672] RIP: 0033:0x7fc8868064d9 [ 62.935255][ T3672] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 62.954942][ T3672] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 62.963367][ T3672] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3673] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3672] <... openat resumed>) = -1 EIO (Input/output error) [pid 3672] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3671] exit_group(0 [pid 3673] <... futex resumed>) = ? [pid 3672] <... futex resumed>) = ? [pid 3671] <... exit_group resumed>) = ? [pid 3673] +++ exited with 0 +++ [pid 3672] +++ exited with 0 +++ [pid 3671] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3671, si_uid=0, si_status=0, si_utime=0, si_stime=29} --- umount2("./13", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./13/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./13/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./13/binderfs") = 0 [ 62.971504][ T3672] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 62.979985][ T3672] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 62.987961][ T3672] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 62.995921][ T3672] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 63.003897][ T3672] umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./13/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./13/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./13") = 0 mkdir("./14", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3674 ./strace-static-x86_64: Process 3674 attached [pid 3674] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3674] chdir("./14") = 0 [pid 3674] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3674] setpgid(0, 0) = 0 [pid 3674] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3674] write(3, "1000", 4) = 4 [pid 3674] close(3) = 0 [pid 3674] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3674] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3674] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3674] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3674] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3675], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3675 ./strace-static-x86_64: Process 3675 attached [pid 3674] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3674] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3675] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3675] memfd_create("syzkaller", 0) = 3 [pid 3675] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3675] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3675] munmap(0x7fc87e392000, 16777216) = 0 [pid 3675] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3675] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3675] close(3) = 0 [pid 3675] mkdir("./file0", 0777) = 0 [ 63.306796][ T3675] loop0: detected capacity change from 0 to 32768 [ 63.317913][ T3675] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 63.326251][ T3675] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 63.336104][ T3675] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 63.344942][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 63.351841][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3675] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3675] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3675] chdir("./file0") = 0 [pid 3675] ioctl(4, LOOP_CLR_FD) = 0 [pid 3675] close(4) = 0 [pid 3675] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3674] <... futex resumed>) = 0 [pid 3675] <... futex resumed>) = 1 [pid 3675] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3674] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3675] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3674] <... futex resumed>) = 0 [pid 3675] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3674] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3675] <... futex resumed>) = 0 [pid 3674] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3674] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [ 63.384144][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 63.391729][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 63.397083][ T3675] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3675] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3674] <... futex resumed>) = 0 [ 63.434351][ T3675] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 63.443496][ T3675] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 63.443496][ T3675] inode = 12 2341 [ 63.443496][ T3675] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 63.463128][ T3675] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 63.473186][ T3675] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3675 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3674] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3674] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3674] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [ 63.483369][ T3675] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 63.491856][ T3675] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 63.499878][ T3675] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 63.508713][ T3675] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 63.516673][ T3675] gfs2: fsid=syz:syz.0: File system withdrawn [ 63.523760][ T3675] CPU: 0 PID: 3675 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 63.534285][ T3675] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 63.544343][ T3675] Call Trace: [ 63.547612][ T3675] [ 63.550550][ T3675] dump_stack_lvl+0x1b1/0x28e [ 63.555322][ T3675] ? nf_tcp_handle_invalid+0x62e/0x62e [ 63.560773][ T3675] ? panic+0x710/0x710 [ 63.564848][ T3675] ? kobject_uevent_env+0x46b/0x8e0 [ 63.570054][ T3675] ? do_raw_spin_unlock+0x134/0x8a0 [ 63.575260][ T3675] gfs2_withdraw+0xf33/0x1540 [ 63.580017][ T3675] ? gfs2_lm+0x220/0x220 [ 63.584299][ T3675] ? gfs2_dirent_scan+0xb6/0x650 [ 63.589254][ T3675] ? panic+0x710/0x710 [ 63.593345][ T3675] ? gfs2_permission+0x2ff/0x430 [ 63.598580][ T3675] ? gfs2_consist_inode_i+0xf3/0x110 [ 63.603862][ T3675] gfs2_dirent_scan+0x535/0x650 [ 63.608750][ T3675] ? gfs2_dirent_search+0xb10/0xb10 [ 63.613952][ T3675] gfs2_dirent_search+0x2ea/0xb10 [ 63.618987][ T3675] ? gfs2_dirent_search+0xb10/0xb10 [ 63.624199][ T3675] ? gfs2_dir_search+0x2a0/0x2a0 [ 63.629308][ T3675] ? gfs2_permission+0x3bf/0x430 [ 63.634700][ T3675] gfs2_dir_search+0x8c/0x2a0 [ 63.639384][ T3675] ? do_filldir_main+0x530/0x530 [ 63.644356][ T3675] ? inode_go_held+0xe4/0x1f0 [ 63.649068][ T3675] ? gfs2_glock_wait+0x213/0x2a0 [ 63.655491][ T3675] gfs2_lookupi+0x465/0x650 [ 63.660011][ T3675] ? gfs2_lookup_simple+0x170/0x170 [ 63.665242][ T3675] ? __gfs2_lookup+0x8c/0x260 [ 63.669945][ T3675] __gfs2_lookup+0x8c/0x260 [ 63.674446][ T3675] ? gfs2_atomic_open+0x230/0x230 [ 63.679472][ T3675] ? __d_lookup+0x6a4/0x770 [ 63.683966][ T3675] ? d_hash_and_lookup+0x1c0/0x1c0 [ 63.689074][ T3675] gfs2_atomic_open+0xa4/0x230 [ 63.693842][ T3675] path_openat+0xf39/0x2df0 [ 63.698518][ T3675] ? gfs2_rename2+0x3000/0x3000 [ 63.703380][ T3675] ? do_filp_open+0x4f0/0x4f0 [ 63.708063][ T3675] do_filp_open+0x264/0x4f0 [ 63.712575][ T3675] ? vfs_tmpfile+0x490/0x490 [ 63.717192][ T3675] ? do_raw_spin_unlock+0x134/0x8a0 [ 63.722420][ T3675] ? _raw_spin_unlock+0x24/0x40 [ 63.727374][ T3675] ? alloc_fd+0x5a7/0x640 [ 63.731718][ T3675] do_sys_openat2+0x124/0x4e0 [ 63.736397][ T3675] ? print_irqtrace_events+0x220/0x220 [ 63.741851][ T3675] ? ptrace_stop+0x74d/0x970 [ 63.746434][ T3675] ? do_sys_open+0x220/0x220 [ 63.751019][ T3675] ? lockdep_hardirqs_on+0x8d/0x130 [ 63.756213][ T3675] ? _raw_spin_unlock_irq+0x2a/0x40 [ 63.761407][ T3675] ? ptrace_notify+0x245/0x340 [ 63.766187][ T3675] __x64_sys_openat+0x243/0x290 [ 63.771078][ T3675] ? __ia32_sys_open+0x270/0x270 [ 63.776010][ T3675] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 63.781988][ T3675] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 63.787959][ T3675] do_syscall_64+0x3d/0xb0 [ 63.792368][ T3675] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 63.798259][ T3675] RIP: 0033:0x7fc8868064d9 [ 63.802666][ T3675] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 63.822265][ T3675] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 3675] <... openat resumed>) = -1 EIO (Input/output error) [pid 3674] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE [pid 3675] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3674] <... mprotect resumed>) = 0 [pid 3675] <... futex resumed>) = 0 [pid 3674] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID [pid 3675] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3674] <... clone resumed>, parent_tid=[3676], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3676 [pid 3674] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3676 attached [pid 3676] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3676] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3676] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3676] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3674] exit_group(0 [pid 3675] <... futex resumed>) = ? [pid 3674] <... exit_group resumed>) = ? [pid 3675] +++ exited with 0 +++ [pid 3676] <... futex resumed>) = ? [pid 3676] +++ exited with 0 +++ [pid 3674] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3674, si_uid=0, si_status=0, si_utime=2, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./14", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./14/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./14/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./14/binderfs") = 0 [ 63.830667][ T3675] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 63.838629][ T3675] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 63.846589][ T3675] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 63.854564][ T3675] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 63.862541][ T3675] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 63.870515][ T3675] umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./14/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./14/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./14") = 0 mkdir("./15", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3677 ./strace-static-x86_64: Process 3677 attached [pid 3677] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3677] chdir("./15") = 0 [pid 3677] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3677] setpgid(0, 0) = 0 [pid 3677] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3677] write(3, "1000", 4) = 4 [pid 3677] close(3) = 0 [pid 3677] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3677] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3677] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3677] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3677] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3678], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3678 [pid 3677] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3677] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3678 attached [pid 3678] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3678] memfd_create("syzkaller", 0) = 3 [pid 3678] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3678] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3678] munmap(0x7fc87e392000, 16777216) = 0 [pid 3678] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3678] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3678] close(3) = 0 [pid 3678] mkdir("./file0", 0777) = 0 [ 64.173433][ T3678] loop0: detected capacity change from 0 to 32768 [ 64.185736][ T3678] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 64.194225][ T3678] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 64.204688][ T3678] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 64.213757][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 64.220680][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3678] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3678] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3678] chdir("./file0") = 0 [pid 3678] ioctl(4, LOOP_CLR_FD) = 0 [pid 3678] close(4) = 0 [pid 3678] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3677] <... futex resumed>) = 0 [pid 3677] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3677] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3678] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3678] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3677] <... futex resumed>) = 0 [pid 3677] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3677] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 64.258880][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 64.267755][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 64.273262][ T3678] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3678] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3677] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3677] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3677] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3677] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [ 64.309631][ T3678] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 64.318399][ T3678] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 64.318399][ T3678] inode = 12 2341 [ 64.318399][ T3678] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 64.337831][ T3678] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 64.347194][ T3678] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3678 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3677] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3679], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3679 [pid 3677] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3679 attached [pid 3679] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 64.357328][ T3678] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 64.365877][ T3678] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 64.373202][ T3678] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 64.382154][ T3678] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 64.390357][ T3678] gfs2: fsid=syz:syz.0: File system withdrawn [ 64.396458][ T3678] CPU: 0 PID: 3678 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 64.406890][ T3678] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 64.417997][ T3678] Call Trace: [ 64.421350][ T3678] [ 64.424290][ T3678] dump_stack_lvl+0x1b1/0x28e [ 64.429005][ T3678] ? nf_tcp_handle_invalid+0x62e/0x62e [ 64.434606][ T3678] ? panic+0x710/0x710 [ 64.438697][ T3678] ? kobject_uevent_env+0x46b/0x8e0 [ 64.443953][ T3678] ? do_raw_spin_unlock+0x134/0x8a0 [ 64.449191][ T3678] gfs2_withdraw+0xf33/0x1540 [ 64.453893][ T3678] ? gfs2_lm+0x220/0x220 [ 64.458142][ T3678] ? gfs2_dirent_scan+0xb6/0x650 [ 64.463180][ T3678] ? panic+0x710/0x710 [ 64.467278][ T3678] ? gfs2_permission+0x2ff/0x430 [ 64.472239][ T3678] ? gfs2_consist_inode_i+0xf3/0x110 [ 64.477525][ T3678] gfs2_dirent_scan+0x535/0x650 [ 64.482380][ T3678] ? gfs2_dirent_search+0xb10/0xb10 [ 64.487597][ T3678] gfs2_dirent_search+0x2ea/0xb10 [ 64.492644][ T3678] ? gfs2_dirent_search+0xb10/0xb10 [ 64.497864][ T3678] ? gfs2_dir_search+0x2a0/0x2a0 [ 64.502805][ T3678] ? gfs2_permission+0x3bf/0x430 [ 64.507777][ T3678] gfs2_dir_search+0x8c/0x2a0 [ 64.512466][ T3678] ? do_filldir_main+0x530/0x530 [ 64.517487][ T3678] ? inode_go_held+0xe4/0x1f0 [ 64.522210][ T3678] ? gfs2_glock_wait+0x213/0x2a0 [ 64.527244][ T3678] gfs2_lookupi+0x465/0x650 [ 64.531845][ T3678] ? gfs2_lookup_simple+0x170/0x170 [ 64.537047][ T3678] ? __gfs2_lookup+0x8c/0x260 [ 64.541749][ T3678] __gfs2_lookup+0x8c/0x260 [ 64.546295][ T3678] ? gfs2_atomic_open+0x230/0x230 [ 64.551335][ T3678] ? __d_lookup+0x6a4/0x770 [ 64.555835][ T3678] ? d_hash_and_lookup+0x1c0/0x1c0 [ 64.561026][ T3678] gfs2_atomic_open+0xa4/0x230 [ 64.565795][ T3678] path_openat+0xf39/0x2df0 [ 64.570302][ T3678] ? gfs2_rename2+0x3000/0x3000 [ 64.575164][ T3678] ? do_filp_open+0x4f0/0x4f0 [ 64.579848][ T3678] do_filp_open+0x264/0x4f0 [ 64.584344][ T3678] ? vfs_tmpfile+0x490/0x490 [ 64.588948][ T3678] ? do_raw_spin_unlock+0x134/0x8a0 [ 64.594235][ T3678] ? _raw_spin_unlock+0x24/0x40 [ 64.599082][ T3678] ? alloc_fd+0x5a7/0x640 [ 64.603415][ T3678] do_sys_openat2+0x124/0x4e0 [ 64.608088][ T3678] ? print_irqtrace_events+0x220/0x220 [ 64.613537][ T3678] ? ptrace_stop+0x74d/0x970 [ 64.618124][ T3678] ? do_sys_open+0x220/0x220 [ 64.622706][ T3678] ? lockdep_hardirqs_on+0x8d/0x130 [ 64.627898][ T3678] ? _raw_spin_unlock_irq+0x2a/0x40 [ 64.633093][ T3678] ? ptrace_notify+0x245/0x340 [ 64.637847][ T3678] __x64_sys_openat+0x243/0x290 [ 64.642716][ T3678] ? __ia32_sys_open+0x270/0x270 [ 64.647650][ T3678] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 64.653626][ T3678] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 64.659603][ T3678] do_syscall_64+0x3d/0xb0 [ 64.664014][ T3678] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 64.674672][ T3678] RIP: 0033:0x7fc8868064d9 [ 64.679096][ T3678] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 64.698697][ T3678] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 3679] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3679] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3679] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3678] <... openat resumed>) = -1 EIO (Input/output error) [pid 3678] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3678] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3677] exit_group(0 [pid 3679] <... futex resumed>) = ? [pid 3678] <... futex resumed>) = ? [pid 3677] <... exit_group resumed>) = ? [pid 3679] +++ exited with 0 +++ [pid 3678] +++ exited with 0 +++ [pid 3677] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3677, si_uid=0, si_status=0, si_utime=4, si_stime=26} --- umount2("./15", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./15/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./15/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./15/binderfs") = 0 [ 64.707100][ T3678] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 64.715062][ T3678] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 64.723022][ T3678] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 64.730984][ T3678] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 64.738976][ T3678] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 64.747047][ T3678] umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./15/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./15/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./15") = 0 mkdir("./16", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3680 ./strace-static-x86_64: Process 3680 attached [pid 3680] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3680] chdir("./16") = 0 [pid 3680] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3680] setpgid(0, 0) = 0 [pid 3680] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3680] write(3, "1000", 4) = 4 [pid 3680] close(3) = 0 [pid 3680] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3680] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3680] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3680] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3680] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3681], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3681 [pid 3680] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3680] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3681 attached [pid 3681] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3681] memfd_create("syzkaller", 0) = 3 [pid 3681] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3681] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3681] munmap(0x7fc87e392000, 16777216) = 0 [pid 3681] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3681] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3681] close(3) = 0 [pid 3681] mkdir("./file0", 0777) = 0 [ 65.061480][ T3681] loop0: detected capacity change from 0 to 32768 [ 65.071687][ T3681] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 65.080239][ T3681] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 65.090157][ T3681] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 65.098895][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 65.106186][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3681] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3681] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3681] chdir("./file0") = 0 [pid 3681] ioctl(4, LOOP_CLR_FD) = 0 [pid 3681] close(4) = 0 [pid 3681] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3680] <... futex resumed>) = 0 [pid 3680] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3680] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3681] <... futex resumed>) = 1 [pid 3681] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3681] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3680] <... futex resumed>) = 0 [pid 3680] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3680] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3681] <... futex resumed>) = 1 [ 65.141985][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 65.149505][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 65.155140][ T3681] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 65.183670][ T3681] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 65.192507][ T3681] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 65.192507][ T3681] inode = 12 2341 [ 65.192507][ T3681] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 65.211368][ T3681] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 65.220897][ T3681] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3681 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3681] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3680] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3680] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3680] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3680] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3680] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3682], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3682 [pid 3680] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3682 attached [pid 3682] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3682] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3682] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 65.231542][ T3681] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 65.240070][ T3681] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 65.247432][ T3681] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 65.256309][ T3681] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 65.262969][ T3681] gfs2: fsid=syz:syz.0: File system withdrawn [ 65.269054][ T3681] CPU: 0 PID: 3681 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 65.279638][ T3681] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 65.289798][ T3681] Call Trace: [ 65.293100][ T3681] [ 65.296047][ T3681] dump_stack_lvl+0x1b1/0x28e [ 65.300748][ T3681] ? nf_tcp_handle_invalid+0x62e/0x62e [ 65.306222][ T3681] ? panic+0x710/0x710 [ 65.310308][ T3681] ? kobject_uevent_env+0x46b/0x8e0 [ 65.315517][ T3681] ? do_raw_spin_unlock+0x134/0x8a0 [ 65.320727][ T3681] gfs2_withdraw+0xf33/0x1540 [ 65.325420][ T3681] ? gfs2_lm+0x220/0x220 [ 65.329649][ T3681] ? gfs2_dirent_scan+0xb6/0x650 [ 65.334588][ T3681] ? panic+0x710/0x710 [ 65.338748][ T3681] ? gfs2_permission+0x2ff/0x430 [ 65.343692][ T3681] ? gfs2_consist_inode_i+0xf3/0x110 [ 65.348986][ T3681] gfs2_dirent_scan+0x535/0x650 [ 65.353838][ T3681] ? gfs2_dirent_search+0xb10/0xb10 [ 65.359041][ T3681] gfs2_dirent_search+0x2ea/0xb10 [ 65.364081][ T3681] ? gfs2_dirent_search+0xb10/0xb10 [ 65.369285][ T3681] ? gfs2_dir_search+0x2a0/0x2a0 [ 65.374233][ T3681] ? gfs2_permission+0x3bf/0x430 [ 65.379174][ T3681] gfs2_dir_search+0x8c/0x2a0 [ 65.383850][ T3681] ? do_filldir_main+0x530/0x530 [ 65.388784][ T3681] ? inode_go_held+0xe4/0x1f0 [ 65.393457][ T3681] ? gfs2_glock_wait+0x213/0x2a0 [ 65.398389][ T3681] gfs2_lookupi+0x465/0x650 [ 65.402892][ T3681] ? gfs2_lookup_simple+0x170/0x170 [ 65.408087][ T3681] ? __gfs2_lookup+0x8c/0x260 [ 65.412768][ T3681] __gfs2_lookup+0x8c/0x260 [ 65.417269][ T3681] ? gfs2_atomic_open+0x230/0x230 [ 65.422294][ T3681] ? __d_lookup+0x6a4/0x770 [ 65.426791][ T3681] ? d_hash_and_lookup+0x1c0/0x1c0 [ 65.431896][ T3681] gfs2_atomic_open+0xa4/0x230 [ 65.436672][ T3681] path_openat+0xf39/0x2df0 [ 65.441194][ T3681] ? gfs2_rename2+0x3000/0x3000 [ 65.446055][ T3681] ? do_filp_open+0x4f0/0x4f0 [ 65.450737][ T3681] do_filp_open+0x264/0x4f0 [ 65.455231][ T3681] ? vfs_tmpfile+0x490/0x490 [ 65.459823][ T3681] ? do_raw_spin_unlock+0x134/0x8a0 [ 65.465020][ T3681] ? _raw_spin_unlock+0x24/0x40 [ 65.470909][ T3681] ? alloc_fd+0x5a7/0x640 [ 65.475258][ T3681] do_sys_openat2+0x124/0x4e0 [ 65.479929][ T3681] ? print_irqtrace_events+0x220/0x220 [ 65.485738][ T3681] ? ptrace_stop+0x74d/0x970 [ 65.490321][ T3681] ? do_sys_open+0x220/0x220 [ 65.494907][ T3681] ? lockdep_hardirqs_on+0x8d/0x130 [ 65.500104][ T3681] ? _raw_spin_unlock_irq+0x2a/0x40 [ 65.505305][ T3681] ? ptrace_notify+0x245/0x340 [ 65.510062][ T3681] __x64_sys_openat+0x243/0x290 [ 65.514915][ T3681] ? __ia32_sys_open+0x270/0x270 [ 65.519849][ T3681] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 65.525822][ T3681] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 65.531795][ T3681] do_syscall_64+0x3d/0xb0 [ 65.536222][ T3681] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 65.542109][ T3681] RIP: 0033:0x7fc8868064d9 [ 65.546522][ T3681] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 65.568029][ T3681] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 65.576534][ T3681] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3682] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3681] <... openat resumed>) = -1 EIO (Input/output error) [pid 3681] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3681] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3680] exit_group(0 [pid 3681] <... futex resumed>) = ? [pid 3681] +++ exited with 0 +++ [pid 3680] <... exit_group resumed>) = ? [pid 3682] <... futex resumed>) = ? [pid 3682] +++ exited with 0 +++ [pid 3680] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3680, si_uid=0, si_status=0, si_utime=2, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./16", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./16/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./16/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./16/binderfs") = 0 [ 65.584494][ T3681] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 65.592452][ T3681] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 65.600411][ T3681] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 65.608373][ T3681] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 65.616347][ T3681] umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./16/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./16/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./16") = 0 mkdir("./17", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3683 ./strace-static-x86_64: Process 3683 attached [pid 3683] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3683] chdir("./17") = 0 [pid 3683] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3683] setpgid(0, 0) = 0 [pid 3683] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3683] write(3, "1000", 4) = 4 [pid 3683] close(3) = 0 [pid 3683] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3683] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3683] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3683] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3683] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3684], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3684 ./strace-static-x86_64: Process 3684 attached [pid 3684] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3684] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3683] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3684] <... futex resumed>) = 0 [pid 3683] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3684] memfd_create("syzkaller", 0) = 3 [pid 3684] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3684] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3684] munmap(0x7fc87e392000, 16777216) = 0 [pid 3684] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3684] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3684] close(3) = 0 [pid 3684] mkdir("./file0", 0777) = 0 [ 65.967946][ T3684] loop0: detected capacity change from 0 to 32768 [ 65.979584][ T3684] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 65.988222][ T3684] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 65.998090][ T3684] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 66.007247][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 66.014362][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3684] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3684] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3684] chdir("./file0") = 0 [pid 3684] ioctl(4, LOOP_CLR_FD) = 0 [pid 3684] close(4) = 0 [pid 3684] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3683] <... futex resumed>) = 0 [pid 3684] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3683] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3684] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3683] <... futex resumed>) = 0 [pid 3684] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3683] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3684] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3684] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3683] <... futex resumed>) = 0 [pid 3684] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3683] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3684] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3683] <... futex resumed>) = 0 [pid 3684] openat(AT_FDCWD, "./file0", O_RDONLY [ 66.054625][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 66.063965][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 66.069259][ T3684] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3683] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3683] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 66.109192][ T3684] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 66.117892][ T3684] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 66.117892][ T3684] inode = 12 2341 [ 66.117892][ T3684] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 66.136917][ T3684] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 66.146107][ T3684] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3684 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3683] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3683] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3683] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3685], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3685 [pid 3683] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3685 attached [pid 3685] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3685] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3685] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 66.156167][ T3684] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 66.165535][ T3684] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 66.173128][ T3684] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 66.181994][ T3684] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 66.188572][ T3684] gfs2: fsid=syz:syz.0: File system withdrawn [ 66.194933][ T3684] CPU: 1 PID: 3684 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 66.205354][ T3684] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 66.215404][ T3684] Call Trace: [ 66.218688][ T3684] [ 66.221625][ T3684] dump_stack_lvl+0x1b1/0x28e [ 66.226312][ T3684] ? nf_tcp_handle_invalid+0x62e/0x62e [ 66.231770][ T3684] ? panic+0x710/0x710 [ 66.235857][ T3684] ? kobject_uevent_env+0x46b/0x8e0 [ 66.241070][ T3684] ? do_raw_spin_unlock+0x134/0x8a0 [ 66.246270][ T3684] gfs2_withdraw+0xf33/0x1540 [ 66.250950][ T3684] ? gfs2_lm+0x220/0x220 [ 66.255185][ T3684] ? gfs2_dirent_scan+0xb6/0x650 [pid 3685] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3683] exit_group(0 [pid 3685] <... futex resumed>) = ? [pid 3683] <... exit_group resumed>) = ? [pid 3685] +++ exited with 0 +++ [ 66.260126][ T3684] ? panic+0x710/0x710 [ 66.264221][ T3684] ? gfs2_permission+0x2ff/0x430 [ 66.269173][ T3684] ? gfs2_consist_inode_i+0xf3/0x110 [ 66.274465][ T3684] gfs2_dirent_scan+0x535/0x650 [ 66.279330][ T3684] ? gfs2_dirent_search+0xb10/0xb10 [ 66.284536][ T3684] gfs2_dirent_search+0x2ea/0xb10 [ 66.289576][ T3684] ? gfs2_dirent_search+0xb10/0xb10 [ 66.294787][ T3684] ? gfs2_dir_search+0x2a0/0x2a0 [ 66.299741][ T3684] ? gfs2_permission+0x3bf/0x430 [ 66.304680][ T3684] gfs2_dir_search+0x8c/0x2a0 [ 66.309444][ T3684] ? do_filldir_main+0x530/0x530 [ 66.314387][ T3684] ? inode_go_held+0xe4/0x1f0 [ 66.319099][ T3684] ? gfs2_glock_wait+0x213/0x2a0 [ 66.324030][ T3684] gfs2_lookupi+0x465/0x650 [ 66.328546][ T3684] ? gfs2_lookup_simple+0x170/0x170 [ 66.333743][ T3684] ? __gfs2_lookup+0x8c/0x260 [ 66.338418][ T3684] __gfs2_lookup+0x8c/0x260 [ 66.342916][ T3684] ? gfs2_atomic_open+0x230/0x230 [ 66.349496][ T3684] ? __d_lookup+0x6a4/0x770 [ 66.353993][ T3684] ? d_hash_and_lookup+0x1c0/0x1c0 [ 66.359095][ T3684] gfs2_atomic_open+0xa4/0x230 [ 66.363948][ T3684] path_openat+0xf39/0x2df0 [ 66.368462][ T3684] ? gfs2_rename2+0x3000/0x3000 [ 66.373340][ T3684] ? do_filp_open+0x4f0/0x4f0 [ 66.378054][ T3684] do_filp_open+0x264/0x4f0 [ 66.382599][ T3684] ? vfs_tmpfile+0x490/0x490 [ 66.387195][ T3684] ? do_raw_spin_unlock+0x134/0x8a0 [ 66.392389][ T3684] ? _raw_spin_unlock+0x24/0x40 [ 66.397756][ T3684] ? alloc_fd+0x5a7/0x640 [ 66.402081][ T3684] do_sys_openat2+0x124/0x4e0 [ 66.406753][ T3684] ? print_irqtrace_events+0x220/0x220 [ 66.412212][ T3684] ? ptrace_stop+0x74d/0x970 [ 66.416809][ T3684] ? do_sys_open+0x220/0x220 [ 66.421408][ T3684] ? lockdep_hardirqs_on+0x8d/0x130 [ 66.426609][ T3684] ? _raw_spin_unlock_irq+0x2a/0x40 [ 66.431819][ T3684] ? ptrace_notify+0x245/0x340 [ 66.436588][ T3684] __x64_sys_openat+0x243/0x290 [ 66.441447][ T3684] ? __ia32_sys_open+0x270/0x270 [ 66.447613][ T3684] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 66.453589][ T3684] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 66.459573][ T3684] do_syscall_64+0x3d/0xb0 [ 66.463996][ T3684] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 66.469878][ T3684] RIP: 0033:0x7fc8868064d9 [ 66.474285][ T3684] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 66.493985][ T3684] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 66.502412][ T3684] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3684] <... openat resumed>) = ? [pid 3684] +++ exited with 0 +++ [pid 3683] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3683, si_uid=0, si_status=0, si_utime=3, si_stime=26} --- umount2("./17", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./17/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./17/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./17/binderfs") = 0 [ 66.511162][ T3684] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 66.519130][ T3684] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 66.527110][ T3684] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 66.535098][ T3684] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 66.543080][ T3684] umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./17/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./17/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./17") = 0 mkdir("./18", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3686 ./strace-static-x86_64: Process 3686 attached [pid 3686] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3686] chdir("./18") = 0 [pid 3686] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3686] setpgid(0, 0) = 0 [pid 3686] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3686] write(3, "1000", 4) = 4 [pid 3686] close(3) = 0 [pid 3686] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3686] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3686] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3686] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3686] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3687], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3687 [pid 3686] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3686] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3687 attached [pid 3687] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3687] memfd_create("syzkaller", 0) = 3 [pid 3687] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3687] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3687] munmap(0x7fc87e392000, 16777216) = 0 [pid 3687] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3687] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3687] close(3) = 0 [pid 3687] mkdir("./file0", 0777) = 0 [ 66.857991][ T3687] loop0: detected capacity change from 0 to 32768 [ 66.868937][ T3687] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 66.877221][ T3687] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 66.887085][ T3687] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 66.895862][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 66.902844][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3687] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3687] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3687] chdir("./file0") = 0 [pid 3687] ioctl(4, LOOP_CLR_FD) = 0 [pid 3687] close(4) = 0 [pid 3687] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3686] <... futex resumed>) = 0 [pid 3687] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3686] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3687] <... futex resumed>) = 0 [pid 3686] <... futex resumed>) = 1 [pid 3687] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3686] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3687] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3686] <... futex resumed>) = 0 [pid 3687] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3686] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 66.938281][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 66.947090][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 66.952487][ T3687] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 66.973191][ T3687] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3686] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3686] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 66.982466][ T3687] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 66.982466][ T3687] inode = 12 2341 [ 66.982466][ T3687] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 67.001406][ T3687] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 67.010844][ T3687] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3687 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 67.021232][ T3687] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 67.029669][ T3687] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3686] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3686] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3686] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3688], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3688 [pid 3686] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3688 attached [pid 3688] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3688] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3688] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 67.037290][ T3687] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 67.046449][ T3687] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 67.053365][ T3687] gfs2: fsid=syz:syz.0: File system withdrawn [ 67.059464][ T3687] CPU: 1 PID: 3687 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 67.069884][ T3687] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 67.079930][ T3687] Call Trace: [ 67.083215][ T3687] [ 67.086143][ T3687] dump_stack_lvl+0x1b1/0x28e [ 67.093159][ T3687] ? nf_tcp_handle_invalid+0x62e/0x62e [ 67.098611][ T3687] ? panic+0x710/0x710 [ 67.102675][ T3687] ? kobject_uevent_env+0x46b/0x8e0 [ 67.107878][ T3687] ? do_raw_spin_unlock+0x134/0x8a0 [ 67.113122][ T3687] gfs2_withdraw+0xf33/0x1540 [ 67.117817][ T3687] ? gfs2_lm+0x220/0x220 [ 67.122049][ T3687] ? gfs2_dirent_scan+0xb6/0x650 [ 67.126980][ T3687] ? panic+0x710/0x710 [ 67.131039][ T3687] ? gfs2_permission+0x2ff/0x430 [ 67.135972][ T3687] ? gfs2_consist_inode_i+0xf3/0x110 [ 67.141251][ T3687] gfs2_dirent_scan+0x535/0x650 [ 67.146099][ T3687] ? gfs2_dirent_search+0xb10/0xb10 [ 67.151298][ T3687] gfs2_dirent_search+0x2ea/0xb10 [ 67.156323][ T3687] ? gfs2_dirent_search+0xb10/0xb10 [ 67.161515][ T3687] ? gfs2_dir_search+0x2a0/0x2a0 [ 67.166454][ T3687] ? gfs2_permission+0x3bf/0x430 [ 67.171417][ T3687] gfs2_dir_search+0x8c/0x2a0 [ 67.176092][ T3687] ? do_filldir_main+0x530/0x530 [ 67.181030][ T3687] ? inode_go_held+0xe4/0x1f0 [ 67.185706][ T3687] ? gfs2_glock_wait+0x213/0x2a0 [ 67.190646][ T3687] gfs2_lookupi+0x465/0x650 [ 67.195161][ T3687] ? gfs2_lookup_simple+0x170/0x170 [ 67.200354][ T3687] ? __gfs2_lookup+0x8c/0x260 [ 67.205032][ T3687] __gfs2_lookup+0x8c/0x260 [ 67.209616][ T3687] ? gfs2_atomic_open+0x230/0x230 [ 67.214726][ T3687] ? __d_lookup+0x6a4/0x770 [ 67.219222][ T3687] ? d_hash_and_lookup+0x1c0/0x1c0 [ 67.224326][ T3687] gfs2_atomic_open+0xa4/0x230 [ 67.229083][ T3687] path_openat+0xf39/0x2df0 [ 67.233589][ T3687] ? gfs2_rename2+0x3000/0x3000 [ 67.238451][ T3687] ? do_filp_open+0x4f0/0x4f0 [ 67.243137][ T3687] do_filp_open+0x264/0x4f0 [ 67.247629][ T3687] ? vfs_tmpfile+0x490/0x490 [ 67.252218][ T3687] ? do_raw_spin_unlock+0x134/0x8a0 [ 67.257414][ T3687] ? _raw_spin_unlock+0x24/0x40 [ 67.262278][ T3687] ? alloc_fd+0x5a7/0x640 [ 67.266608][ T3687] do_sys_openat2+0x124/0x4e0 [ 67.271364][ T3687] ? print_irqtrace_events+0x220/0x220 [ 67.276812][ T3687] ? ptrace_stop+0x74d/0x970 [ 67.281395][ T3687] ? do_sys_open+0x220/0x220 [ 67.285980][ T3687] ? lockdep_hardirqs_on+0x8d/0x130 [ 67.291171][ T3687] ? _raw_spin_unlock_irq+0x2a/0x40 [ 67.296366][ T3687] ? ptrace_notify+0x245/0x340 [ 67.301129][ T3687] __x64_sys_openat+0x243/0x290 [ 67.305974][ T3687] ? __ia32_sys_open+0x270/0x270 [ 67.310905][ T3687] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 67.316884][ T3687] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 67.322868][ T3687] do_syscall_64+0x3d/0xb0 [ 67.327276][ T3687] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 67.333161][ T3687] RIP: 0033:0x7fc8868064d9 [ 67.337566][ T3687] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 67.357169][ T3687] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 67.365574][ T3687] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 67.373536][ T3687] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 67.381497][ T3687] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3688] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3687] <... openat resumed>) = -1 EIO (Input/output error) [pid 3687] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3686] exit_group(0 [pid 3687] <... futex resumed>) = ? [pid 3686] <... exit_group resumed>) = ? [pid 3688] <... futex resumed>) = ? [pid 3687] +++ exited with 0 +++ [pid 3688] +++ exited with 0 +++ [pid 3686] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3686, si_uid=0, si_status=0, si_utime=4, si_stime=26} --- umount2("./18", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./18/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./18/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./18/binderfs") = 0 [ 67.389458][ T3687] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 67.397422][ T3687] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 67.405399][ T3687] umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./18/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./18/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./18") = 0 mkdir("./19", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3689 ./strace-static-x86_64: Process 3689 attached [pid 3689] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3689] chdir("./19") = 0 [pid 3689] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3689] setpgid(0, 0) = 0 [pid 3689] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3689] write(3, "1000", 4) = 4 [pid 3689] close(3) = 0 [pid 3689] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3689] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3689] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3689] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3689] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3690], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3690 ./strace-static-x86_64: Process 3690 attached [pid 3690] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3690] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3689] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3690] <... futex resumed>) = 0 [pid 3689] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3690] memfd_create("syzkaller", 0) = 3 [pid 3690] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3690] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3690] munmap(0x7fc87e392000, 16777216) = 0 [pid 3690] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3690] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3690] close(3) = 0 [pid 3690] mkdir("./file0", 0777) = 0 [ 67.710618][ T3690] loop0: detected capacity change from 0 to 32768 [ 67.723500][ T3690] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 67.731969][ T3690] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 67.741376][ T3690] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 67.749841][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 67.757124][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3690] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3690] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3690] chdir("./file0") = 0 [pid 3690] ioctl(4, LOOP_CLR_FD) = 0 [pid 3690] close(4) = 0 [pid 3690] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3690] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3689] <... futex resumed>) = 0 [pid 3689] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3690] <... futex resumed>) = 0 [pid 3689] <... futex resumed>) = 1 [pid 3690] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3690] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3690] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3689] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 3689] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3690] <... futex resumed>) = 0 [pid 3689] <... futex resumed>) = 1 [pid 3690] openat(AT_FDCWD, "./file0", O_RDONLY [ 67.792366][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 67.801352][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 67.806591][ T3690] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 67.845011][ T3690] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 67.853626][ T3690] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 67.853626][ T3690] inode = 12 2341 [ 67.853626][ T3690] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 67.872515][ T3690] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 67.881738][ T3690] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3690 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3689] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3689] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3689] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3689] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3689] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3691], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3691 ./strace-static-x86_64: Process 3691 attached [pid 3689] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3691] set_robust_list(0x7fc87f3919e0, 24 [pid 3689] <... futex resumed>) = 0 [pid 3691] <... set_robust_list resumed>) = 0 [pid 3691] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3691] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 67.891921][ T3690] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 67.902123][ T3690] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 67.909837][ T3690] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 67.921128][ T3690] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 67.929349][ T3690] gfs2: fsid=syz:syz.0: File system withdrawn [ 67.935550][ T3690] CPU: 0 PID: 3690 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 67.945976][ T3690] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 67.956036][ T3690] Call Trace: [ 67.959309][ T3690] [ 67.962234][ T3690] dump_stack_lvl+0x1b1/0x28e [ 67.966922][ T3690] ? nf_tcp_handle_invalid+0x62e/0x62e [ 67.972401][ T3690] ? panic+0x710/0x710 [ 67.976488][ T3690] ? kobject_uevent_env+0x46b/0x8e0 [ 67.981693][ T3690] ? do_raw_spin_unlock+0x134/0x8a0 [ 67.986905][ T3690] gfs2_withdraw+0xf33/0x1540 [ 67.991601][ T3690] ? gfs2_lm+0x220/0x220 [ 67.995838][ T3690] ? gfs2_dirent_scan+0xb6/0x650 [ 68.000799][ T3690] ? panic+0x710/0x710 [ 68.004863][ T3690] ? gfs2_permission+0x2ff/0x430 [ 68.009863][ T3690] ? gfs2_consist_inode_i+0xf3/0x110 [ 68.015156][ T3690] gfs2_dirent_scan+0x535/0x650 [ 68.020004][ T3690] ? gfs2_dirent_search+0xb10/0xb10 [ 68.025217][ T3690] gfs2_dirent_search+0x2ea/0xb10 [ 68.030257][ T3690] ? gfs2_dirent_search+0xb10/0xb10 [ 68.035471][ T3690] ? gfs2_dir_search+0x2a0/0x2a0 [ 68.040750][ T3690] ? gfs2_permission+0x3bf/0x430 [ 68.045703][ T3690] gfs2_dir_search+0x8c/0x2a0 [ 68.050400][ T3690] ? do_filldir_main+0x530/0x530 [ 68.055335][ T3690] ? inode_go_held+0xe4/0x1f0 [ 68.060021][ T3690] ? gfs2_glock_wait+0x213/0x2a0 [ 68.065243][ T3690] gfs2_lookupi+0x465/0x650 [ 68.069760][ T3690] ? gfs2_lookup_simple+0x170/0x170 [ 68.074986][ T3690] ? __gfs2_lookup+0x8c/0x260 [ 68.079700][ T3690] __gfs2_lookup+0x8c/0x260 [ 68.084218][ T3690] ? gfs2_atomic_open+0x230/0x230 [ 68.089294][ T3690] ? __d_lookup+0x6a4/0x770 [pid 3691] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3689] exit_group(0 [pid 3691] <... futex resumed>) = ? [pid 3689] <... exit_group resumed>) = ? [pid 3691] +++ exited with 0 +++ [ 68.093807][ T3690] ? d_hash_and_lookup+0x1c0/0x1c0 [ 68.099003][ T3690] gfs2_atomic_open+0xa4/0x230 [ 68.103773][ T3690] path_openat+0xf39/0x2df0 [ 68.108294][ T3690] ? gfs2_rename2+0x3000/0x3000 [ 68.113174][ T3690] ? do_filp_open+0x4f0/0x4f0 [ 68.117878][ T3690] do_filp_open+0x264/0x4f0 [ 68.122402][ T3690] ? vfs_tmpfile+0x490/0x490 [ 68.126993][ T3690] ? do_raw_spin_unlock+0x134/0x8a0 [ 68.132372][ T3690] ? _raw_spin_unlock+0x24/0x40 [ 68.137228][ T3690] ? alloc_fd+0x5a7/0x640 [ 68.141567][ T3690] do_sys_openat2+0x124/0x4e0 [ 68.146257][ T3690] ? print_irqtrace_events+0x220/0x220 [ 68.151707][ T3690] ? ptrace_stop+0x74d/0x970 [ 68.156294][ T3690] ? do_sys_open+0x220/0x220 [ 68.160878][ T3690] ? lockdep_hardirqs_on+0x8d/0x130 [ 68.166071][ T3690] ? _raw_spin_unlock_irq+0x2a/0x40 [ 68.171263][ T3690] ? ptrace_notify+0x245/0x340 [ 68.176031][ T3690] __x64_sys_openat+0x243/0x290 [ 68.180893][ T3690] ? __ia32_sys_open+0x270/0x270 [ 68.185836][ T3690] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 68.191826][ T3690] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 68.197828][ T3690] do_syscall_64+0x3d/0xb0 [ 68.202238][ T3690] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 68.208129][ T3690] RIP: 0033:0x7fc8868064d9 [ 68.212563][ T3690] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 68.232167][ T3690] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 3690] <... openat resumed>) = ? [pid 3690] +++ exited with 0 +++ [pid 3689] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3689, si_uid=0, si_status=0, si_utime=2, si_stime=25} --- umount2("./19", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./19/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./19/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./19/binderfs") = 0 [ 68.242226][ T3690] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 68.250204][ T3690] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 68.258166][ T3690] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 68.266213][ T3690] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 68.274194][ T3690] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 68.282183][ T3690] umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./19/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./19/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./19") = 0 mkdir("./20", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3692 ./strace-static-x86_64: Process 3692 attached [pid 3692] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3692] chdir("./20") = 0 [pid 3692] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3692] setpgid(0, 0) = 0 [pid 3692] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3692] write(3, "1000", 4) = 4 [pid 3692] close(3) = 0 [pid 3692] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3692] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3692] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3692] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3692] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3693], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3693 [pid 3692] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3692] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3693 attached [pid 3693] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3693] memfd_create("syzkaller", 0) = 3 [pid 3693] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3693] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3693] munmap(0x7fc87e392000, 16777216) = 0 [pid 3693] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3693] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3693] close(3) = 0 [pid 3693] mkdir("./file0", 0777) = 0 [ 68.587602][ T3693] loop0: detected capacity change from 0 to 32768 [ 68.597243][ T3693] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 68.605769][ T3693] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 68.616409][ T3693] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 68.625371][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 68.632463][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3693] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3693] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3693] chdir("./file0") = 0 [pid 3693] ioctl(4, LOOP_CLR_FD) = 0 [pid 3693] close(4) = 0 [pid 3693] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3692] <... futex resumed>) = 0 [pid 3692] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3692] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3693] <... futex resumed>) = 1 [pid 3693] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3693] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3692] <... futex resumed>) = 0 [pid 3692] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3692] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3693] <... futex resumed>) = 1 [ 68.670309][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 68.677808][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 68.683162][ T3693] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 68.697034][ T3693] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 68.705622][ T3693] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 68.705622][ T3693] inode = 12 2341 [pid 3693] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3692] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3692] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3692] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3692] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3692] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3694], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3694 [pid 3692] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3694 attached [pid 3694] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 68.705622][ T3693] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 68.724684][ T3693] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 68.734204][ T3693] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3693 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 68.744396][ T3693] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 68.753099][ T3693] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 68.760401][ T3693] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 3694] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3694] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 68.769255][ T3693] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 68.775855][ T3693] gfs2: fsid=syz:syz.0: File system withdrawn [ 68.782027][ T3693] CPU: 0 PID: 3693 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 68.792450][ T3693] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 68.802510][ T3693] Call Trace: [ 68.805788][ T3693] [ 68.808734][ T3693] dump_stack_lvl+0x1b1/0x28e [ 68.813433][ T3693] ? nf_tcp_handle_invalid+0x62e/0x62e [ 68.818905][ T3693] ? panic+0x710/0x710 [ 68.822980][ T3693] ? kobject_uevent_env+0x46b/0x8e0 [ 68.828173][ T3693] ? do_raw_spin_unlock+0x134/0x8a0 [ 68.833371][ T3693] gfs2_withdraw+0xf33/0x1540 [ 68.838142][ T3693] ? gfs2_lm+0x220/0x220 [ 68.842373][ T3693] ? gfs2_dirent_scan+0xb6/0x650 [ 68.847313][ T3693] ? panic+0x710/0x710 [ 68.851395][ T3693] ? gfs2_permission+0x2ff/0x430 [ 68.856343][ T3693] ? gfs2_consist_inode_i+0xf3/0x110 [ 68.861706][ T3693] gfs2_dirent_scan+0x535/0x650 [pid 3694] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3692] exit_group(0 [pid 3694] <... futex resumed>) = ? [pid 3692] <... exit_group resumed>) = ? [pid 3694] +++ exited with 0 +++ [ 68.866549][ T3693] ? gfs2_dirent_search+0xb10/0xb10 [ 68.871742][ T3693] gfs2_dirent_search+0x2ea/0xb10 [ 68.876773][ T3693] ? gfs2_dirent_search+0xb10/0xb10 [ 68.881986][ T3693] ? gfs2_dir_search+0x2a0/0x2a0 [ 68.886918][ T3693] ? gfs2_permission+0x3bf/0x430 [ 68.891889][ T3693] gfs2_dir_search+0x8c/0x2a0 [ 68.896577][ T3693] ? do_filldir_main+0x530/0x530 [ 68.901533][ T3693] ? inode_go_held+0xe4/0x1f0 [ 68.906208][ T3693] ? gfs2_glock_wait+0x213/0x2a0 [ 68.911143][ T3693] gfs2_lookupi+0x465/0x650 [ 68.915647][ T3693] ? gfs2_lookup_simple+0x170/0x170 [ 68.920839][ T3693] ? __gfs2_lookup+0x8c/0x260 [ 68.925517][ T3693] __gfs2_lookup+0x8c/0x260 [ 68.930022][ T3693] ? gfs2_atomic_open+0x230/0x230 [ 68.935073][ T3693] ? __d_lookup+0x6a4/0x770 [ 68.939570][ T3693] ? d_hash_and_lookup+0x1c0/0x1c0 [ 68.944688][ T3693] gfs2_atomic_open+0xa4/0x230 [ 68.949463][ T3693] path_openat+0xf39/0x2df0 [ 68.954062][ T3693] ? gfs2_rename2+0x3000/0x3000 [ 68.958935][ T3693] ? do_filp_open+0x4f0/0x4f0 [ 68.963714][ T3693] do_filp_open+0x264/0x4f0 [ 68.968209][ T3693] ? vfs_tmpfile+0x490/0x490 [ 68.972809][ T3693] ? do_raw_spin_unlock+0x134/0x8a0 [ 68.978054][ T3693] ? _raw_spin_unlock+0x24/0x40 [ 68.982931][ T3693] ? alloc_fd+0x5a7/0x640 [ 68.987259][ T3693] do_sys_openat2+0x124/0x4e0 [ 68.991938][ T3693] ? print_irqtrace_events+0x220/0x220 [ 68.997410][ T3693] ? ptrace_stop+0x74d/0x970 [ 69.002008][ T3693] ? do_sys_open+0x220/0x220 [ 69.006588][ T3693] ? lockdep_hardirqs_on+0x8d/0x130 [ 69.011776][ T3693] ? _raw_spin_unlock_irq+0x2a/0x40 [ 69.016967][ T3693] ? ptrace_notify+0x245/0x340 [ 69.021806][ T3693] __x64_sys_openat+0x243/0x290 [ 69.026651][ T3693] ? __ia32_sys_open+0x270/0x270 [ 69.031577][ T3693] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 69.037565][ T3693] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 69.043546][ T3693] do_syscall_64+0x3d/0xb0 [ 69.047954][ T3693] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 69.053931][ T3693] RIP: 0033:0x7fc8868064d9 [ 69.058400][ T3693] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 69.078003][ T3693] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 69.087452][ T3693] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 69.095419][ T3693] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 69.103394][ T3693] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 69.111354][ T3693] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3693] <... openat resumed>) = ? [pid 3693] +++ exited with 0 +++ [pid 3692] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3692, si_uid=0, si_status=0, si_utime=1, si_stime=29} --- umount2("./20", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./20/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./20/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./20/binderfs") = 0 [ 69.119321][ T3693] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 69.127313][ T3693] umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./20/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./20/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./20") = 0 mkdir("./21", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3695 ./strace-static-x86_64: Process 3695 attached [pid 3695] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3695] chdir("./21") = 0 [pid 3695] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3695] setpgid(0, 0) = 0 [pid 3695] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3695] write(3, "1000", 4) = 4 [pid 3695] close(3) = 0 [pid 3695] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3695] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3695] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3695] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3695] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3696 attached , parent_tid=[3696], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3696 [pid 3695] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3695] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3696] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3696] memfd_create("syzkaller", 0) = 3 [pid 3696] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3696] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3696] munmap(0x7fc87e392000, 16777216) = 0 [pid 3696] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3696] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3696] close(3) = 0 [pid 3696] mkdir("./file0", 0777) = 0 [ 69.443966][ T3696] loop0: detected capacity change from 0 to 32768 [ 69.453733][ T3696] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 69.462268][ T3696] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 69.472620][ T3696] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 69.481241][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 69.488001][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3696] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3696] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3696] chdir("./file0") = 0 [pid 3696] ioctl(4, LOOP_CLR_FD) = 0 [pid 3696] close(4) = 0 [pid 3696] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3695] <... futex resumed>) = 0 [pid 3696] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3695] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3695] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3696] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3696] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3695] <... futex resumed>) = 0 [pid 3696] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3695] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 69.526918][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 69.534659][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 69.540024][ T3696] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 69.553179][ T3696] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 69.561826][ T3696] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 69.561826][ T3696] inode = 12 2341 [pid 3695] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3695] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3695] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3695] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3695] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3697], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3697 [pid 3695] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 69.561826][ T3696] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 69.580804][ T3696] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 69.589986][ T3696] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3696 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 69.600522][ T3696] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 69.609130][ T3696] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 69.616449][ T3696] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. ./strace-static-x86_64: Process 3697 attached [pid 3697] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3697] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3697] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 69.625331][ T3696] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 69.632017][ T3696] gfs2: fsid=syz:syz.0: File system withdrawn [ 69.638147][ T3696] CPU: 0 PID: 3696 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 69.648566][ T3696] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 69.658631][ T3696] Call Trace: [ 69.661903][ T3696] [ 69.664842][ T3696] dump_stack_lvl+0x1b1/0x28e [ 69.669542][ T3696] ? nf_tcp_handle_invalid+0x62e/0x62e [ 69.675029][ T3696] ? panic+0x710/0x710 [ 69.679110][ T3696] ? kobject_uevent_env+0x46b/0x8e0 [ 69.684299][ T3696] ? do_raw_spin_unlock+0x134/0x8a0 [ 69.689506][ T3696] gfs2_withdraw+0xf33/0x1540 [ 69.694209][ T3696] ? gfs2_lm+0x220/0x220 [ 69.698455][ T3696] ? gfs2_dirent_scan+0xb6/0x650 [ 69.703410][ T3696] ? panic+0x710/0x710 [ 69.707489][ T3696] ? gfs2_permission+0x2ff/0x430 [ 69.712424][ T3696] ? gfs2_consist_inode_i+0xf3/0x110 [ 69.717717][ T3696] gfs2_dirent_scan+0x535/0x650 [ 69.722679][ T3696] ? gfs2_dirent_search+0xb10/0xb10 [pid 3697] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3695] exit_group(0 [pid 3697] <... futex resumed>) = ? [pid 3695] <... exit_group resumed>) = ? [pid 3697] +++ exited with 0 +++ [ 69.727877][ T3696] gfs2_dirent_search+0x2ea/0xb10 [ 69.732968][ T3696] ? gfs2_dirent_search+0xb10/0xb10 [ 69.738198][ T3696] ? gfs2_dir_search+0x2a0/0x2a0 [ 69.743164][ T3696] ? gfs2_permission+0x3bf/0x430 [ 69.748125][ T3696] gfs2_dir_search+0x8c/0x2a0 [ 69.752809][ T3696] ? do_filldir_main+0x530/0x530 [ 69.757761][ T3696] ? inode_go_held+0xe4/0x1f0 [ 69.762476][ T3696] ? gfs2_glock_wait+0x213/0x2a0 [ 69.767418][ T3696] gfs2_lookupi+0x465/0x650 [ 69.771946][ T3696] ? gfs2_lookup_simple+0x170/0x170 [ 69.777154][ T3696] ? __gfs2_lookup+0x8c/0x260 [ 69.781829][ T3696] __gfs2_lookup+0x8c/0x260 [ 69.786327][ T3696] ? gfs2_atomic_open+0x230/0x230 [ 69.791368][ T3696] ? __d_lookup+0x6a4/0x770 [ 69.795885][ T3696] ? d_hash_and_lookup+0x1c0/0x1c0 [ 69.800994][ T3696] gfs2_atomic_open+0xa4/0x230 [ 69.805774][ T3696] path_openat+0xf39/0x2df0 [ 69.810276][ T3696] ? gfs2_rename2+0x3000/0x3000 [ 69.815133][ T3696] ? do_filp_open+0x4f0/0x4f0 [ 69.819810][ T3696] do_filp_open+0x264/0x4f0 [ 69.824319][ T3696] ? vfs_tmpfile+0x490/0x490 [ 69.828934][ T3696] ? do_raw_spin_unlock+0x134/0x8a0 [ 69.834169][ T3696] ? _raw_spin_unlock+0x24/0x40 [ 69.839015][ T3696] ? alloc_fd+0x5a7/0x640 [ 69.843432][ T3696] do_sys_openat2+0x124/0x4e0 [ 69.848104][ T3696] ? print_irqtrace_events+0x220/0x220 [ 69.853556][ T3696] ? ptrace_stop+0x74d/0x970 [ 69.858153][ T3696] ? do_sys_open+0x220/0x220 [ 69.862755][ T3696] ? lockdep_hardirqs_on+0x8d/0x130 [ 69.867948][ T3696] ? _raw_spin_unlock_irq+0x2a/0x40 [ 69.873162][ T3696] ? ptrace_notify+0x245/0x340 [ 69.877938][ T3696] __x64_sys_openat+0x243/0x290 [ 69.882794][ T3696] ? __ia32_sys_open+0x270/0x270 [ 69.887744][ T3696] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 69.893733][ T3696] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 69.899742][ T3696] do_syscall_64+0x3d/0xb0 [ 69.904157][ T3696] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 69.910041][ T3696] RIP: 0033:0x7fc8868064d9 [ 69.914464][ T3696] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 69.934181][ T3696] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 69.942605][ T3696] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 69.950577][ T3696] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 69.958846][ T3696] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 69.966878][ T3696] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3696] <... openat resumed>) = ? [pid 3696] +++ exited with 0 +++ [pid 3695] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3695, si_uid=0, si_status=0, si_utime=2, si_stime=31} --- umount2("./21", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./21/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./21/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./21/binderfs") = 0 [ 69.974855][ T3696] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 69.982921][ T3696] umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./21/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./21/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./21") = 0 mkdir("./22", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3698 ./strace-static-x86_64: Process 3698 attached [pid 3698] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3698] chdir("./22") = 0 [pid 3698] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3698] setpgid(0, 0) = 0 [pid 3698] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3698] write(3, "1000", 4) = 4 [pid 3698] close(3) = 0 [pid 3698] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3698] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3698] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3698] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3698] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3699], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3699 [pid 3698] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3698] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3699 attached [pid 3699] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3699] memfd_create("syzkaller", 0) = 3 [pid 3699] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3699] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3699] munmap(0x7fc87e392000, 16777216) = 0 [pid 3699] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3699] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3699] close(3) = 0 [pid 3699] mkdir("./file0", 0777) = 0 [ 70.279757][ T3699] loop0: detected capacity change from 0 to 32768 [ 70.289574][ T3699] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 70.298619][ T3699] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 70.307826][ T3699] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 70.316421][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 70.323328][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3699] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3699] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3699] chdir("./file0") = 0 [pid 3699] ioctl(4, LOOP_CLR_FD) = 0 [pid 3699] close(4) = 0 [pid 3699] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3698] <... futex resumed>) = 0 [pid 3699] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3698] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3699] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3698] <... futex resumed>) = 0 [pid 3699] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3698] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3699] <... futex resumed>) = 0 [pid 3698] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3699] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3698] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 70.358822][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 70.366402][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 70.372442][ T3699] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 70.386339][ T3699] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 70.395281][ T3699] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 70.395281][ T3699] inode = 12 2341 [pid 3698] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3698] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3698] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3698] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3698] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3700], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3700 [pid 3698] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3700 attached [pid 3700] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3700] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3700] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 70.395281][ T3699] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 70.414493][ T3699] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 70.424068][ T3699] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3699 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 70.434487][ T3699] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 70.443489][ T3699] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 70.453619][ T3699] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 70.462567][ T3699] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 70.469138][ T3699] gfs2: fsid=syz:syz.0: File system withdrawn [ 70.475362][ T3699] CPU: 0 PID: 3699 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 70.485803][ T3699] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 70.495878][ T3699] Call Trace: [ 70.499163][ T3699] [ 70.502087][ T3699] dump_stack_lvl+0x1b1/0x28e [ 70.506759][ T3699] ? nf_tcp_handle_invalid+0x62e/0x62e [ 70.512215][ T3699] ? panic+0x710/0x710 [ 70.516308][ T3699] ? kobject_uevent_env+0x46b/0x8e0 [ 70.521501][ T3699] ? do_raw_spin_unlock+0x134/0x8a0 [ 70.526708][ T3699] gfs2_withdraw+0xf33/0x1540 [ 70.531409][ T3699] ? gfs2_lm+0x220/0x220 [ 70.535642][ T3699] ? gfs2_dirent_scan+0xb6/0x650 [ 70.540602][ T3699] ? panic+0x710/0x710 [ 70.544678][ T3699] ? gfs2_permission+0x2ff/0x430 [ 70.549611][ T3699] ? gfs2_consist_inode_i+0xf3/0x110 [ 70.554897][ T3699] gfs2_dirent_scan+0x535/0x650 [pid 3700] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3698] exit_group(0 [pid 3700] <... futex resumed>) = ? [pid 3698] <... exit_group resumed>) = ? [pid 3700] +++ exited with 0 +++ [ 70.559764][ T3699] ? gfs2_dirent_search+0xb10/0xb10 [ 70.564962][ T3699] gfs2_dirent_search+0x2ea/0xb10 [ 70.569990][ T3699] ? gfs2_dirent_search+0xb10/0xb10 [ 70.575181][ T3699] ? gfs2_dir_search+0x2a0/0x2a0 [ 70.580116][ T3699] ? gfs2_permission+0x3bf/0x430 [ 70.585075][ T3699] gfs2_dir_search+0x8c/0x2a0 [ 70.589746][ T3699] ? do_filldir_main+0x530/0x530 [ 70.594692][ T3699] ? inode_go_held+0xe4/0x1f0 [ 70.599409][ T3699] ? gfs2_glock_wait+0x213/0x2a0 [ 70.604360][ T3699] gfs2_lookupi+0x465/0x650 [ 70.608868][ T3699] ? gfs2_lookup_simple+0x170/0x170 [ 70.614060][ T3699] ? __gfs2_lookup+0x8c/0x260 [ 70.618748][ T3699] __gfs2_lookup+0x8c/0x260 [ 70.623282][ T3699] ? gfs2_atomic_open+0x230/0x230 [ 70.628326][ T3699] ? __d_lookup+0x6a4/0x770 [ 70.632831][ T3699] ? d_hash_and_lookup+0x1c0/0x1c0 [ 70.638127][ T3699] gfs2_atomic_open+0xa4/0x230 [ 70.642891][ T3699] path_openat+0xf39/0x2df0 [ 70.647389][ T3699] ? gfs2_rename2+0x3000/0x3000 [ 70.652262][ T3699] ? do_filp_open+0x4f0/0x4f0 [ 70.656958][ T3699] do_filp_open+0x264/0x4f0 [ 70.661449][ T3699] ? vfs_tmpfile+0x490/0x490 [ 70.666046][ T3699] ? do_raw_spin_unlock+0x134/0x8a0 [ 70.671255][ T3699] ? _raw_spin_unlock+0x24/0x40 [ 70.676100][ T3699] ? alloc_fd+0x5a7/0x640 [ 70.680426][ T3699] do_sys_openat2+0x124/0x4e0 [ 70.685094][ T3699] ? print_irqtrace_events+0x220/0x220 [ 70.690544][ T3699] ? ptrace_stop+0x74d/0x970 [ 70.695133][ T3699] ? do_sys_open+0x220/0x220 [ 70.699712][ T3699] ? lockdep_hardirqs_on+0x8d/0x130 [ 70.704898][ T3699] ? _raw_spin_unlock_irq+0x2a/0x40 [ 70.710097][ T3699] ? ptrace_notify+0x245/0x340 [ 70.714867][ T3699] __x64_sys_openat+0x243/0x290 [ 70.719721][ T3699] ? __ia32_sys_open+0x270/0x270 [ 70.724671][ T3699] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 70.730661][ T3699] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 70.736650][ T3699] do_syscall_64+0x3d/0xb0 [ 70.741058][ T3699] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 70.746947][ T3699] RIP: 0033:0x7fc8868064d9 [ 70.751363][ T3699] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 70.770969][ T3699] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 70.779409][ T3699] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 70.787386][ T3699] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 70.795348][ T3699] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3699] <... openat resumed>) = ? [pid 3699] +++ exited with 0 +++ [pid 3698] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3698, si_uid=0, si_status=0, si_utime=1, si_stime=29} --- umount2("./22", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./22/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./22/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./22/binderfs") = 0 [ 70.803316][ T3699] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 70.811295][ T3699] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 70.819311][ T3699] umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./22/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./22/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./22") = 0 mkdir("./23", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3701 ./strace-static-x86_64: Process 3701 attached [pid 3701] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3701] chdir("./23") = 0 [pid 3701] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3701] setpgid(0, 0) = 0 [pid 3701] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3701] write(3, "1000", 4) = 4 [pid 3701] close(3) = 0 [pid 3701] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3701] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3701] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3701] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3701] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3702], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3702 [pid 3701] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3701] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3702 attached [pid 3702] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3702] memfd_create("syzkaller", 0) = 3 [pid 3702] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3702] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3702] munmap(0x7fc87e392000, 16777216) = 0 [pid 3702] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3702] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3702] close(3) = 0 [pid 3702] mkdir("./file0", 0777) = 0 [ 71.103633][ T3702] loop0: detected capacity change from 0 to 32768 [ 71.113853][ T3702] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 71.122335][ T3702] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 71.132524][ T3702] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 71.141498][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 71.148263][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3702] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3702] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3702] chdir("./file0") = 0 [pid 3702] ioctl(4, LOOP_CLR_FD) = 0 [pid 3702] close(4) = 0 [pid 3702] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3702] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3701] <... futex resumed>) = 0 [pid 3701] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3701] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3702] <... futex resumed>) = 0 [pid 3702] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3702] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3701] <... futex resumed>) = 0 [pid 3701] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3701] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3702] <... futex resumed>) = 1 [ 71.183249][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 71.192031][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 71.197294][ T3702] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3702] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3701] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3701] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3701] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3701] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3701] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3703], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3703 [pid 3701] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 71.226705][ T3702] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 71.235617][ T3702] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 71.235617][ T3702] inode = 12 2341 [ 71.235617][ T3702] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 71.254866][ T3702] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 71.264461][ T3702] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3702 [syz-executor337] __gfs2_lookup+0x8c/0x260 ./strace-static-x86_64: Process 3703 attached [pid 3703] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 71.279898][ T3702] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 71.290986][ T3703] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 71.291567][ T3702] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 71.299358][ T3703] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 71.299391][ T3703] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3702 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 71.307170][ T3702] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 71.335165][ T3702] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 71.341921][ T3703] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3703 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 71.342295][ T3702] gfs2: fsid=syz:syz.0: File system withdrawn [ 71.358585][ T3702] CPU: 1 PID: 3702 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 71.369010][ T3702] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 71.370172][ T3703] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 71.379050][ T3702] Call Trace: [ 71.379060][ T3702] [ 71.393654][ T3702] dump_stack_lvl+0x1b1/0x28e [ 71.398330][ T3702] ? nf_tcp_handle_invalid+0x62e/0x62e [ 71.403779][ T3702] ? panic+0x710/0x710 [ 71.407839][ T3702] ? kobject_uevent_env+0x46b/0x8e0 [ 71.413028][ T3702] ? do_raw_spin_unlock+0x134/0x8a0 [ 71.418226][ T3702] gfs2_withdraw+0xf33/0x1540 [ 71.422906][ T3702] ? gfs2_lm+0x220/0x220 [ 71.427151][ T3702] ? gfs2_dirent_scan+0xb6/0x650 [ 71.432085][ T3702] ? panic+0x710/0x710 [ 71.436149][ T3702] ? gfs2_permission+0x2ff/0x430 [ 71.441085][ T3702] ? gfs2_consist_inode_i+0xf3/0x110 [ 71.446364][ T3702] gfs2_dirent_scan+0x535/0x650 [ 71.451216][ T3702] ? gfs2_dirent_search+0xb10/0xb10 [ 71.456434][ T3702] gfs2_dirent_search+0x2ea/0xb10 [ 71.461459][ T3702] ? gfs2_dirent_search+0xb10/0xb10 [ 71.466656][ T3702] ? gfs2_dir_search+0x2a0/0x2a0 [ 71.471587][ T3702] ? gfs2_permission+0x3bf/0x430 [ 71.476524][ T3702] gfs2_dir_search+0x8c/0x2a0 [ 71.481206][ T3702] ? do_filldir_main+0x530/0x530 [ 71.486138][ T3702] ? inode_go_held+0xe4/0x1f0 [ 71.490812][ T3702] ? gfs2_glock_wait+0x213/0x2a0 [ 71.495744][ T3702] gfs2_lookupi+0x465/0x650 [ 71.500246][ T3702] ? gfs2_lookup_simple+0x170/0x170 [ 71.505438][ T3702] ? __gfs2_lookup+0x8c/0x260 [ 71.510122][ T3702] __gfs2_lookup+0x8c/0x260 [ 71.514623][ T3702] ? gfs2_atomic_open+0x230/0x230 [ 71.519648][ T3702] ? __d_lookup+0x6a4/0x770 [ 71.524140][ T3702] ? d_hash_and_lookup+0x1c0/0x1c0 [ 71.529242][ T3702] gfs2_atomic_open+0xa4/0x230 [ 71.534002][ T3702] path_openat+0xf39/0x2df0 [ 71.538501][ T3702] ? gfs2_rename2+0x3000/0x3000 [ 71.543359][ T3702] ? do_filp_open+0x4f0/0x4f0 [ 71.548043][ T3702] do_filp_open+0x264/0x4f0 [ 71.552540][ T3702] ? vfs_tmpfile+0x490/0x490 [ 71.557131][ T3702] ? do_raw_spin_unlock+0x134/0x8a0 [ 71.562329][ T3702] ? _raw_spin_unlock+0x24/0x40 [ 71.567174][ T3702] ? alloc_fd+0x5a7/0x640 [ 71.571507][ T3702] do_sys_openat2+0x124/0x4e0 [ 71.576178][ T3702] ? print_irqtrace_events+0x220/0x220 [ 71.581645][ T3702] ? ptrace_stop+0x74d/0x970 [ 71.586261][ T3702] ? do_sys_open+0x220/0x220 [ 71.590858][ T3702] ? lockdep_hardirqs_on+0x8d/0x130 [ 71.596093][ T3702] ? _raw_spin_unlock_irq+0x2a/0x40 [ 71.601295][ T3702] ? ptrace_notify+0x245/0x340 [ 71.606053][ T3702] __x64_sys_openat+0x243/0x290 [ 71.610901][ T3702] ? __ia32_sys_open+0x270/0x270 [ 71.615834][ T3702] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 71.621812][ T3702] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 71.627785][ T3702] do_syscall_64+0x3d/0xb0 [ 71.632196][ T3702] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 71.638080][ T3702] RIP: 0033:0x7fc8868064d9 [ 71.642490][ T3702] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 71.662086][ T3702] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 71.670487][ T3702] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3703] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3702] <... openat resumed>) = -1 EIO (Input/output error) [pid 3702] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3702] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3703] <... openat resumed>) = -1 EIO (Input/output error) [pid 3703] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3701] exit_group(0 [pid 3702] <... futex resumed>) = ? [pid 3701] <... exit_group resumed>) = ? [pid 3702] +++ exited with 0 +++ [pid 3703] +++ exited with 0 +++ [pid 3701] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3701, si_uid=0, si_status=0, si_utime=1, si_stime=35} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./23", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [ 71.678450][ T3702] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 71.690491][ T3702] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 71.698452][ T3702] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 71.706410][ T3702] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 71.714402][ T3702] fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./23/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./23/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./23/binderfs") = 0 umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./23/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./23/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./23") = 0 mkdir("./24", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3705 ./strace-static-x86_64: Process 3705 attached [pid 3705] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3705] chdir("./24") = 0 [pid 3705] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3705] setpgid(0, 0) = 0 [pid 3705] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3705] write(3, "1000", 4) = 4 [pid 3705] close(3) = 0 [pid 3705] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3705] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3705] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3705] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3705] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3706], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3706 [pid 3705] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3705] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3706 attached [pid 3706] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3706] memfd_create("syzkaller", 0) = 3 [pid 3706] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3706] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3706] munmap(0x7fc87e392000, 16777216) = 0 [pid 3706] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3706] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3706] close(3) = 0 [pid 3706] mkdir("./file0", 0777) = 0 [ 72.307448][ T3706] loop0: detected capacity change from 0 to 32768 [ 72.319123][ T3706] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 72.327670][ T3706] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 72.337020][ T3706] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 72.345659][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 72.352544][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3706] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3706] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3706] chdir("./file0") = 0 [pid 3706] ioctl(4, LOOP_CLR_FD) = 0 [pid 3706] close(4) = 0 [pid 3706] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3706] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3705] <... futex resumed>) = 0 [pid 3705] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3705] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3706] <... futex resumed>) = 0 [pid 3706] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3706] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3705] <... futex resumed>) = 0 [pid 3705] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3705] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3706] <... futex resumed>) = 1 [ 72.393533][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 72.402729][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 72.408253][ T3706] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 72.438783][ T3706] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 72.447458][ T3706] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 72.447458][ T3706] inode = 12 2341 [ 72.447458][ T3706] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 72.466311][ T3706] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 72.475424][ T3706] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3706 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3706] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3705] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3705] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3705] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3705] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3705] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3707], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3707 [pid 3705] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3707 attached [pid 3707] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3707] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3707] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 72.485700][ T3706] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 72.494191][ T3706] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 72.503469][ T3706] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 72.512308][ T3706] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 72.518855][ T3706] gfs2: fsid=syz:syz.0: File system withdrawn [ 72.524985][ T3706] CPU: 1 PID: 3706 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 72.535497][ T3706] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 72.545554][ T3706] Call Trace: [ 72.548826][ T3706] [ 72.551750][ T3706] dump_stack_lvl+0x1b1/0x28e [ 72.556434][ T3706] ? nf_tcp_handle_invalid+0x62e/0x62e [ 72.561909][ T3706] ? panic+0x710/0x710 [ 72.565983][ T3706] ? kobject_uevent_env+0x46b/0x8e0 [ 72.571168][ T3706] ? do_raw_spin_unlock+0x134/0x8a0 [ 72.576376][ T3706] gfs2_withdraw+0xf33/0x1540 [ 72.581071][ T3706] ? gfs2_lm+0x220/0x220 [ 72.585299][ T3706] ? gfs2_dirent_scan+0xb6/0x650 [ 72.590249][ T3706] ? panic+0x710/0x710 [ 72.594320][ T3706] ? gfs2_permission+0x2ff/0x430 [ 72.599248][ T3706] ? gfs2_consist_inode_i+0xf3/0x110 [ 72.604540][ T3706] gfs2_dirent_scan+0x535/0x650 [ 72.609468][ T3706] ? gfs2_dirent_search+0xb10/0xb10 [ 72.614679][ T3706] gfs2_dirent_search+0x2ea/0xb10 [ 72.619714][ T3706] ? gfs2_dirent_search+0xb10/0xb10 [ 72.624936][ T3706] ? gfs2_dir_search+0x2a0/0x2a0 [ 72.629869][ T3706] ? gfs2_permission+0x3bf/0x430 [ 72.634805][ T3706] gfs2_dir_search+0x8c/0x2a0 [ 72.639479][ T3706] ? do_filldir_main+0x530/0x530 [ 72.644413][ T3706] ? inode_go_held+0xe4/0x1f0 [ 72.649085][ T3706] ? gfs2_glock_wait+0x213/0x2a0 [ 72.654012][ T3706] gfs2_lookupi+0x465/0x650 [ 72.658515][ T3706] ? gfs2_lookup_simple+0x170/0x170 [ 72.663717][ T3706] ? __gfs2_lookup+0x8c/0x260 [ 72.668408][ T3706] __gfs2_lookup+0x8c/0x260 [ 72.672905][ T3706] ? gfs2_atomic_open+0x230/0x230 [ 72.677927][ T3706] ? __d_lookup+0x6a4/0x770 [ 72.682421][ T3706] ? d_hash_and_lookup+0x1c0/0x1c0 [ 72.687525][ T3706] gfs2_atomic_open+0xa4/0x230 [ 72.692285][ T3706] path_openat+0xf39/0x2df0 [ 72.696789][ T3706] ? gfs2_rename2+0x3000/0x3000 [ 72.701734][ T3706] ? do_filp_open+0x4f0/0x4f0 [ 72.706435][ T3706] do_filp_open+0x264/0x4f0 [ 72.710930][ T3706] ? vfs_tmpfile+0x490/0x490 [ 72.715521][ T3706] ? do_raw_spin_unlock+0x134/0x8a0 [ 72.720771][ T3706] ? _raw_spin_unlock+0x24/0x40 [ 72.725671][ T3706] ? alloc_fd+0x5a7/0x640 [ 72.730048][ T3706] do_sys_openat2+0x124/0x4e0 [ 72.734748][ T3706] ? print_irqtrace_events+0x220/0x220 [ 72.740320][ T3706] ? ptrace_stop+0x74d/0x970 [ 72.745005][ T3706] ? do_sys_open+0x220/0x220 [ 72.749605][ T3706] ? lockdep_hardirqs_on+0x8d/0x130 [ 72.754811][ T3706] ? _raw_spin_unlock_irq+0x2a/0x40 [ 72.760006][ T3706] ? ptrace_notify+0x245/0x340 [ 72.764777][ T3706] __x64_sys_openat+0x243/0x290 [ 72.769626][ T3706] ? __ia32_sys_open+0x270/0x270 [ 72.774746][ T3706] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 72.780899][ T3706] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 72.786985][ T3706] do_syscall_64+0x3d/0xb0 [ 72.791396][ T3706] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 72.797454][ T3706] RIP: 0033:0x7fc8868064d9 [ 72.801883][ T3706] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 72.821571][ T3706] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 72.829981][ T3706] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3707] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3706] <... openat resumed>) = -1 EIO (Input/output error) [pid 3706] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3706] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3705] exit_group(0 [pid 3707] <... futex resumed>) = ? [pid 3705] <... exit_group resumed>) = ? [pid 3707] +++ exited with 0 +++ [pid 3706] <... futex resumed>) = ? [pid 3706] +++ exited with 0 +++ [pid 3705] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3705, si_uid=0, si_status=0, si_utime=3, si_stime=33} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./24", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./24/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./24/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./24/binderfs") = 0 [ 72.837957][ T3706] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 72.846012][ T3706] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 72.853986][ T3706] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 72.861965][ T3706] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 72.869972][ T3706] umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./24/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./24/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./24") = 0 mkdir("./25", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3708 ./strace-static-x86_64: Process 3708 attached [pid 3708] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3708] chdir("./25") = 0 [pid 3708] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3708] setpgid(0, 0) = 0 [pid 3708] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3708] write(3, "1000", 4) = 4 [pid 3708] close(3) = 0 [pid 3708] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3708] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3708] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3708] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3708] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3709 attached , parent_tid=[3709], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3709 [pid 3708] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3708] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3709] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3709] memfd_create("syzkaller", 0) = 3 [pid 3709] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3709] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3709] munmap(0x7fc87e392000, 16777216) = 0 [pid 3709] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3709] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3709] close(3) = 0 [pid 3709] mkdir("./file0", 0777) = 0 [ 73.188850][ T3709] loop0: detected capacity change from 0 to 32768 [ 73.198696][ T3709] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 73.207265][ T3709] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 73.217102][ T3709] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 73.226286][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 73.233408][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3709] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3709] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3709] chdir("./file0") = 0 [pid 3709] ioctl(4, LOOP_CLR_FD) = 0 [pid 3709] close(4) = 0 [pid 3709] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3708] <... futex resumed>) = 0 [pid 3708] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3708] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3709] <... futex resumed>) = 1 [pid 3709] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3709] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3708] <... futex resumed>) = 0 [pid 3708] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3708] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3709] <... futex resumed>) = 1 [ 73.269877][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 73.277784][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 73.283562][ T3709] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 73.299974][ T3709] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 73.309042][ T3709] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 73.309042][ T3709] inode = 12 2341 [pid 3709] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3708] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3708] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3708] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3708] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3708] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3710], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3710 [pid 3708] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 73.309042][ T3709] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 73.328729][ T3709] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 73.338412][ T3709] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3709 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 73.348950][ T3709] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 73.360617][ T3709] gfs2: fsid=syz:syz.0: about to withdraw this file system ./strace-static-x86_64: Process 3710 attached [pid 3710] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3710] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3710] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 73.368491][ T3709] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 73.377404][ T3709] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 73.384111][ T3709] gfs2: fsid=syz:syz.0: File system withdrawn [ 73.390246][ T3709] CPU: 0 PID: 3709 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 73.400666][ T3709] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 73.410726][ T3709] Call Trace: [ 73.414007][ T3709] [ 73.416938][ T3709] dump_stack_lvl+0x1b1/0x28e [ 73.421616][ T3709] ? nf_tcp_handle_invalid+0x62e/0x62e [ 73.427178][ T3709] ? panic+0x710/0x710 [ 73.431256][ T3709] ? kobject_uevent_env+0x46b/0x8e0 [ 73.436459][ T3709] ? do_raw_spin_unlock+0x134/0x8a0 [ 73.441685][ T3709] gfs2_withdraw+0xf33/0x1540 [ 73.446383][ T3709] ? gfs2_lm+0x220/0x220 [ 73.450789][ T3709] ? gfs2_dirent_scan+0xb6/0x650 [ 73.455720][ T3709] ? panic+0x710/0x710 [ 73.459778][ T3709] ? gfs2_permission+0x2ff/0x430 [ 73.464722][ T3709] ? gfs2_consist_inode_i+0xf3/0x110 [ 73.470021][ T3709] gfs2_dirent_scan+0x535/0x650 [ 73.474897][ T3709] ? gfs2_dirent_search+0xb10/0xb10 [ 73.480185][ T3709] gfs2_dirent_search+0x2ea/0xb10 [ 73.485223][ T3709] ? gfs2_dirent_search+0xb10/0xb10 [ 73.490418][ T3709] ? gfs2_dir_search+0x2a0/0x2a0 [ 73.495374][ T3709] ? gfs2_permission+0x3bf/0x430 [ 73.500335][ T3709] gfs2_dir_search+0x8c/0x2a0 [ 73.505024][ T3709] ? do_filldir_main+0x530/0x530 [ 73.509958][ T3709] ? inode_go_held+0xe4/0x1f0 [ 73.514632][ T3709] ? gfs2_glock_wait+0x213/0x2a0 [ 73.519570][ T3709] gfs2_lookupi+0x465/0x650 [ 73.524074][ T3709] ? gfs2_lookup_simple+0x170/0x170 [ 73.529266][ T3709] ? __gfs2_lookup+0x8c/0x260 [ 73.533942][ T3709] __gfs2_lookup+0x8c/0x260 [ 73.538439][ T3709] ? gfs2_atomic_open+0x230/0x230 [ 73.543460][ T3709] ? __d_lookup+0x6a4/0x770 [ 73.547956][ T3709] ? d_hash_and_lookup+0x1c0/0x1c0 [ 73.553061][ T3709] gfs2_atomic_open+0xa4/0x230 [ 73.557822][ T3709] path_openat+0xf39/0x2df0 [ 73.562320][ T3709] ? gfs2_rename2+0x3000/0x3000 [ 73.567181][ T3709] ? do_filp_open+0x4f0/0x4f0 [ 73.571861][ T3709] do_filp_open+0x264/0x4f0 [ 73.576356][ T3709] ? vfs_tmpfile+0x490/0x490 [ 73.580944][ T3709] ? do_raw_spin_unlock+0x134/0x8a0 [ 73.586140][ T3709] ? _raw_spin_unlock+0x24/0x40 [ 73.590985][ T3709] ? alloc_fd+0x5a7/0x640 [ 73.595318][ T3709] do_sys_openat2+0x124/0x4e0 [ 73.599991][ T3709] ? print_irqtrace_events+0x220/0x220 [ 73.605437][ T3709] ? ptrace_stop+0x74d/0x970 [ 73.610022][ T3709] ? do_sys_open+0x220/0x220 [ 73.614690][ T3709] ? lockdep_hardirqs_on+0x8d/0x130 [ 73.619879][ T3709] ? _raw_spin_unlock_irq+0x2a/0x40 [ 73.625070][ T3709] ? ptrace_notify+0x245/0x340 [ 73.629842][ T3709] __x64_sys_openat+0x243/0x290 [ 73.634698][ T3709] ? __ia32_sys_open+0x270/0x270 [ 73.639642][ T3709] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 73.645636][ T3709] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 73.651613][ T3709] do_syscall_64+0x3d/0xb0 [ 73.656026][ T3709] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 73.661910][ T3709] RIP: 0033:0x7fc8868064d9 [ 73.666374][ T3709] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 73.685988][ T3709] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 73.694397][ T3709] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 73.702359][ T3709] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 73.710318][ T3709] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3710] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3709] <... openat resumed>) = -1 EIO (Input/output error) [pid 3709] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3709] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3708] exit_group(0 [pid 3709] <... futex resumed>) = ? [pid 3708] <... exit_group resumed>) = ? [pid 3709] +++ exited with 0 +++ [pid 3710] <... futex resumed>) = ? [pid 3710] +++ exited with 0 +++ [pid 3708] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3708, si_uid=0, si_status=0, si_utime=2, si_stime=30} --- umount2("./25", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./25/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./25/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./25/binderfs") = 0 [ 73.718279][ T3709] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 73.726239][ T3709] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 73.734214][ T3709] umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./25/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./25/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./25") = 0 mkdir("./26", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3711 ./strace-static-x86_64: Process 3711 attached [pid 3711] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3711] chdir("./26") = 0 [pid 3711] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3711] setpgid(0, 0) = 0 [pid 3711] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3711] write(3, "1000", 4) = 4 [pid 3711] close(3) = 0 [pid 3711] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3711] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3711] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3711] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3711] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3712 attached , parent_tid=[3712], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3712 [pid 3712] set_robust_list(0x7fc8867b29e0, 24 [pid 3711] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3711] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3712] <... set_robust_list resumed>) = 0 [pid 3712] memfd_create("syzkaller", 0) = 3 [pid 3712] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3712] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3712] munmap(0x7fc87e392000, 16777216) = 0 [pid 3712] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3712] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3712] close(3) = 0 [pid 3712] mkdir("./file0", 0777) = 0 [ 74.030554][ T3712] loop0: detected capacity change from 0 to 32768 [ 74.041591][ T3712] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 74.049930][ T3712] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 74.059837][ T3712] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 74.068699][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 74.075662][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3712] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3712] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3712] chdir("./file0") = 0 [pid 3712] ioctl(4, LOOP_CLR_FD) = 0 [pid 3712] close(4) = 0 [pid 3712] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3711] <... futex resumed>) = 0 [pid 3711] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3711] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3712] <... futex resumed>) = 1 [pid 3712] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3712] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3711] <... futex resumed>) = 0 [pid 3711] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3711] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3712] <... futex resumed>) = 1 [ 74.114911][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 74.122487][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 74.127736][ T3712] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 74.147593][ T3712] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 74.156432][ T3712] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3712] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3711] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3711] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 74.156432][ T3712] inode = 12 2341 [ 74.156432][ T3712] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 74.175633][ T3712] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 74.185102][ T3712] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3712 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 74.195472][ T3712] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 74.204755][ T3712] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3711] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3711] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3711] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3713], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3713 [pid 3711] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 74.212551][ T3712] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 74.222042][ T3712] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 74.228911][ T3712] gfs2: fsid=syz:syz.0: File system withdrawn [ 74.235528][ T3712] CPU: 0 PID: 3712 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 74.245977][ T3712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 74.256055][ T3712] Call Trace: [ 74.259344][ T3712] [ 74.262269][ T3712] dump_stack_lvl+0x1b1/0x28e [ 74.266944][ T3712] ? nf_tcp_handle_invalid+0x62e/0x62e [ 74.272408][ T3712] ? panic+0x710/0x710 [ 74.276486][ T3712] ? kobject_uevent_env+0x46b/0x8e0 [ 74.281686][ T3712] ? do_raw_spin_unlock+0x134/0x8a0 [ 74.286900][ T3712] gfs2_withdraw+0xf33/0x1540 [ 74.291591][ T3712] ? gfs2_lm+0x220/0x220 [ 74.295834][ T3712] ? gfs2_dirent_scan+0xb6/0x650 [ 74.300779][ T3712] ? panic+0x710/0x710 [ 74.304923][ T3712] ? gfs2_permission+0x2ff/0x430 [ 74.309871][ T3712] ? gfs2_consist_inode_i+0xf3/0x110 [ 74.315173][ T3712] gfs2_dirent_scan+0x535/0x650 [ 74.320042][ T3712] ? gfs2_dirent_search+0xb10/0xb10 [ 74.325257][ T3712] gfs2_dirent_search+0x2ea/0xb10 [ 74.330294][ T3712] ? gfs2_dirent_search+0xb10/0xb10 [ 74.335486][ T3712] ? gfs2_dir_search+0x2a0/0x2a0 [ 74.340420][ T3712] ? gfs2_permission+0x3bf/0x430 [ 74.345362][ T3712] gfs2_dir_search+0x8c/0x2a0 [ 74.350036][ T3712] ? do_filldir_main+0x530/0x530 [ 74.354967][ T3712] ? inode_go_held+0xe4/0x1f0 [ 74.359639][ T3712] ? gfs2_glock_wait+0x213/0x2a0 [ 74.364568][ T3712] gfs2_lookupi+0x465/0x650 [ 74.369073][ T3712] ? gfs2_lookup_simple+0x170/0x170 [ 74.374275][ T3712] ? __gfs2_lookup+0x8c/0x260 [ 74.378950][ T3712] __gfs2_lookup+0x8c/0x260 [ 74.383447][ T3712] ? gfs2_atomic_open+0x230/0x230 [ 74.388474][ T3712] ? __d_lookup+0x6a4/0x770 [ 74.392967][ T3712] ? d_hash_and_lookup+0x1c0/0x1c0 [ 74.398088][ T3712] gfs2_atomic_open+0xa4/0x230 [ 74.402852][ T3712] path_openat+0xf39/0x2df0 [ 74.407351][ T3712] ? gfs2_rename2+0x3000/0x3000 [ 74.412206][ T3712] ? do_filp_open+0x4f0/0x4f0 [ 74.416888][ T3712] do_filp_open+0x264/0x4f0 [ 74.421380][ T3712] ? vfs_tmpfile+0x490/0x490 [ 74.425970][ T3712] ? do_raw_spin_unlock+0x134/0x8a0 [ 74.431162][ T3712] ? _raw_spin_unlock+0x24/0x40 [ 74.436006][ T3712] ? alloc_fd+0x5a7/0x640 [ 74.440335][ T3712] do_sys_openat2+0x124/0x4e0 [ 74.445004][ T3712] ? print_irqtrace_events+0x220/0x220 [ 74.450452][ T3712] ? ptrace_stop+0x74d/0x970 [ 74.455036][ T3712] ? do_sys_open+0x220/0x220 [ 74.459619][ T3712] ? lockdep_hardirqs_on+0x8d/0x130 [ 74.464806][ T3712] ? _raw_spin_unlock_irq+0x2a/0x40 [ 74.469995][ T3712] ? ptrace_notify+0x245/0x340 [ 74.474748][ T3712] __x64_sys_openat+0x243/0x290 [ 74.479593][ T3712] ? __ia32_sys_open+0x270/0x270 [ 74.484524][ T3712] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 74.490499][ T3712] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 74.496486][ T3712] do_syscall_64+0x3d/0xb0 [ 74.500892][ T3712] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 74.506773][ T3712] RIP: 0033:0x7fc8868064d9 [ 74.511179][ T3712] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 74.530775][ T3712] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 74.539178][ T3712] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 74.547224][ T3712] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 74.555183][ T3712] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 ./strace-static-x86_64: Process 3713 attached [pid 3713] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3713] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3713] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3713] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3712] <... openat resumed>) = -1 EIO (Input/output error) [pid 3712] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3712] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3711] exit_group(0 [pid 3713] <... futex resumed>) = ? [pid 3712] <... futex resumed>) = ? [pid 3711] <... exit_group resumed>) = ? [pid 3713] +++ exited with 0 +++ [pid 3712] +++ exited with 0 +++ [pid 3711] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3711, si_uid=0, si_status=0, si_utime=3, si_stime=27} --- umount2("./26", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./26/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./26/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./26/binderfs") = 0 [ 74.563145][ T3712] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 74.571102][ T3712] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 74.579076][ T3712] umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./26/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./26/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./26") = 0 mkdir("./27", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3714 ./strace-static-x86_64: Process 3714 attached [pid 3714] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3714] chdir("./27") = 0 [pid 3714] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3714] setpgid(0, 0) = 0 [pid 3714] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3714] write(3, "1000", 4) = 4 [pid 3714] close(3) = 0 [pid 3714] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3714] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3714] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3714] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3714] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3715], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3715 ./strace-static-x86_64: Process 3715 attached [pid 3714] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3714] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3715] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3715] memfd_create("syzkaller", 0) = 3 [pid 3715] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3715] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3715] munmap(0x7fc87e392000, 16777216) = 0 [pid 3715] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3715] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3715] close(3) = 0 [pid 3715] mkdir("./file0", 0777) = 0 [ 74.892409][ T3715] loop0: detected capacity change from 0 to 32768 [ 74.903051][ T3715] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 74.911292][ T3715] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 74.921388][ T3715] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 74.929997][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 74.937138][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3715] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3715] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3715] chdir("./file0") = 0 [pid 3715] ioctl(4, LOOP_CLR_FD) = 0 [pid 3715] close(4) = 0 [pid 3715] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3714] <... futex resumed>) = 0 [pid 3714] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3714] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3715] <... futex resumed>) = 1 [pid 3715] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3715] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3714] <... futex resumed>) = 0 [pid 3714] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3714] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3715] <... futex resumed>) = 1 [ 74.970300][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 74.977977][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 74.988756][ T3715] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 75.004127][ T3715] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 75.013009][ T3715] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3715] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3714] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3714] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3714] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3714] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3714] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3716], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3716 [pid 3714] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3716 attached [pid 3716] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 75.013009][ T3715] inode = 12 2341 [ 75.013009][ T3715] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 75.032237][ T3715] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 75.041881][ T3715] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3715 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 75.052214][ T3715] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 75.056835][ T3716] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 75.062071][ T3715] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 75.069328][ T3716] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 75.076609][ T3715] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 75.085567][ T3716] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3715 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 75.094421][ T3715] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 75.104365][ T3716] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3716 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 75.112716][ T3715] gfs2: fsid=syz:syz.0: File system withdrawn [ 75.120939][ T3716] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 75.127169][ T3715] CPU: 1 PID: 3715 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 75.145638][ T3715] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 75.155688][ T3715] Call Trace: [ 75.158958][ T3715] [ 75.161887][ T3715] dump_stack_lvl+0x1b1/0x28e [ 75.166575][ T3715] ? nf_tcp_handle_invalid+0x62e/0x62e [ 75.172029][ T3715] ? panic+0x710/0x710 [ 75.176094][ T3715] ? kobject_uevent_env+0x46b/0x8e0 [ 75.181282][ T3715] ? do_raw_spin_unlock+0x134/0x8a0 [ 75.186473][ T3715] gfs2_withdraw+0xf33/0x1540 [ 75.191154][ T3715] ? gfs2_lm+0x220/0x220 [ 75.195387][ T3715] ? gfs2_dirent_scan+0xb6/0x650 [ 75.200316][ T3715] ? panic+0x710/0x710 [ 75.204371][ T3715] ? gfs2_permission+0x2ff/0x430 [ 75.209300][ T3715] ? gfs2_consist_inode_i+0xf3/0x110 [ 75.214575][ T3715] gfs2_dirent_scan+0x535/0x650 [pid 3716] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3714] exit_group(0) = ? [ 75.219456][ T3715] ? gfs2_dirent_search+0xb10/0xb10 [ 75.224647][ T3715] gfs2_dirent_search+0x2ea/0xb10 [ 75.229671][ T3715] ? gfs2_dirent_search+0xb10/0xb10 [ 75.234874][ T3715] ? gfs2_dir_search+0x2a0/0x2a0 [ 75.239820][ T3715] ? gfs2_permission+0x3bf/0x430 [ 75.244755][ T3715] gfs2_dir_search+0x8c/0x2a0 [ 75.249431][ T3715] ? do_filldir_main+0x530/0x530 [ 75.254366][ T3715] ? inode_go_held+0xe4/0x1f0 [ 75.259044][ T3715] ? gfs2_glock_wait+0x213/0x2a0 [ 75.263974][ T3715] gfs2_lookupi+0x465/0x650 [ 75.268473][ T3715] ? gfs2_lookup_simple+0x170/0x170 [ 75.273658][ T3715] ? __gfs2_lookup+0x8c/0x260 [ 75.278330][ T3715] __gfs2_lookup+0x8c/0x260 [ 75.282822][ T3715] ? gfs2_atomic_open+0x230/0x230 [ 75.287837][ T3715] ? __d_lookup+0x6a4/0x770 [ 75.292325][ T3715] ? d_hash_and_lookup+0x1c0/0x1c0 [ 75.297421][ T3715] gfs2_atomic_open+0xa4/0x230 [ 75.302182][ T3715] path_openat+0xf39/0x2df0 [ 75.306675][ T3715] ? gfs2_rename2+0x3000/0x3000 [ 75.311521][ T3715] ? do_filp_open+0x4f0/0x4f0 [ 75.316191][ T3715] do_filp_open+0x264/0x4f0 [ 75.320681][ T3715] ? vfs_tmpfile+0x490/0x490 [ 75.325289][ T3715] ? do_raw_spin_unlock+0x134/0x8a0 [ 75.330475][ T3715] ? _raw_spin_unlock+0x24/0x40 [ 75.335316][ T3715] ? alloc_fd+0x5a7/0x640 [ 75.339640][ T3715] do_sys_openat2+0x124/0x4e0 [ 75.344304][ T3715] ? print_irqtrace_events+0x220/0x220 [ 75.349743][ T3715] ? ptrace_stop+0x74d/0x970 [ 75.354317][ T3715] ? do_sys_open+0x220/0x220 [ 75.358893][ T3715] ? lockdep_hardirqs_on+0x8d/0x130 [ 75.364092][ T3715] ? _raw_spin_unlock_irq+0x2a/0x40 [ 75.369363][ T3715] ? ptrace_notify+0x245/0x340 [ 75.374112][ T3715] __x64_sys_openat+0x243/0x290 [ 75.378957][ T3715] ? __ia32_sys_open+0x270/0x270 [ 75.383883][ T3715] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 75.389849][ T3715] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 75.395817][ T3715] do_syscall_64+0x3d/0xb0 [ 75.400222][ T3715] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 75.406099][ T3715] RIP: 0033:0x7fc8868064d9 [ 75.410513][ T3715] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 75.430109][ T3715] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 75.438542][ T3715] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 75.446501][ T3715] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 75.454454][ T3715] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 75.462408][ T3715] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3716] <... openat resumed>) = ? [pid 3715] <... openat resumed>) = ? [pid 3715] +++ exited with 0 +++ [pid 3716] +++ exited with 0 +++ [pid 3714] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3714, si_uid=0, si_status=0, si_utime=2, si_stime=38} --- umount2("./27", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./27/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./27/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./27/binderfs") = 0 [ 75.470370][ T3715] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 75.478345][ T3715] umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./27/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./27/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./27") = 0 mkdir("./28", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3717 ./strace-static-x86_64: Process 3717 attached [pid 3717] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3717] chdir("./28") = 0 [pid 3717] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3717] setpgid(0, 0) = 0 [pid 3717] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3717] write(3, "1000", 4) = 4 [pid 3717] close(3) = 0 [pid 3717] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3717] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3717] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3717] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3717] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3718], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3718 [pid 3717] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3717] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3718 attached [pid 3718] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3718] memfd_create("syzkaller", 0) = 3 [pid 3718] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3718] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3718] munmap(0x7fc87e392000, 16777216) = 0 [pid 3718] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3718] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3718] close(3) = 0 [pid 3718] mkdir("./file0", 0777) = 0 [ 75.775407][ T3718] loop0: detected capacity change from 0 to 32768 [ 75.786299][ T3718] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 75.794771][ T3718] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 75.804959][ T3718] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 75.814080][ T151] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 75.821301][ T151] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3718] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3718] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3718] chdir("./file0") = 0 [pid 3718] ioctl(4, LOOP_CLR_FD) = 0 [pid 3718] close(4) = 0 [pid 3718] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3717] <... futex resumed>) = 0 [pid 3717] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3717] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3718] <... futex resumed>) = 1 [pid 3718] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3718] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3717] <... futex resumed>) = 0 [pid 3717] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3717] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3718] <... futex resumed>) = 1 [ 75.854343][ T151] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 75.862207][ T151] gfs2: fsid=syz:syz.0: jid=0: Done [ 75.867453][ T3718] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 75.897976][ T3718] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 75.906994][ T3718] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 75.906994][ T3718] inode = 12 2341 [ 75.906994][ T3718] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 75.926331][ T3718] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 75.935593][ T3718] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3718 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3718] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3717] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3717] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3717] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3717] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3717] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3719], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3719 [pid 3717] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3719 attached [pid 3719] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3719] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3719] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 75.945799][ T3718] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 75.955649][ T3718] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 75.963297][ T3718] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 75.972141][ T3718] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 75.978717][ T3718] gfs2: fsid=syz:syz.0: File system withdrawn [ 75.985005][ T3718] CPU: 0 PID: 3718 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 75.995432][ T3718] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 76.005486][ T3718] Call Trace: [ 76.008764][ T3718] [ 76.011687][ T3718] dump_stack_lvl+0x1b1/0x28e [ 76.016356][ T3718] ? nf_tcp_handle_invalid+0x62e/0x62e [ 76.021803][ T3718] ? panic+0x710/0x710 [ 76.025860][ T3718] ? kobject_uevent_env+0x46b/0x8e0 [ 76.031057][ T3718] ? do_raw_spin_unlock+0x134/0x8a0 [ 76.036265][ T3718] gfs2_withdraw+0xf33/0x1540 [ 76.040957][ T3718] ? gfs2_lm+0x220/0x220 [ 76.045195][ T3718] ? gfs2_dirent_scan+0xb6/0x650 [ 76.050148][ T3718] ? panic+0x710/0x710 [ 76.054213][ T3718] ? gfs2_permission+0x2ff/0x430 [ 76.059173][ T3718] ? gfs2_consist_inode_i+0xf3/0x110 [ 76.064479][ T3718] gfs2_dirent_scan+0x535/0x650 [ 76.069346][ T3718] ? gfs2_dirent_search+0xb10/0xb10 [ 76.074568][ T3718] gfs2_dirent_search+0x2ea/0xb10 [ 76.079700][ T3718] ? gfs2_dirent_search+0xb10/0xb10 [ 76.084922][ T3718] ? gfs2_dir_search+0x2a0/0x2a0 [ 76.089858][ T3718] ? gfs2_permission+0x3bf/0x430 [ 76.094814][ T3718] gfs2_dir_search+0x8c/0x2a0 [ 76.099506][ T3718] ? do_filldir_main+0x530/0x530 [ 76.104435][ T3718] ? inode_go_held+0xe4/0x1f0 [ 76.109105][ T3718] ? gfs2_glock_wait+0x213/0x2a0 [ 76.114034][ T3718] gfs2_lookupi+0x465/0x650 [ 76.118537][ T3718] ? gfs2_lookup_simple+0x170/0x170 [ 76.123733][ T3718] ? __gfs2_lookup+0x8c/0x260 [ 76.128408][ T3718] __gfs2_lookup+0x8c/0x260 [ 76.132908][ T3718] ? gfs2_atomic_open+0x230/0x230 [ 76.137930][ T3718] ? __d_lookup+0x6a4/0x770 [ 76.142423][ T3718] ? d_hash_and_lookup+0x1c0/0x1c0 [ 76.147528][ T3718] gfs2_atomic_open+0xa4/0x230 [ 76.152287][ T3718] path_openat+0xf39/0x2df0 [ 76.156786][ T3718] ? gfs2_rename2+0x3000/0x3000 [ 76.161643][ T3718] ? do_filp_open+0x4f0/0x4f0 [ 76.166325][ T3718] do_filp_open+0x264/0x4f0 [ 76.170821][ T3718] ? vfs_tmpfile+0x490/0x490 [ 76.175408][ T3718] ? do_raw_spin_unlock+0x134/0x8a0 [ 76.180602][ T3718] ? _raw_spin_unlock+0x24/0x40 [ 76.185533][ T3718] ? alloc_fd+0x5a7/0x640 [ 76.189866][ T3718] do_sys_openat2+0x124/0x4e0 [ 76.194533][ T3718] ? print_irqtrace_events+0x220/0x220 [ 76.199979][ T3718] ? ptrace_stop+0x74d/0x970 [ 76.204567][ T3718] ? do_sys_open+0x220/0x220 [ 76.209151][ T3718] ? lockdep_hardirqs_on+0x8d/0x130 [ 76.214340][ T3718] ? _raw_spin_unlock_irq+0x2a/0x40 [ 76.219531][ T3718] ? ptrace_notify+0x245/0x340 [ 76.224287][ T3718] __x64_sys_openat+0x243/0x290 [ 76.229131][ T3718] ? __ia32_sys_open+0x270/0x270 [ 76.234061][ T3718] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 76.240035][ T3718] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 76.246007][ T3718] do_syscall_64+0x3d/0xb0 [ 76.250414][ T3718] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 76.256297][ T3718] RIP: 0033:0x7fc8868064d9 [ 76.260702][ T3718] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 76.280313][ T3718] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 76.288718][ T3718] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3719] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3718] <... openat resumed>) = -1 EIO (Input/output error) [pid 3718] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3718] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3717] exit_group(0 [pid 3718] <... futex resumed>) = ? [pid 3717] <... exit_group resumed>) = ? [pid 3718] +++ exited with 0 +++ [pid 3719] <... futex resumed>) = ? [pid 3719] +++ exited with 0 +++ [pid 3717] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3717, si_uid=0, si_status=0, si_utime=1, si_stime=32} --- umount2("./28", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./28/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./28/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./28/binderfs") = 0 [ 76.296694][ T3718] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 76.304657][ T3718] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 76.312615][ T3718] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 76.320574][ T3718] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 76.328549][ T3718] [ 76.333168][ T14] cfg80211: failed to load regulatory.db umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./28/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./28/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./28") = 0 mkdir("./29", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3720 ./strace-static-x86_64: Process 3720 attached [pid 3720] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3720] chdir("./29") = 0 [pid 3720] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3720] setpgid(0, 0) = 0 [pid 3720] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3720] write(3, "1000", 4) = 4 [pid 3720] close(3) = 0 [pid 3720] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3720] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3720] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3720] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3720] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3721 attached , parent_tid=[3721], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3721 [pid 3720] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3721] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3720] <... futex resumed>) = 0 [pid 3720] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3721] memfd_create("syzkaller", 0) = 3 [pid 3721] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3721] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3721] munmap(0x7fc87e392000, 16777216) = 0 [pid 3721] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3721] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3721] close(3) = 0 [pid 3721] mkdir("./file0", 0777) = 0 [ 76.648342][ T3721] loop0: detected capacity change from 0 to 32768 [ 76.661054][ T3721] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 76.669218][ T3721] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 76.679313][ T3721] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 76.688141][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 76.695369][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3721] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3721] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3721] chdir("./file0") = 0 [pid 3721] ioctl(4, LOOP_CLR_FD) = 0 [pid 3721] close(4) = 0 [pid 3721] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3721] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3720] <... futex resumed>) = 0 [pid 3720] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3721] <... futex resumed>) = 0 [pid 3720] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3721] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3721] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3720] <... futex resumed>) = 0 [pid 3721] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3720] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 76.736219][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 76.744976][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 76.750536][ T3721] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 76.775263][ T3721] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3720] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 76.784137][ T3721] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 76.784137][ T3721] inode = 12 2341 [ 76.784137][ T3721] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 76.803303][ T3721] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 76.812693][ T3721] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3721 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 76.823162][ T3721] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3720] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3720] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3720] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3720] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3722], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3722 [pid 3720] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 3722 attached ) = 0 [pid 3722] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3722] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3722] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 76.832280][ T3721] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 76.839810][ T3721] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 76.851672][ T3721] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 76.859941][ T3721] gfs2: fsid=syz:syz.0: File system withdrawn [ 76.866140][ T3721] CPU: 0 PID: 3721 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 76.876560][ T3721] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 76.886626][ T3721] Call Trace: [ 76.889911][ T3721] [ 76.892839][ T3721] dump_stack_lvl+0x1b1/0x28e [ 76.897527][ T3721] ? nf_tcp_handle_invalid+0x62e/0x62e [ 76.902997][ T3721] ? panic+0x710/0x710 [ 76.907085][ T3721] ? kobject_uevent_env+0x46b/0x8e0 [ 76.912289][ T3721] ? do_raw_spin_unlock+0x134/0x8a0 [ 76.917485][ T3721] gfs2_withdraw+0xf33/0x1540 [ 76.922185][ T3721] ? gfs2_lm+0x220/0x220 [ 76.926443][ T3721] ? gfs2_dirent_scan+0xb6/0x650 [ 76.931392][ T3721] ? panic+0x710/0x710 [ 76.935448][ T3721] ? gfs2_permission+0x2ff/0x430 [ 76.940378][ T3721] ? gfs2_consist_inode_i+0xf3/0x110 [ 76.945675][ T3721] gfs2_dirent_scan+0x535/0x650 [ 76.950540][ T3721] ? gfs2_dirent_search+0xb10/0xb10 [ 76.955736][ T3721] gfs2_dirent_search+0x2ea/0xb10 [ 76.960765][ T3721] ? gfs2_dirent_search+0xb10/0xb10 [ 76.966015][ T3721] ? gfs2_dir_search+0x2a0/0x2a0 [ 76.970963][ T3721] ? gfs2_permission+0x3bf/0x430 [ 76.975914][ T3721] gfs2_dir_search+0x8c/0x2a0 [ 76.980608][ T3721] ? do_filldir_main+0x530/0x530 [ 76.985550][ T3721] ? inode_go_held+0xe4/0x1f0 [ 76.990238][ T3721] ? gfs2_glock_wait+0x213/0x2a0 [ 76.995179][ T3721] gfs2_lookupi+0x465/0x650 [ 76.999698][ T3721] ? gfs2_lookup_simple+0x170/0x170 [ 77.004900][ T3721] ? __gfs2_lookup+0x8c/0x260 [ 77.009592][ T3721] __gfs2_lookup+0x8c/0x260 [ 77.014090][ T3721] ? gfs2_atomic_open+0x230/0x230 [ 77.019108][ T3721] ? __d_lookup+0x6a4/0x770 [ 77.023601][ T3721] ? d_hash_and_lookup+0x1c0/0x1c0 [ 77.028707][ T3721] gfs2_atomic_open+0xa4/0x230 [ 77.033469][ T3721] path_openat+0xf39/0x2df0 [ 77.037984][ T3721] ? gfs2_rename2+0x3000/0x3000 [ 77.042860][ T3721] ? do_filp_open+0x4f0/0x4f0 [ 77.047559][ T3721] do_filp_open+0x264/0x4f0 [ 77.052066][ T3721] ? vfs_tmpfile+0x490/0x490 [ 77.056652][ T3721] ? do_raw_spin_unlock+0x134/0x8a0 [ 77.061934][ T3721] ? _raw_spin_unlock+0x24/0x40 [ 77.066786][ T3721] ? alloc_fd+0x5a7/0x640 [ 77.071148][ T3721] do_sys_openat2+0x124/0x4e0 [ 77.075847][ T3721] ? print_irqtrace_events+0x220/0x220 [ 77.081414][ T3721] ? ptrace_stop+0x74d/0x970 [ 77.086030][ T3721] ? do_sys_open+0x220/0x220 [ 77.090657][ T3721] ? lockdep_hardirqs_on+0x8d/0x130 [ 77.095901][ T3721] ? _raw_spin_unlock_irq+0x2a/0x40 [ 77.101131][ T3721] ? ptrace_notify+0x245/0x340 [ 77.105921][ T3721] __x64_sys_openat+0x243/0x290 [ 77.110814][ T3721] ? __ia32_sys_open+0x270/0x270 [ 77.115806][ T3721] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 77.121819][ T3721] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 77.127827][ T3721] do_syscall_64+0x3d/0xb0 [ 77.132279][ T3721] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 77.138197][ T3721] RIP: 0033:0x7fc8868064d9 [ 77.142629][ T3721] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 77.162260][ T3721] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 77.170698][ T3721] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 77.178680][ T3721] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3722] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3721] <... openat resumed>) = -1 EIO (Input/output error) [pid 3721] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3721] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3720] exit_group(0 [pid 3721] <... futex resumed>) = ? [pid 3720] <... exit_group resumed>) = ? [pid 3722] <... futex resumed>) = ? [pid 3721] +++ exited with 0 +++ [pid 3722] +++ exited with 0 +++ [pid 3720] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3720, si_uid=0, si_status=0, si_utime=2, si_stime=28} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./29", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./29/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./29/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./29/binderfs") = 0 [ 77.186644][ T3721] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 77.194607][ T3721] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 77.202568][ T3721] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 77.210563][ T3721] umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./29/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./29/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./29") = 0 mkdir("./30", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3723 ./strace-static-x86_64: Process 3723 attached [pid 3723] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3723] chdir("./30") = 0 [pid 3723] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3723] setpgid(0, 0) = 0 [pid 3723] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3723] write(3, "1000", 4) = 4 [pid 3723] close(3) = 0 [pid 3723] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3723] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3723] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3723] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3723] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3724 attached , parent_tid=[3724], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3724 [pid 3723] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3724] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3723] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3724] memfd_create("syzkaller", 0) = 3 [pid 3724] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3724] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3724] munmap(0x7fc87e392000, 16777216) = 0 [pid 3724] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3724] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3724] close(3) = 0 [pid 3724] mkdir("./file0", 0777) = 0 [ 77.532956][ T3724] loop0: detected capacity change from 0 to 32768 [ 77.545406][ T3724] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 77.553671][ T3724] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 77.562897][ T3724] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 77.571720][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 77.578506][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3724] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3724] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3724] chdir("./file0") = 0 [pid 3724] ioctl(4, LOOP_CLR_FD) = 0 [pid 3724] close(4) = 0 [pid 3724] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3723] <... futex resumed>) = 0 [pid 3724] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3723] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3724] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3723] <... futex resumed>) = 0 [pid 3724] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3723] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3724] <... futex resumed>) = 0 [pid 3723] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3724] openat(AT_FDCWD, "./file0", O_RDONLY [ 77.614305][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 77.623171][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 77.628424][ T3724] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3723] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 77.659642][ T3724] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 77.668272][ T3724] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 77.668272][ T3724] inode = 12 2341 [ 77.668272][ T3724] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 77.687874][ T3724] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 77.696967][ T3724] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3724 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3723] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3723] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3723] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3723] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3723] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3725], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3725 [pid 3723] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3725 attached [pid 3725] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3725] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3725] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 77.707225][ T3724] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 77.715783][ T3724] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 77.723252][ T3724] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 77.732111][ T3724] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 77.740764][ T3724] gfs2: fsid=syz:syz.0: File system withdrawn [ 77.746860][ T3724] CPU: 0 PID: 3724 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 77.757307][ T3724] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 77.767357][ T3724] Call Trace: [ 77.770639][ T3724] [ 77.773577][ T3724] dump_stack_lvl+0x1b1/0x28e [ 77.778249][ T3724] ? nf_tcp_handle_invalid+0x62e/0x62e [ 77.783711][ T3724] ? panic+0x710/0x710 [ 77.787836][ T3724] ? kobject_uevent_env+0x46b/0x8e0 [ 77.793036][ T3724] ? do_raw_spin_unlock+0x134/0x8a0 [ 77.798239][ T3724] gfs2_withdraw+0xf33/0x1540 [ 77.802945][ T3724] ? gfs2_lm+0x220/0x220 [ 77.807194][ T3724] ? gfs2_dirent_scan+0xb6/0x650 [ 77.812133][ T3724] ? panic+0x710/0x710 [ 77.816212][ T3724] ? gfs2_permission+0x2ff/0x430 [ 77.821155][ T3724] ? gfs2_consist_inode_i+0xf3/0x110 [ 77.826434][ T3724] gfs2_dirent_scan+0x535/0x650 [ 77.831284][ T3724] ? gfs2_dirent_search+0xb10/0xb10 [ 77.836481][ T3724] gfs2_dirent_search+0x2ea/0xb10 [ 77.841589][ T3724] ? gfs2_dirent_search+0xb10/0xb10 [ 77.846781][ T3724] ? gfs2_dir_search+0x2a0/0x2a0 [ 77.851712][ T3724] ? gfs2_permission+0x3bf/0x430 [ 77.856647][ T3724] gfs2_dir_search+0x8c/0x2a0 [ 77.861319][ T3724] ? do_filldir_main+0x530/0x530 [ 77.866254][ T3724] ? inode_go_held+0xe4/0x1f0 [ 77.870932][ T3724] ? gfs2_glock_wait+0x213/0x2a0 [ 77.875863][ T3724] gfs2_lookupi+0x465/0x650 [ 77.880369][ T3724] ? gfs2_lookup_simple+0x170/0x170 [ 77.885568][ T3724] ? __gfs2_lookup+0x8c/0x260 [ 77.890243][ T3724] __gfs2_lookup+0x8c/0x260 [ 77.894739][ T3724] ? gfs2_atomic_open+0x230/0x230 [ 77.899787][ T3724] ? __d_lookup+0x6a4/0x770 [ 77.904316][ T3724] ? d_hash_and_lookup+0x1c0/0x1c0 [ 77.909440][ T3724] gfs2_atomic_open+0xa4/0x230 [ 77.914214][ T3724] path_openat+0xf39/0x2df0 [ 77.918738][ T3724] ? gfs2_rename2+0x3000/0x3000 [ 77.923623][ T3724] ? do_filp_open+0x4f0/0x4f0 [ 77.928324][ T3724] do_filp_open+0x264/0x4f0 [ 77.932827][ T3724] ? vfs_tmpfile+0x490/0x490 [ 77.937435][ T3724] ? do_raw_spin_unlock+0x134/0x8a0 [ 77.942629][ T3724] ? _raw_spin_unlock+0x24/0x40 [ 77.947473][ T3724] ? alloc_fd+0x5a7/0x640 [ 77.951802][ T3724] do_sys_openat2+0x124/0x4e0 [ 77.956474][ T3724] ? print_irqtrace_events+0x220/0x220 [ 77.962013][ T3724] ? ptrace_stop+0x74d/0x970 [ 77.966596][ T3724] ? do_sys_open+0x220/0x220 [ 77.971178][ T3724] ? lockdep_hardirqs_on+0x8d/0x130 [ 77.976367][ T3724] ? _raw_spin_unlock_irq+0x2a/0x40 [ 77.981558][ T3724] ? ptrace_notify+0x245/0x340 [ 77.986312][ T3724] __x64_sys_openat+0x243/0x290 [ 77.991158][ T3724] ? __ia32_sys_open+0x270/0x270 [ 77.996139][ T3724] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 78.002135][ T3724] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 78.008108][ T3724] do_syscall_64+0x3d/0xb0 [ 78.012517][ T3724] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 78.018399][ T3724] RIP: 0033:0x7fc8868064d9 [ 78.022806][ T3724] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 78.042406][ T3724] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 78.050815][ T3724] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3725] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3724] <... openat resumed>) = -1 EIO (Input/output error) [pid 3724] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3724] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3723] exit_group(0 [pid 3725] <... futex resumed>) = ? [pid 3724] <... futex resumed>) = ? [pid 3723] <... exit_group resumed>) = ? [pid 3724] +++ exited with 0 +++ [pid 3725] +++ exited with 0 +++ [pid 3723] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3723, si_uid=0, si_status=0, si_utime=1, si_stime=29} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./30", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./30/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./30/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./30/binderfs") = 0 [ 78.058778][ T3724] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 78.066746][ T3724] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 78.074706][ T3724] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 78.082666][ T3724] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 78.090652][ T3724] umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./30/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./30/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./30") = 0 mkdir("./31", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3726 ./strace-static-x86_64: Process 3726 attached [pid 3726] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3726] chdir("./31") = 0 [pid 3726] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3726] setpgid(0, 0) = 0 [pid 3726] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3726] write(3, "1000", 4) = 4 [pid 3726] close(3) = 0 [pid 3726] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3726] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3726] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3726] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3726] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3727 attached [pid 3727] set_robust_list(0x7fc8867b29e0, 24 [pid 3726] <... clone resumed>, parent_tid=[3727], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3727 [pid 3727] <... set_robust_list resumed>) = 0 [pid 3726] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3726] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3727] memfd_create("syzkaller", 0) = 3 [pid 3727] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3727] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3727] munmap(0x7fc87e392000, 16777216) = 0 [pid 3727] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3727] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3727] close(3) = 0 [pid 3727] mkdir("./file0", 0777) = 0 [ 78.397680][ T3727] loop0: detected capacity change from 0 to 32768 [ 78.411655][ T3727] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 78.419932][ T3727] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 78.430632][ T3727] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 78.439740][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 78.446790][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3727] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3727] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3727] chdir("./file0") = 0 [pid 3727] ioctl(4, LOOP_CLR_FD) = 0 [pid 3727] close(4) = 0 [pid 3727] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3726] <... futex resumed>) = 0 [pid 3727] <... futex resumed>) = 1 [pid 3726] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3727] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3726] <... futex resumed>) = 0 [pid 3727] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3726] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3727] <... futex resumed>) = 0 [pid 3726] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3726] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3726] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 78.488371][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 78.497335][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 78.502721][ T3727] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3727] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3726] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3726] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3726] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3726] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [ 78.540881][ T3727] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 78.549333][ T3727] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 78.549333][ T3727] inode = 12 2341 [ 78.549333][ T3727] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 78.568670][ T3727] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 78.580220][ T3727] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3727 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3726] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3728], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3728 [pid 3726] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3728 attached [pid 3728] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 78.590624][ T3727] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 78.595793][ T3728] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 78.601259][ T3727] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 78.608894][ T3728] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 78.616202][ T3727] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 78.625063][ T3728] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3727 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 78.633959][ T3727] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 78.643786][ T3728] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3728 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 78.650350][ T3727] gfs2: fsid=syz:syz.0: File system withdrawn [ 78.661716][ T3728] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 78.666690][ T3727] CPU: 1 PID: 3727 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 78.684929][ T3727] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 78.695015][ T3727] Call Trace: [ 78.698295][ T3727] [ 78.701227][ T3727] dump_stack_lvl+0x1b1/0x28e [ 78.705920][ T3727] ? nf_tcp_handle_invalid+0x62e/0x62e [ 78.711381][ T3727] ? panic+0x710/0x710 [ 78.715468][ T3727] ? kobject_uevent_env+0x46b/0x8e0 [ 78.720671][ T3727] ? do_raw_spin_unlock+0x134/0x8a0 [ 78.726062][ T3727] gfs2_withdraw+0xf33/0x1540 [ 78.730782][ T3727] ? gfs2_lm+0x220/0x220 [ 78.735055][ T3727] ? gfs2_dirent_scan+0xb6/0x650 [ 78.740015][ T3727] ? panic+0x710/0x710 [ 78.744086][ T3727] ? gfs2_permission+0x2ff/0x430 [ 78.749048][ T3727] ? gfs2_consist_inode_i+0xf3/0x110 [ 78.754355][ T3727] gfs2_dirent_scan+0x535/0x650 [ 78.759225][ T3727] ? gfs2_dirent_search+0xb10/0xb10 [ 78.764449][ T3727] gfs2_dirent_search+0x2ea/0xb10 [ 78.769482][ T3727] ? gfs2_dirent_search+0xb10/0xb10 [ 78.774721][ T3727] ? gfs2_dir_search+0x2a0/0x2a0 [ 78.779681][ T3727] ? gfs2_permission+0x3bf/0x430 [ 78.784724][ T3727] gfs2_dir_search+0x8c/0x2a0 [pid 3728] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3726] exit_group(0) = ? [ 78.789427][ T3727] ? do_filldir_main+0x530/0x530 [ 78.794370][ T3727] ? inode_go_held+0xe4/0x1f0 [ 78.799075][ T3727] ? gfs2_glock_wait+0x213/0x2a0 [ 78.804030][ T3727] gfs2_lookupi+0x465/0x650 [ 78.808560][ T3727] ? gfs2_lookup_simple+0x170/0x170 [ 78.813766][ T3727] ? __gfs2_lookup+0x8c/0x260 [ 78.818471][ T3727] __gfs2_lookup+0x8c/0x260 [ 78.822993][ T3727] ? gfs2_atomic_open+0x230/0x230 [ 78.828039][ T3727] ? __d_lookup+0x6a4/0x770 [ 78.832558][ T3727] ? d_hash_and_lookup+0x1c0/0x1c0 [ 78.837675][ T3727] gfs2_atomic_open+0xa4/0x230 [ 78.842492][ T3727] path_openat+0xf39/0x2df0 [ 78.847000][ T3727] ? gfs2_rename2+0x3000/0x3000 [ 78.851869][ T3727] ? do_filp_open+0x4f0/0x4f0 [ 78.856550][ T3727] do_filp_open+0x264/0x4f0 [ 78.861046][ T3727] ? vfs_tmpfile+0x490/0x490 [ 78.865649][ T3727] ? do_raw_spin_unlock+0x134/0x8a0 [ 78.870875][ T3727] ? _raw_spin_unlock+0x24/0x40 [ 78.875747][ T3727] ? alloc_fd+0x5a7/0x640 [ 78.880287][ T3727] do_sys_openat2+0x124/0x4e0 [ 78.884983][ T3727] ? print_irqtrace_events+0x220/0x220 [ 78.890462][ T3727] ? ptrace_stop+0x74d/0x970 [ 78.895063][ T3727] ? do_sys_open+0x220/0x220 [ 78.899645][ T3727] ? lockdep_hardirqs_on+0x8d/0x130 [ 78.904834][ T3727] ? _raw_spin_unlock_irq+0x2a/0x40 [ 78.910035][ T3727] ? ptrace_notify+0x245/0x340 [ 78.914804][ T3727] __x64_sys_openat+0x243/0x290 [ 78.919746][ T3727] ? __ia32_sys_open+0x270/0x270 [ 78.924678][ T3727] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 78.930664][ T3727] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 78.936649][ T3727] do_syscall_64+0x3d/0xb0 [ 78.941060][ T3727] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 78.947209][ T3727] RIP: 0033:0x7fc8868064d9 [ 78.951635][ T3727] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 78.971238][ T3727] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 78.979650][ T3727] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3728] <... openat resumed>) = ? [pid 3727] <... openat resumed>) = ? [pid 3728] +++ exited with 0 +++ [pid 3727] +++ exited with 0 +++ [pid 3726] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3726, si_uid=0, si_status=0, si_utime=0, si_stime=39} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./31", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./31/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./31/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./31/binderfs") = 0 [ 78.987873][ T3727] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 78.995862][ T3727] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 79.003824][ T3727] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 79.011796][ T3727] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 79.019804][ T3727] umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./31/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./31/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./31") = 0 mkdir("./32", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3729 ./strace-static-x86_64: Process 3729 attached [pid 3729] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3729] chdir("./32") = 0 [pid 3729] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3729] setpgid(0, 0) = 0 [pid 3729] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3729] write(3, "1000", 4) = 4 [pid 3729] close(3) = 0 [pid 3729] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3729] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3729] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3729] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3729] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3730 attached , parent_tid=[3730], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3730 [pid 3729] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3730] set_robust_list(0x7fc8867b29e0, 24 [pid 3729] <... futex resumed>) = 0 [pid 3730] <... set_robust_list resumed>) = 0 [pid 3729] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3730] memfd_create("syzkaller", 0) = 3 [pid 3730] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3730] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3730] munmap(0x7fc87e392000, 16777216) = 0 [pid 3730] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3730] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3730] close(3) = 0 [pid 3730] mkdir("./file0", 0777) = 0 [ 79.330242][ T3730] loop0: detected capacity change from 0 to 32768 [ 79.342496][ T3730] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 79.351019][ T3730] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 79.360213][ T3730] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 79.368982][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 79.376271][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3730] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3730] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3730] chdir("./file0") = 0 [pid 3730] ioctl(4, LOOP_CLR_FD) = 0 [pid 3730] close(4) = 0 [pid 3730] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3729] <... futex resumed>) = 0 [pid 3729] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3729] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3730] <... futex resumed>) = 1 [pid 3730] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3730] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3729] <... futex resumed>) = 0 [pid 3729] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3729] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3730] <... futex resumed>) = 1 [ 79.410616][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 79.419313][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 79.424688][ T3730] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 79.443682][ T3730] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3730] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3729] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3729] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3729] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3729] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3729] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3731], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3731 [pid 3729] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3731 attached [ 79.455430][ T3730] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 79.455430][ T3730] inode = 12 2341 [ 79.455430][ T3730] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 79.475103][ T3730] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 79.484797][ T3730] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3730 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 79.495125][ T3730] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 79.503791][ T3730] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3731] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3731] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3731] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 79.511263][ T3730] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 79.521597][ T3730] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 79.528205][ T3730] gfs2: fsid=syz:syz.0: File system withdrawn [ 79.534588][ T3730] CPU: 0 PID: 3730 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 79.545017][ T3730] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 79.555079][ T3730] Call Trace: [ 79.558375][ T3730] [ 79.561323][ T3730] dump_stack_lvl+0x1b1/0x28e [ 79.566179][ T3730] ? nf_tcp_handle_invalid+0x62e/0x62e [ 79.571641][ T3730] ? panic+0x710/0x710 [ 79.575707][ T3730] ? kobject_uevent_env+0x46b/0x8e0 [ 79.580909][ T3730] ? do_raw_spin_unlock+0x134/0x8a0 [ 79.586127][ T3730] gfs2_withdraw+0xf33/0x1540 [ 79.590815][ T3730] ? gfs2_lm+0x220/0x220 [ 79.595057][ T3730] ? gfs2_dirent_scan+0xb6/0x650 [ 79.599992][ T3730] ? panic+0x710/0x710 [ 79.604051][ T3730] ? gfs2_permission+0x2ff/0x430 [ 79.608986][ T3730] ? gfs2_consist_inode_i+0xf3/0x110 [ 79.614263][ T3730] gfs2_dirent_scan+0x535/0x650 [ 79.619113][ T3730] ? gfs2_dirent_search+0xb10/0xb10 [ 79.624312][ T3730] gfs2_dirent_search+0x2ea/0xb10 [ 79.629340][ T3730] ? gfs2_dirent_search+0xb10/0xb10 [ 79.634534][ T3730] ? gfs2_dir_search+0x2a0/0x2a0 [ 79.639473][ T3730] ? gfs2_permission+0x3bf/0x430 [ 79.644583][ T3730] gfs2_dir_search+0x8c/0x2a0 [ 79.649257][ T3730] ? do_filldir_main+0x530/0x530 [ 79.654194][ T3730] ? inode_go_held+0xe4/0x1f0 [ 79.658866][ T3730] ? gfs2_glock_wait+0x213/0x2a0 [ 79.663795][ T3730] gfs2_lookupi+0x465/0x650 [ 79.668302][ T3730] ? gfs2_lookup_simple+0x170/0x170 [ 79.673492][ T3730] ? __gfs2_lookup+0x8c/0x260 [ 79.678166][ T3730] __gfs2_lookup+0x8c/0x260 [ 79.682664][ T3730] ? gfs2_atomic_open+0x230/0x230 [ 79.687683][ T3730] ? __d_lookup+0x6a4/0x770 [ 79.692175][ T3730] ? d_hash_and_lookup+0x1c0/0x1c0 [ 79.697276][ T3730] gfs2_atomic_open+0xa4/0x230 [ 79.702039][ T3730] path_openat+0xf39/0x2df0 [ 79.706539][ T3730] ? gfs2_rename2+0x3000/0x3000 [ 79.711394][ T3730] ? do_filp_open+0x4f0/0x4f0 [ 79.716074][ T3730] do_filp_open+0x264/0x4f0 [ 79.720568][ T3730] ? vfs_tmpfile+0x490/0x490 [ 79.725155][ T3730] ? do_raw_spin_unlock+0x134/0x8a0 [ 79.730350][ T3730] ? _raw_spin_unlock+0x24/0x40 [ 79.735196][ T3730] ? alloc_fd+0x5a7/0x640 [ 79.739565][ T3730] do_sys_openat2+0x124/0x4e0 [ 79.744583][ T3730] ? print_irqtrace_events+0x220/0x220 [ 79.750380][ T3730] ? ptrace_stop+0x74d/0x970 [ 79.754970][ T3730] ? do_sys_open+0x220/0x220 [ 79.759647][ T3730] ? lockdep_hardirqs_on+0x8d/0x130 [ 79.764962][ T3730] ? _raw_spin_unlock_irq+0x2a/0x40 [ 79.770176][ T3730] ? ptrace_notify+0x245/0x340 [ 79.775004][ T3730] __x64_sys_openat+0x243/0x290 [ 79.779859][ T3730] ? __ia32_sys_open+0x270/0x270 [ 79.784794][ T3730] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 79.790781][ T3730] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 79.796757][ T3730] do_syscall_64+0x3d/0xb0 [ 79.801256][ T3730] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 79.807316][ T3730] RIP: 0033:0x7fc8868064d9 [ 79.811736][ T3730] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 79.831334][ T3730] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 79.839827][ T3730] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 79.847788][ T3730] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3731] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3730] <... openat resumed>) = -1 EIO (Input/output error) [pid 3730] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3730] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3729] exit_group(0 [pid 3730] <... futex resumed>) = ? [pid 3729] <... exit_group resumed>) = ? [pid 3730] +++ exited with 0 +++ [pid 3731] <... futex resumed>) = ? [pid 3731] +++ exited with 0 +++ [pid 3729] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3729, si_uid=0, si_status=0, si_utime=2, si_stime=29} --- umount2("./32", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./32", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./32/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./32/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./32/binderfs") = 0 [ 79.855750][ T3730] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 79.863717][ T3730] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 79.871686][ T3730] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 79.879769][ T3730] umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./32/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./32/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./32/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./32") = 0 mkdir("./33", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3732 ./strace-static-x86_64: Process 3732 attached [pid 3732] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3732] chdir("./33") = 0 [pid 3732] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3732] setpgid(0, 0) = 0 [pid 3732] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3732] write(3, "1000", 4) = 4 [pid 3732] close(3) = 0 [pid 3732] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3732] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3732] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3732] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3732] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3733 attached , parent_tid=[3733], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3733 [pid 3733] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3733] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3732] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3733] <... futex resumed>) = 0 [pid 3732] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3733] memfd_create("syzkaller", 0) = 3 [pid 3733] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3733] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3733] munmap(0x7fc87e392000, 16777216) = 0 [pid 3733] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3733] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3733] close(3) = 0 [pid 3733] mkdir("./file0", 0777) = 0 [ 80.192653][ T3733] loop0: detected capacity change from 0 to 32768 [ 80.204671][ T3733] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 80.212916][ T3733] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 80.222904][ T3733] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 80.231515][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 80.238327][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3733] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3733] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3733] chdir("./file0") = 0 [pid 3733] ioctl(4, LOOP_CLR_FD) = 0 [pid 3733] close(4) = 0 [pid 3733] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3732] <... futex resumed>) = 0 [pid 3732] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3732] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3733] <... futex resumed>) = 1 [pid 3733] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3733] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3732] <... futex resumed>) = 0 [pid 3732] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3732] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3733] <... futex resumed>) = 1 [ 80.273961][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 80.281572][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 80.286803][ T3733] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 80.316377][ T3733] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 80.325854][ T3733] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 80.325854][ T3733] inode = 12 2341 [ 80.325854][ T3733] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 80.345136][ T3733] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 80.354729][ T3733] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3733 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3733] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3732] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3732] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3732] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3732] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3732] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3734], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3734 [pid 3732] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3734 attached [ 80.365111][ T3733] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 80.374275][ T3733] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 80.381876][ T3733] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 80.391151][ T3733] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 80.397745][ T3733] gfs2: fsid=syz:syz.0: File system withdrawn [ 80.404206][ T3733] CPU: 0 PID: 3733 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [pid 3734] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3734] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3734] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 80.414629][ T3733] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 80.424679][ T3733] Call Trace: [ 80.427959][ T3733] [ 80.430891][ T3733] dump_stack_lvl+0x1b1/0x28e [ 80.435573][ T3733] ? nf_tcp_handle_invalid+0x62e/0x62e [ 80.441043][ T3733] ? panic+0x710/0x710 [ 80.445141][ T3733] ? kobject_uevent_env+0x46b/0x8e0 [ 80.450435][ T3733] ? do_raw_spin_unlock+0x134/0x8a0 [ 80.455893][ T3733] gfs2_withdraw+0xf33/0x1540 [ 80.460591][ T3733] ? gfs2_lm+0x220/0x220 [ 80.464846][ T3733] ? gfs2_dirent_scan+0xb6/0x650 [ 80.469792][ T3733] ? panic+0x710/0x710 [ 80.473868][ T3733] ? gfs2_permission+0x2ff/0x430 [ 80.478821][ T3733] ? gfs2_consist_inode_i+0xf3/0x110 [ 80.484123][ T3733] gfs2_dirent_scan+0x535/0x650 [ 80.488998][ T3733] ? gfs2_dirent_search+0xb10/0xb10 [ 80.494209][ T3733] gfs2_dirent_search+0x2ea/0xb10 [ 80.499228][ T3733] ? gfs2_dirent_search+0xb10/0xb10 [ 80.504433][ T3733] ? gfs2_dir_search+0x2a0/0x2a0 [ 80.509382][ T3733] ? gfs2_permission+0x3bf/0x430 [ 80.514323][ T3733] gfs2_dir_search+0x8c/0x2a0 [ 80.519005][ T3733] ? do_filldir_main+0x530/0x530 [ 80.523939][ T3733] ? inode_go_held+0xe4/0x1f0 [ 80.528614][ T3733] ? gfs2_glock_wait+0x213/0x2a0 [ 80.533549][ T3733] gfs2_lookupi+0x465/0x650 [ 80.538054][ T3733] ? gfs2_lookup_simple+0x170/0x170 [ 80.543258][ T3733] ? __gfs2_lookup+0x8c/0x260 [ 80.547939][ T3733] __gfs2_lookup+0x8c/0x260 [ 80.552441][ T3733] ? gfs2_atomic_open+0x230/0x230 [ 80.557465][ T3733] ? __d_lookup+0x6a4/0x770 [ 80.561964][ T3733] ? d_hash_and_lookup+0x1c0/0x1c0 [ 80.567078][ T3733] gfs2_atomic_open+0xa4/0x230 [ 80.571841][ T3733] path_openat+0xf39/0x2df0 [ 80.576362][ T3733] ? gfs2_rename2+0x3000/0x3000 [ 80.581227][ T3733] ? do_filp_open+0x4f0/0x4f0 [ 80.585906][ T3733] do_filp_open+0x264/0x4f0 [ 80.590400][ T3733] ? vfs_tmpfile+0x490/0x490 [ 80.594990][ T3733] ? do_raw_spin_unlock+0x134/0x8a0 [ 80.600187][ T3733] ? _raw_spin_unlock+0x24/0x40 [ 80.605048][ T3733] ? alloc_fd+0x5a7/0x640 [ 80.609404][ T3733] do_sys_openat2+0x124/0x4e0 [ 80.614093][ T3733] ? print_irqtrace_events+0x220/0x220 [ 80.619552][ T3733] ? ptrace_stop+0x74d/0x970 [ 80.624137][ T3733] ? do_sys_open+0x220/0x220 [ 80.628719][ T3733] ? lockdep_hardirqs_on+0x8d/0x130 [ 80.633908][ T3733] ? _raw_spin_unlock_irq+0x2a/0x40 [ 80.639102][ T3733] ? ptrace_notify+0x245/0x340 [ 80.643860][ T3733] __x64_sys_openat+0x243/0x290 [ 80.648705][ T3733] ? __ia32_sys_open+0x270/0x270 [ 80.653671][ T3733] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 80.659648][ T3733] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 80.665624][ T3733] do_syscall_64+0x3d/0xb0 [ 80.670038][ T3733] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 80.675931][ T3733] RIP: 0033:0x7fc8868064d9 [ 80.680339][ T3733] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 80.699936][ T3733] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 80.708344][ T3733] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3734] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3733] <... openat resumed>) = -1 EIO (Input/output error) [pid 3733] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3733] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3732] exit_group(0 [pid 3733] <... futex resumed>) = ? [pid 3732] <... exit_group resumed>) = ? [pid 3733] +++ exited with 0 +++ [pid 3734] <... futex resumed>) = ? [pid 3734] +++ exited with 0 +++ [pid 3732] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3732, si_uid=0, si_status=0, si_utime=0, si_stime=30} --- umount2("./33", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./33", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./33/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./33/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./33/binderfs") = 0 [ 80.716306][ T3733] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 80.724265][ T3733] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 80.732250][ T3733] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 80.740224][ T3733] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 80.748218][ T3733] umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./33/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./33/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./33/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./33") = 0 mkdir("./34", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3735 ./strace-static-x86_64: Process 3735 attached [pid 3735] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3735] chdir("./34") = 0 [pid 3735] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3735] setpgid(0, 0) = 0 [pid 3735] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3735] write(3, "1000", 4) = 4 [pid 3735] close(3) = 0 [pid 3735] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3735] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3735] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3735] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3735] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3736], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3736 [pid 3735] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3735] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3736 attached [pid 3736] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3736] memfd_create("syzkaller", 0) = 3 [pid 3736] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3736] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3736] munmap(0x7fc87e392000, 16777216) = 0 [pid 3736] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3736] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3736] close(3) = 0 [pid 3736] mkdir("./file0", 0777) = 0 [ 81.075774][ T3736] loop0: detected capacity change from 0 to 32768 [ 81.086025][ T3736] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 81.094792][ T3736] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 81.104169][ T3736] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 81.112774][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 81.119552][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3736] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3736] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3736] chdir("./file0") = 0 [pid 3736] ioctl(4, LOOP_CLR_FD) = 0 [pid 3736] close(4) = 0 [pid 3736] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3735] <... futex resumed>) = 0 [pid 3735] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3735] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3736] <... futex resumed>) = 1 [pid 3736] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3736] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3735] <... futex resumed>) = 0 [pid 3735] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3735] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3736] <... futex resumed>) = 1 [ 81.157201][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 81.164809][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 81.170067][ T3736] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 81.184701][ T3736] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 81.193276][ T3736] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 81.193276][ T3736] inode = 12 2341 [pid 3736] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3735] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3735] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 81.193276][ T3736] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 81.212638][ T3736] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 81.222582][ T3736] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3736 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 81.233016][ T3736] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 81.241935][ T3736] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3735] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3735] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3735] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3737], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3737 [pid 3735] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3737 attached [pid 3737] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3737] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3737] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 81.249192][ T3736] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 81.258315][ T3736] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 81.265264][ T3736] gfs2: fsid=syz:syz.0: File system withdrawn [ 81.271660][ T3736] CPU: 0 PID: 3736 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 81.282184][ T3736] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 81.292246][ T3736] Call Trace: [ 81.295516][ T3736] [ 81.298450][ T3736] dump_stack_lvl+0x1b1/0x28e [ 81.303139][ T3736] ? nf_tcp_handle_invalid+0x62e/0x62e [ 81.308589][ T3736] ? panic+0x710/0x710 [ 81.312659][ T3736] ? kobject_uevent_env+0x46b/0x8e0 [ 81.317857][ T3736] ? do_raw_spin_unlock+0x134/0x8a0 [ 81.323060][ T3736] gfs2_withdraw+0xf33/0x1540 [ 81.327763][ T3736] ? gfs2_lm+0x220/0x220 [ 81.332034][ T3736] ? gfs2_dirent_scan+0xb6/0x650 [ 81.337058][ T3736] ? panic+0x710/0x710 [ 81.341121][ T3736] ? gfs2_permission+0x2ff/0x430 [ 81.346150][ T3736] ? gfs2_consist_inode_i+0xf3/0x110 [ 81.351434][ T3736] gfs2_dirent_scan+0x535/0x650 [ 81.356283][ T3736] ? gfs2_dirent_search+0xb10/0xb10 [ 81.361478][ T3736] gfs2_dirent_search+0x2ea/0xb10 [ 81.366501][ T3736] ? gfs2_dirent_search+0xb10/0xb10 [ 81.371771][ T3736] ? gfs2_dir_search+0x2a0/0x2a0 [ 81.376706][ T3736] ? gfs2_permission+0x3bf/0x430 [ 81.381644][ T3736] gfs2_dir_search+0x8c/0x2a0 [ 81.386320][ T3736] ? do_filldir_main+0x530/0x530 [ 81.391443][ T3736] ? inode_go_held+0xe4/0x1f0 [ 81.396157][ T3736] ? gfs2_glock_wait+0x213/0x2a0 [ 81.401101][ T3736] gfs2_lookupi+0x465/0x650 [ 81.405619][ T3736] ? gfs2_lookup_simple+0x170/0x170 [ 81.410815][ T3736] ? __gfs2_lookup+0x8c/0x260 [ 81.415579][ T3736] __gfs2_lookup+0x8c/0x260 [ 81.420078][ T3736] ? gfs2_atomic_open+0x230/0x230 [ 81.425121][ T3736] ? __d_lookup+0x6a4/0x770 [ 81.429615][ T3736] ? d_hash_and_lookup+0x1c0/0x1c0 [ 81.434721][ T3736] gfs2_atomic_open+0xa4/0x230 [ 81.439495][ T3736] path_openat+0xf39/0x2df0 [ 81.443997][ T3736] ? gfs2_rename2+0x3000/0x3000 [ 81.448855][ T3736] ? do_filp_open+0x4f0/0x4f0 [ 81.453538][ T3736] do_filp_open+0x264/0x4f0 [ 81.458033][ T3736] ? vfs_tmpfile+0x490/0x490 [ 81.462625][ T3736] ? do_raw_spin_unlock+0x134/0x8a0 [ 81.467822][ T3736] ? _raw_spin_unlock+0x24/0x40 [ 81.472680][ T3736] ? alloc_fd+0x5a7/0x640 [ 81.477018][ T3736] do_sys_openat2+0x124/0x4e0 [ 81.481687][ T3736] ? print_irqtrace_events+0x220/0x220 [ 81.487142][ T3736] ? ptrace_stop+0x74d/0x970 [ 81.491725][ T3736] ? do_sys_open+0x220/0x220 [ 81.496307][ T3736] ? lockdep_hardirqs_on+0x8d/0x130 [ 81.501584][ T3736] ? _raw_spin_unlock_irq+0x2a/0x40 [ 81.506775][ T3736] ? ptrace_notify+0x245/0x340 [ 81.511536][ T3736] __x64_sys_openat+0x243/0x290 [ 81.516381][ T3736] ? __ia32_sys_open+0x270/0x270 [ 81.521315][ T3736] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 81.527291][ T3736] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 81.533268][ T3736] do_syscall_64+0x3d/0xb0 [ 81.537678][ T3736] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 81.543560][ T3736] RIP: 0033:0x7fc8868064d9 [ 81.547966][ T3736] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 81.567566][ T3736] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 81.575970][ T3736] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 81.583929][ T3736] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 81.591915][ T3736] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 81.599962][ T3736] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3737] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3736] <... openat resumed>) = -1 EIO (Input/output error) [pid 3736] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3736] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3735] exit_group(0 [pid 3737] <... futex resumed>) = ? [pid 3736] <... futex resumed>) = ? [pid 3735] <... exit_group resumed>) = ? [pid 3737] +++ exited with 0 +++ [pid 3736] +++ exited with 0 +++ [pid 3735] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3735, si_uid=0, si_status=0, si_utime=3, si_stime=28} --- umount2("./34", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./34", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./34/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./34/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./34/binderfs") = 0 [ 81.607923][ T3736] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 81.616156][ T3736] umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./34/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./34/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./34/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./34") = 0 mkdir("./35", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3738 ./strace-static-x86_64: Process 3738 attached [pid 3738] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3738] chdir("./35") = 0 [pid 3738] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3738] setpgid(0, 0) = 0 [pid 3738] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3738] write(3, "1000", 4) = 4 [pid 3738] close(3) = 0 [pid 3738] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3738] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3738] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3738] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3738] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3739], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3739 [pid 3738] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3738] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3739 attached [pid 3739] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3739] memfd_create("syzkaller", 0) = 3 [pid 3739] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3739] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3739] munmap(0x7fc87e392000, 16777216) = 0 [pid 3739] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3739] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3739] close(3) = 0 [pid 3739] mkdir("./file0", 0777) = 0 [ 81.928163][ T3739] loop0: detected capacity change from 0 to 32768 [ 81.939739][ T3739] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 81.948239][ T3739] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 81.958628][ T3739] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 81.967628][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 81.974599][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3739] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3739] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3739] chdir("./file0") = 0 [pid 3739] ioctl(4, LOOP_CLR_FD) = 0 [pid 3739] close(4) = 0 [pid 3739] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3738] <... futex resumed>) = 0 [pid 3738] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3738] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3739] <... futex resumed>) = 1 [pid 3739] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3739] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3738] <... futex resumed>) = 0 [pid 3738] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3738] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3739] <... futex resumed>) = 1 [ 82.014462][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 82.022773][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 82.028273][ T3739] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 82.050269][ T3739] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3739] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3738] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3738] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3738] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3738] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3738] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3740], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3740 [pid 3738] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3740 attached [pid 3740] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 82.058824][ T3739] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 82.058824][ T3739] inode = 12 2341 [ 82.058824][ T3739] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 82.078297][ T3739] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 82.087637][ T3739] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3739 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 82.097869][ T3739] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 82.106601][ T3740] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 82.107385][ T3739] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 82.115778][ T3740] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 82.122726][ T3739] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 82.131911][ T3740] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3739 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 82.140487][ T3739] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 82.150183][ T3740] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3740 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 82.157090][ T3739] gfs2: fsid=syz:syz.0: File system withdrawn [ 82.168415][ T3740] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 82.173307][ T3739] CPU: 1 PID: 3739 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 82.191628][ T3739] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 82.201762][ T3739] Call Trace: [ 82.205031][ T3739] [ 82.207967][ T3739] dump_stack_lvl+0x1b1/0x28e [ 82.212638][ T3739] ? nf_tcp_handle_invalid+0x62e/0x62e [ 82.218088][ T3739] ? panic+0x710/0x710 [ 82.222150][ T3739] ? kobject_uevent_env+0x46b/0x8e0 [ 82.227341][ T3739] ? do_raw_spin_unlock+0x134/0x8a0 [ 82.232543][ T3739] gfs2_withdraw+0xf33/0x1540 [ 82.237226][ T3739] ? gfs2_lm+0x220/0x220 [ 82.241456][ T3739] ? gfs2_dirent_scan+0xb6/0x650 [ 82.246387][ T3739] ? panic+0x710/0x710 [ 82.250448][ T3739] ? gfs2_permission+0x2ff/0x430 [ 82.255383][ T3739] ? gfs2_consist_inode_i+0xf3/0x110 [ 82.260666][ T3739] gfs2_dirent_scan+0x535/0x650 [ 82.265517][ T3739] ? gfs2_dirent_search+0xb10/0xb10 [ 82.270718][ T3739] gfs2_dirent_search+0x2ea/0xb10 [ 82.275740][ T3739] ? gfs2_dirent_search+0xb10/0xb10 [ 82.280936][ T3739] ? gfs2_dir_search+0x2a0/0x2a0 [ 82.285871][ T3739] ? gfs2_permission+0x3bf/0x430 [ 82.290812][ T3739] gfs2_dir_search+0x8c/0x2a0 [ 82.295487][ T3739] ? do_filldir_main+0x530/0x530 [ 82.300421][ T3739] ? inode_go_held+0xe4/0x1f0 [ 82.305093][ T3739] ? gfs2_glock_wait+0x213/0x2a0 [ 82.310548][ T3739] gfs2_lookupi+0x465/0x650 [ 82.315051][ T3739] ? gfs2_lookup_simple+0x170/0x170 [ 82.320251][ T3739] ? __gfs2_lookup+0x8c/0x260 [ 82.324945][ T3739] __gfs2_lookup+0x8c/0x260 [ 82.329451][ T3739] ? gfs2_atomic_open+0x230/0x230 [ 82.334487][ T3739] ? __d_lookup+0x6a4/0x770 [ 82.338989][ T3739] ? d_hash_and_lookup+0x1c0/0x1c0 [ 82.344112][ T3739] gfs2_atomic_open+0xa4/0x230 [ 82.348882][ T3739] path_openat+0xf39/0x2df0 [ 82.353391][ T3739] ? gfs2_rename2+0x3000/0x3000 [ 82.358446][ T3739] ? do_filp_open+0x4f0/0x4f0 [ 82.363223][ T3739] do_filp_open+0x264/0x4f0 [ 82.367738][ T3739] ? vfs_tmpfile+0x490/0x490 [ 82.372331][ T3739] ? do_raw_spin_unlock+0x134/0x8a0 [ 82.377555][ T3739] ? _raw_spin_unlock+0x24/0x40 [ 82.382404][ T3739] ? alloc_fd+0x5a7/0x640 [ 82.386752][ T3739] do_sys_openat2+0x124/0x4e0 [ 82.391425][ T3739] ? print_irqtrace_events+0x220/0x220 [ 82.396874][ T3739] ? ptrace_stop+0x74d/0x970 [ 82.401460][ T3739] ? do_sys_open+0x220/0x220 [ 82.406047][ T3739] ? lockdep_hardirqs_on+0x8d/0x130 [ 82.411241][ T3739] ? _raw_spin_unlock_irq+0x2a/0x40 [ 82.416445][ T3739] ? ptrace_notify+0x245/0x340 [ 82.421201][ T3739] __x64_sys_openat+0x243/0x290 [ 82.426049][ T3739] ? __ia32_sys_open+0x270/0x270 [ 82.430982][ T3739] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 82.436968][ T3739] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 82.442947][ T3739] do_syscall_64+0x3d/0xb0 [ 82.447355][ T3739] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 82.453242][ T3739] RIP: 0033:0x7fc8868064d9 [ 82.457652][ T3739] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 82.477254][ T3739] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 82.485663][ T3739] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 82.493627][ T3739] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 82.501593][ T3739] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3740] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3739] <... openat resumed>) = -1 EIO (Input/output error) [pid 3739] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3739] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3740] <... openat resumed>) = -1 EIO (Input/output error) [pid 3740] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3740] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3738] exit_group(0 [pid 3739] <... futex resumed>) = ? [pid 3738] <... exit_group resumed>) = ? [pid 3739] +++ exited with 0 +++ [pid 3740] <... futex resumed>) = ? [pid 3740] +++ exited with 0 +++ [pid 3738] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3738, si_uid=0, si_status=0, si_utime=0, si_stime=39} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./35", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./35", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./35/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./35/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./35/binderfs") = 0 [ 82.509557][ T3739] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 82.517517][ T3739] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 82.525491][ T3739] umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./35/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./35/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./35/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./35") = 0 mkdir("./36", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3741 ./strace-static-x86_64: Process 3741 attached [pid 3741] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3741] chdir("./36") = 0 [pid 3741] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3741] setpgid(0, 0) = 0 [pid 3741] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3741] write(3, "1000", 4) = 4 [pid 3741] close(3) = 0 [pid 3741] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3741] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3741] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3741] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3741] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3742], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3742 [pid 3741] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3741] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3742 attached [pid 3742] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3742] memfd_create("syzkaller", 0) = 3 [pid 3742] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3742] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3742] munmap(0x7fc87e392000, 16777216) = 0 [pid 3742] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3742] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3742] close(3) = 0 [pid 3742] mkdir("./file0", 0777) = 0 [ 82.842846][ T3742] loop0: detected capacity change from 0 to 32768 [ 82.854900][ T3742] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 82.863149][ T3742] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 82.873265][ T3742] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 82.882243][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 82.889125][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3742] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3742] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3742] chdir("./file0") = 0 [pid 3742] ioctl(4, LOOP_CLR_FD) = 0 [pid 3742] close(4) = 0 [pid 3742] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3741] <... futex resumed>) = 0 [pid 3742] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3741] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3742] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3741] <... futex resumed>) = 0 [pid 3742] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3741] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3742] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3742] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3741] <... futex resumed>) = 0 [pid 3742] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3741] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3742] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3741] <... futex resumed>) = 0 [pid 3742] openat(AT_FDCWD, "./file0", O_RDONLY [ 82.922591][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 82.931558][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 82.936791][ T3742] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 82.975552][ T3742] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 82.985897][ T3742] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 82.985897][ T3742] inode = 12 2341 [ 82.985897][ T3742] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 83.005410][ T3742] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 83.014796][ T3742] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3742 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3741] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3741] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3741] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [ 83.024992][ T3742] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 83.033608][ T3742] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 83.040994][ T3742] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 83.049814][ T3742] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 83.057424][ T3742] gfs2: fsid=syz:syz.0: File system withdrawn [ 83.063867][ T3742] CPU: 0 PID: 3742 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 83.074389][ T3742] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 83.084474][ T3742] Call Trace: [ 83.087758][ T3742] [ 83.090683][ T3742] dump_stack_lvl+0x1b1/0x28e [ 83.095376][ T3742] ? nf_tcp_handle_invalid+0x62e/0x62e [ 83.100947][ T3742] ? panic+0x710/0x710 [ 83.105039][ T3742] ? kobject_uevent_env+0x46b/0x8e0 [ 83.110247][ T3742] ? do_raw_spin_unlock+0x134/0x8a0 [ 83.115533][ T3742] gfs2_withdraw+0xf33/0x1540 [ 83.120232][ T3742] ? gfs2_lm+0x220/0x220 [ 83.124495][ T3742] ? gfs2_dirent_scan+0xb6/0x650 [ 83.129454][ T3742] ? panic+0x710/0x710 [ 83.133651][ T3742] ? gfs2_permission+0x2ff/0x430 [ 83.138606][ T3742] ? gfs2_consist_inode_i+0xf3/0x110 [ 83.143909][ T3742] gfs2_dirent_scan+0x535/0x650 [ 83.148797][ T3742] ? gfs2_dirent_search+0xb10/0xb10 [ 83.154007][ T3742] gfs2_dirent_search+0x2ea/0xb10 [ 83.159208][ T3742] ? gfs2_dirent_search+0xb10/0xb10 [ 83.164403][ T3742] ? gfs2_dir_search+0x2a0/0x2a0 [ 83.169355][ T3742] ? gfs2_permission+0x3bf/0x430 [ 83.174312][ T3742] gfs2_dir_search+0x8c/0x2a0 [ 83.179013][ T3742] ? do_filldir_main+0x530/0x530 [ 83.183958][ T3742] ? inode_go_held+0xe4/0x1f0 [ 83.188633][ T3742] ? gfs2_glock_wait+0x213/0x2a0 [ 83.193565][ T3742] gfs2_lookupi+0x465/0x650 [ 83.198072][ T3742] ? gfs2_lookup_simple+0x170/0x170 [ 83.203275][ T3742] ? __gfs2_lookup+0x8c/0x260 [ 83.207954][ T3742] __gfs2_lookup+0x8c/0x260 [ 83.212454][ T3742] ? gfs2_atomic_open+0x230/0x230 [ 83.217476][ T3742] ? __d_lookup+0x6a4/0x770 [ 83.221970][ T3742] ? d_hash_and_lookup+0x1c0/0x1c0 [ 83.227077][ T3742] gfs2_atomic_open+0xa4/0x230 [ 83.231843][ T3742] path_openat+0xf39/0x2df0 [ 83.236344][ T3742] ? gfs2_rename2+0x3000/0x3000 [ 83.241204][ T3742] ? do_filp_open+0x4f0/0x4f0 [ 83.245979][ T3742] do_filp_open+0x264/0x4f0 [ 83.250476][ T3742] ? vfs_tmpfile+0x490/0x490 [ 83.255092][ T3742] ? do_raw_spin_unlock+0x134/0x8a0 [ 83.260383][ T3742] ? _raw_spin_unlock+0x24/0x40 [ 83.265230][ T3742] ? alloc_fd+0x5a7/0x640 [ 83.269564][ T3742] do_sys_openat2+0x124/0x4e0 [ 83.274239][ T3742] ? print_irqtrace_events+0x220/0x220 [ 83.279691][ T3742] ? ptrace_stop+0x74d/0x970 [ 83.284548][ T3742] ? do_sys_open+0x220/0x220 [ 83.289134][ T3742] ? lockdep_hardirqs_on+0x8d/0x130 [ 83.294325][ T3742] ? _raw_spin_unlock_irq+0x2a/0x40 [ 83.299528][ T3742] ? ptrace_notify+0x245/0x340 [ 83.304283][ T3742] __x64_sys_openat+0x243/0x290 [ 83.309161][ T3742] ? __ia32_sys_open+0x270/0x270 [ 83.314094][ T3742] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 83.320080][ T3742] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 83.326067][ T3742] do_syscall_64+0x3d/0xb0 [ 83.330479][ T3742] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 83.336371][ T3742] RIP: 0033:0x7fc8868064d9 [ 83.340778][ T3742] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 83.360387][ T3742] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 83.368813][ T3742] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3741] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE [pid 3742] <... openat resumed>) = -1 EIO (Input/output error) [pid 3741] <... mprotect resumed>) = 0 [pid 3742] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3741] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3743 attached [pid 3742] <... futex resumed>) = 0 [pid 3741] <... clone resumed>, parent_tid=[3743], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3743 [pid 3743] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3743] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3742] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3741] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3743] <... futex resumed>) = 0 [pid 3741] <... futex resumed>) = 1 [pid 3743] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3743] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3743] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3741] exit_group(0) = ? [pid 3743] <... futex resumed>) = ? [pid 3742] <... futex resumed>) = ? [pid 3743] +++ exited with 0 +++ [pid 3742] +++ exited with 0 +++ [pid 3741] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3741, si_uid=0, si_status=0, si_utime=3, si_stime=28} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./36", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./36", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./36/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./36/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./36/binderfs") = 0 [ 83.376790][ T3742] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 83.384783][ T3742] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 83.392749][ T3742] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 83.400712][ T3742] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 83.408687][ T3742] umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./36/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./36/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./36/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./36") = 0 mkdir("./37", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3744 ./strace-static-x86_64: Process 3744 attached [pid 3744] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3744] chdir("./37") = 0 [pid 3744] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3744] setpgid(0, 0) = 0 [pid 3744] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3744] write(3, "1000", 4) = 4 [pid 3744] close(3) = 0 [pid 3744] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3744] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3744] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3744] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3744] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3745 attached , parent_tid=[3745], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3745 [pid 3744] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3744] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3745] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3745] memfd_create("syzkaller", 0) = 3 [pid 3745] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3745] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3745] munmap(0x7fc87e392000, 16777216) = 0 [pid 3745] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3745] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3745] close(3) = 0 [pid 3745] mkdir("./file0", 0777) = 0 [ 83.730790][ T3745] loop0: detected capacity change from 0 to 32768 [ 83.741732][ T3745] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 83.749903][ T3745] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 83.759461][ T3745] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 83.768470][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 83.775602][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3745] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3745] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3745] chdir("./file0") = 0 [pid 3745] ioctl(4, LOOP_CLR_FD) = 0 [pid 3745] close(4) = 0 [pid 3745] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3744] <... futex resumed>) = 0 [pid 3745] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3744] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3745] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3744] <... futex resumed>) = 0 [pid 3745] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3744] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3745] <... futex resumed>) = 0 [pid 3744] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3745] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3744] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 83.816279][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 83.823817][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 83.829068][ T3745] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 83.855517][ T3745] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3744] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3744] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3744] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3744] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3744] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3746], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3746 [pid 3744] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3746 attached [pid 3746] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3746] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [ 83.864078][ T3745] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 83.864078][ T3745] inode = 12 2341 [ 83.864078][ T3745] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 83.882930][ T3745] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 83.892009][ T3745] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3745 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 83.902052][ T3745] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3746] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 83.910548][ T3745] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 83.918267][ T3745] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 83.927447][ T3745] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 83.934154][ T3745] gfs2: fsid=syz:syz.0: File system withdrawn [ 83.940331][ T3745] CPU: 1 PID: 3745 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 83.950753][ T3745] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 83.961004][ T3745] Call Trace: [ 83.964297][ T3745] [ 83.967221][ T3745] dump_stack_lvl+0x1b1/0x28e [ 83.971908][ T3745] ? nf_tcp_handle_invalid+0x62e/0x62e [ 83.977463][ T3745] ? panic+0x710/0x710 [ 83.981553][ T3745] ? kobject_uevent_env+0x46b/0x8e0 [ 83.986761][ T3745] ? do_raw_spin_unlock+0x134/0x8a0 [ 83.993607][ T3745] gfs2_withdraw+0xf33/0x1540 [ 83.998286][ T3745] ? gfs2_lm+0x220/0x220 [ 84.002520][ T3745] ? gfs2_dirent_scan+0xb6/0x650 [ 84.007462][ T3745] ? panic+0x710/0x710 [ 84.011545][ T3745] ? gfs2_permission+0x2ff/0x430 [pid 3746] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3744] exit_group(0 [pid 3746] <... futex resumed>) = ? [pid 3744] <... exit_group resumed>) = ? [pid 3746] +++ exited with 0 +++ [ 84.016505][ T3745] ? gfs2_consist_inode_i+0xf3/0x110 [ 84.021796][ T3745] gfs2_dirent_scan+0x535/0x650 [ 84.026643][ T3745] ? gfs2_dirent_search+0xb10/0xb10 [ 84.031949][ T3745] gfs2_dirent_search+0x2ea/0xb10 [ 84.037001][ T3745] ? gfs2_dirent_search+0xb10/0xb10 [ 84.042409][ T3745] ? gfs2_dir_search+0x2a0/0x2a0 [ 84.047370][ T3745] ? gfs2_permission+0x3bf/0x430 [ 84.052328][ T3745] gfs2_dir_search+0x8c/0x2a0 [ 84.057012][ T3745] ? do_filldir_main+0x530/0x530 [ 84.061963][ T3745] ? inode_go_held+0xe4/0x1f0 [ 84.066647][ T3745] ? gfs2_glock_wait+0x213/0x2a0 [ 84.071597][ T3745] gfs2_lookupi+0x465/0x650 [ 84.076097][ T3745] ? gfs2_lookup_simple+0x170/0x170 [ 84.081287][ T3745] ? __gfs2_lookup+0x8c/0x260 [ 84.085978][ T3745] __gfs2_lookup+0x8c/0x260 [ 84.090489][ T3745] ? gfs2_atomic_open+0x230/0x230 [ 84.095694][ T3745] ? __d_lookup+0x6a4/0x770 [ 84.100201][ T3745] ? d_hash_and_lookup+0x1c0/0x1c0 [ 84.105319][ T3745] gfs2_atomic_open+0xa4/0x230 [ 84.110103][ T3745] path_openat+0xf39/0x2df0 [ 84.114615][ T3745] ? gfs2_rename2+0x3000/0x3000 [ 84.119471][ T3745] ? do_filp_open+0x4f0/0x4f0 [ 84.124148][ T3745] do_filp_open+0x264/0x4f0 [ 84.128655][ T3745] ? vfs_tmpfile+0x490/0x490 [ 84.133255][ T3745] ? do_raw_spin_unlock+0x134/0x8a0 [ 84.138463][ T3745] ? _raw_spin_unlock+0x24/0x40 [ 84.143331][ T3745] ? alloc_fd+0x5a7/0x640 [ 84.147657][ T3745] do_sys_openat2+0x124/0x4e0 [ 84.152364][ T3745] ? print_irqtrace_events+0x220/0x220 [ 84.157827][ T3745] ? ptrace_stop+0x74d/0x970 [ 84.162432][ T3745] ? do_sys_open+0x220/0x220 [ 84.167018][ T3745] ? lockdep_hardirqs_on+0x8d/0x130 [ 84.172214][ T3745] ? _raw_spin_unlock_irq+0x2a/0x40 [ 84.177498][ T3745] ? ptrace_notify+0x245/0x340 [ 84.182255][ T3745] __x64_sys_openat+0x243/0x290 [ 84.187102][ T3745] ? __ia32_sys_open+0x270/0x270 [ 84.192044][ T3745] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 84.198038][ T3745] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 84.204012][ T3745] do_syscall_64+0x3d/0xb0 [ 84.208423][ T3745] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 84.214317][ T3745] RIP: 0033:0x7fc8868064d9 [ 84.218743][ T3745] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 84.238343][ T3745] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 84.246748][ T3745] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 84.254715][ T3745] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3745] <... openat resumed>) = ? [pid 3745] +++ exited with 0 +++ [pid 3744] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3744, si_uid=0, si_status=0, si_utime=1, si_stime=29} --- umount2("./37", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./37", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./37/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./37/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./37/binderfs") = 0 [ 84.262770][ T3745] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 84.270749][ T3745] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 84.278728][ T3745] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 84.286701][ T3745] umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./37/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./37/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./37/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./37") = 0 mkdir("./38", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3747 ./strace-static-x86_64: Process 3747 attached [pid 3747] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3747] chdir("./38") = 0 [pid 3747] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3747] setpgid(0, 0) = 0 [pid 3747] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3747] write(3, "1000", 4) = 4 [pid 3747] close(3) = 0 [pid 3747] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3747] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3747] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3747] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3747] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3748], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3748 [pid 3747] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3747] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3748 attached [pid 3748] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3748] memfd_create("syzkaller", 0) = 3 [pid 3748] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3748] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3748] munmap(0x7fc87e392000, 16777216) = 0 [pid 3748] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3748] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3748] close(3) = 0 [pid 3748] mkdir("./file0", 0777) = 0 [ 84.608388][ T3748] loop0: detected capacity change from 0 to 32768 [ 84.618834][ T3748] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 84.627607][ T3748] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 84.636921][ T3748] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 84.645572][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 84.652428][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3748] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3748] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3748] chdir("./file0") = 0 [pid 3748] ioctl(4, LOOP_CLR_FD) = 0 [pid 3748] close(4) = 0 [pid 3748] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3747] <... futex resumed>) = 0 [pid 3747] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3747] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3748] <... futex resumed>) = 1 [pid 3748] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3748] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3747] <... futex resumed>) = 0 [pid 3747] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3747] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3748] <... futex resumed>) = 1 [ 84.687853][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 84.695431][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 84.700737][ T3748] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 84.715314][ T3748] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 84.723864][ T3748] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 84.723864][ T3748] inode = 12 2341 [pid 3748] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3747] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3747] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 84.723864][ T3748] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 84.742704][ T3748] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 84.752037][ T3748] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3748 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 84.762235][ T3748] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 84.770839][ T3748] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 84.778128][ T3748] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 3747] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3747] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3747] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3749], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3749 [pid 3747] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3749 attached [pid 3749] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3749] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3749] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 84.787053][ T3748] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 84.793694][ T3748] gfs2: fsid=syz:syz.0: File system withdrawn [ 84.799801][ T3748] CPU: 0 PID: 3748 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 84.810209][ T3748] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 84.820263][ T3748] Call Trace: [ 84.823635][ T3748] [ 84.826570][ T3748] dump_stack_lvl+0x1b1/0x28e [ 84.831351][ T3748] ? nf_tcp_handle_invalid+0x62e/0x62e [ 84.836805][ T3748] ? panic+0x710/0x710 [ 84.840878][ T3748] ? kobject_uevent_env+0x46b/0x8e0 [ 84.846082][ T3748] ? do_raw_spin_unlock+0x134/0x8a0 [ 84.851280][ T3748] gfs2_withdraw+0xf33/0x1540 [ 84.855958][ T3748] ? gfs2_lm+0x220/0x220 [ 84.860196][ T3748] ? gfs2_dirent_scan+0xb6/0x650 [ 84.865127][ T3748] ? panic+0x710/0x710 [ 84.869192][ T3748] ? gfs2_permission+0x2ff/0x430 [ 84.874140][ T3748] ? gfs2_consist_inode_i+0xf3/0x110 [ 84.879418][ T3748] gfs2_dirent_scan+0x535/0x650 [ 84.884275][ T3748] ? gfs2_dirent_search+0xb10/0xb10 [ 84.889467][ T3748] gfs2_dirent_search+0x2ea/0xb10 [ 84.894498][ T3748] ? gfs2_dirent_search+0xb10/0xb10 [ 84.899707][ T3748] ? gfs2_dir_search+0x2a0/0x2a0 [ 84.904639][ T3748] ? gfs2_permission+0x3bf/0x430 [ 84.909579][ T3748] gfs2_dir_search+0x8c/0x2a0 [ 84.914257][ T3748] ? do_filldir_main+0x530/0x530 [ 84.919193][ T3748] ? inode_go_held+0xe4/0x1f0 [ 84.923871][ T3748] ? gfs2_glock_wait+0x213/0x2a0 [ 84.928801][ T3748] gfs2_lookupi+0x465/0x650 [ 84.933309][ T3748] ? gfs2_lookup_simple+0x170/0x170 [ 84.938504][ T3748] ? __gfs2_lookup+0x8c/0x260 [ 84.943200][ T3748] __gfs2_lookup+0x8c/0x260 [ 84.949352][ T3748] ? gfs2_atomic_open+0x230/0x230 [ 84.954374][ T3748] ? __d_lookup+0x6a4/0x770 [ 84.958869][ T3748] ? d_hash_and_lookup+0x1c0/0x1c0 [ 84.963978][ T3748] gfs2_atomic_open+0xa4/0x230 [ 84.968747][ T3748] path_openat+0xf39/0x2df0 [ 84.973249][ T3748] ? gfs2_rename2+0x3000/0x3000 [ 84.978124][ T3748] ? do_filp_open+0x4f0/0x4f0 [ 84.982807][ T3748] do_filp_open+0x264/0x4f0 [ 84.987318][ T3748] ? vfs_tmpfile+0x490/0x490 [ 84.991908][ T3748] ? do_raw_spin_unlock+0x134/0x8a0 [ 84.997102][ T3748] ? _raw_spin_unlock+0x24/0x40 [ 85.001944][ T3748] ? alloc_fd+0x5a7/0x640 [ 85.006278][ T3748] do_sys_openat2+0x124/0x4e0 [ 85.010965][ T3748] ? print_irqtrace_events+0x220/0x220 [ 85.016418][ T3748] ? ptrace_stop+0x74d/0x970 [ 85.021003][ T3748] ? do_sys_open+0x220/0x220 [ 85.025588][ T3748] ? lockdep_hardirqs_on+0x8d/0x130 [ 85.030779][ T3748] ? _raw_spin_unlock_irq+0x2a/0x40 [ 85.035976][ T3748] ? ptrace_notify+0x245/0x340 [ 85.040753][ T3748] __x64_sys_openat+0x243/0x290 [ 85.045599][ T3748] ? __ia32_sys_open+0x270/0x270 [ 85.050531][ T3748] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 85.056507][ T3748] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 85.062483][ T3748] do_syscall_64+0x3d/0xb0 [ 85.066890][ T3748] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 85.072771][ T3748] RIP: 0033:0x7fc8868064d9 [ 85.077183][ T3748] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 85.096779][ T3748] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 85.105185][ T3748] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 85.113167][ T3748] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 85.121128][ T3748] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 85.129090][ T3748] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3749] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3748] <... openat resumed>) = -1 EIO (Input/output error) [pid 3748] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3748] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3747] exit_group(0 [pid 3748] <... futex resumed>) = ? [pid 3747] <... exit_group resumed>) = ? [pid 3748] +++ exited with 0 +++ [pid 3749] <... futex resumed>) = ? [pid 3749] +++ exited with 0 +++ [pid 3747] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3747, si_uid=0, si_status=0, si_utime=3, si_stime=28} --- umount2("./38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./38/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./38/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./38/binderfs") = 0 [ 85.137067][ T3748] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 85.145041][ T3748] umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./38/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./38/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./38/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./38") = 0 mkdir("./39", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3750 ./strace-static-x86_64: Process 3750 attached [pid 3750] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3750] chdir("./39") = 0 [pid 3750] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3750] setpgid(0, 0) = 0 [pid 3750] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3750] write(3, "1000", 4) = 4 [pid 3750] close(3) = 0 [pid 3750] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3750] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3750] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3750] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3750] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3751], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3751 ./strace-static-x86_64: Process 3751 attached [pid 3750] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3750] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3751] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3751] memfd_create("syzkaller", 0) = 3 [pid 3751] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3751] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3751] munmap(0x7fc87e392000, 16777216) = 0 [pid 3751] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3751] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3751] close(3) = 0 [pid 3751] mkdir("./file0", 0777) = 0 [ 85.440584][ T3751] loop0: detected capacity change from 0 to 32768 [ 85.452071][ T3751] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 85.460392][ T3751] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 85.469299][ T3751] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 85.478378][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 85.485207][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3751] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3751] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3751] chdir("./file0") = 0 [pid 3751] ioctl(4, LOOP_CLR_FD) = 0 [pid 3751] close(4) = 0 [pid 3751] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3750] <... futex resumed>) = 0 [pid 3750] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3750] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3751] <... futex resumed>) = 1 [pid 3751] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3751] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3750] <... futex resumed>) = 0 [pid 3750] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3750] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3751] <... futex resumed>) = 1 [ 85.526813][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 85.535049][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 85.540521][ T3751] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 85.563199][ T3751] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3751] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3750] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 85.571922][ T3751] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 85.571922][ T3751] inode = 12 2341 [ 85.571922][ T3751] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 85.591544][ T3751] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 85.601971][ T3751] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3751 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 85.612719][ T3751] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3750] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3750] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3750] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3750] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3752], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3752 [pid 3750] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3752 attached [pid 3752] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3752] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3752] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 85.621707][ T3751] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 85.629302][ T3751] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 85.638693][ T3751] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 85.645509][ T3751] gfs2: fsid=syz:syz.0: File system withdrawn [ 85.652009][ T3751] CPU: 0 PID: 3751 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 85.662473][ T3751] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 85.672550][ T3751] Call Trace: [ 85.675825][ T3751] [ 85.678786][ T3751] dump_stack_lvl+0x1b1/0x28e [ 85.683461][ T3751] ? nf_tcp_handle_invalid+0x62e/0x62e [ 85.688933][ T3751] ? panic+0x710/0x710 [ 85.693008][ T3751] ? kobject_uevent_env+0x46b/0x8e0 [ 85.698219][ T3751] ? do_raw_spin_unlock+0x134/0x8a0 [ 85.703504][ T3751] gfs2_withdraw+0xf33/0x1540 [ 85.708184][ T3751] ? gfs2_lm+0x220/0x220 [ 85.712421][ T3751] ? gfs2_dirent_scan+0xb6/0x650 [ 85.717356][ T3751] ? panic+0x710/0x710 [ 85.721417][ T3751] ? gfs2_permission+0x2ff/0x430 [ 85.726388][ T3751] ? gfs2_consist_inode_i+0xf3/0x110 [ 85.731668][ T3751] gfs2_dirent_scan+0x535/0x650 [ 85.736522][ T3751] ? gfs2_dirent_search+0xb10/0xb10 [ 85.741719][ T3751] gfs2_dirent_search+0x2ea/0xb10 [ 85.746742][ T3751] ? gfs2_dirent_search+0xb10/0xb10 [ 85.751936][ T3751] ? gfs2_dir_search+0x2a0/0x2a0 [ 85.756863][ T3751] ? gfs2_permission+0x3bf/0x430 [ 85.761798][ T3751] gfs2_dir_search+0x8c/0x2a0 [ 85.766482][ T3751] ? do_filldir_main+0x530/0x530 [ 85.771412][ T3751] ? inode_go_held+0xe4/0x1f0 [ 85.776086][ T3751] ? gfs2_glock_wait+0x213/0x2a0 [ 85.781024][ T3751] gfs2_lookupi+0x465/0x650 [ 85.785528][ T3751] ? gfs2_lookup_simple+0x170/0x170 [ 85.790734][ T3751] ? __gfs2_lookup+0x8c/0x260 [ 85.795523][ T3751] __gfs2_lookup+0x8c/0x260 [ 85.800041][ T3751] ? gfs2_atomic_open+0x230/0x230 [ 85.805082][ T3751] ? __d_lookup+0x6a4/0x770 [ 85.809584][ T3751] ? d_hash_and_lookup+0x1c0/0x1c0 [ 85.814781][ T3751] gfs2_atomic_open+0xa4/0x230 [ 85.819543][ T3751] path_openat+0xf39/0x2df0 [ 85.824045][ T3751] ? gfs2_rename2+0x3000/0x3000 [ 85.828906][ T3751] ? do_filp_open+0x4f0/0x4f0 [ 85.833588][ T3751] do_filp_open+0x264/0x4f0 [ 85.838084][ T3751] ? vfs_tmpfile+0x490/0x490 [ 85.842701][ T3751] ? do_raw_spin_unlock+0x134/0x8a0 [ 85.847894][ T3751] ? _raw_spin_unlock+0x24/0x40 [ 85.852740][ T3751] ? alloc_fd+0x5a7/0x640 [ 85.857090][ T3751] do_sys_openat2+0x124/0x4e0 [ 85.861764][ T3751] ? print_irqtrace_events+0x220/0x220 [ 85.867212][ T3751] ? ptrace_stop+0x74d/0x970 [ 85.871792][ T3751] ? do_sys_open+0x220/0x220 [ 85.876378][ T3751] ? lockdep_hardirqs_on+0x8d/0x130 [ 85.881567][ T3751] ? _raw_spin_unlock_irq+0x2a/0x40 [ 85.886763][ T3751] ? ptrace_notify+0x245/0x340 [ 85.891536][ T3751] __x64_sys_openat+0x243/0x290 [ 85.896383][ T3751] ? __ia32_sys_open+0x270/0x270 [ 85.901314][ T3751] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 85.907287][ T3751] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 85.913259][ T3751] do_syscall_64+0x3d/0xb0 [ 85.917685][ T3751] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 85.923581][ T3751] RIP: 0033:0x7fc8868064d9 [ 85.928010][ T3751] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 85.947620][ T3751] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 85.956042][ T3751] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 85.964011][ T3751] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3752] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3751] <... openat resumed>) = -1 EIO (Input/output error) [pid 3751] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3750] exit_group(0 [pid 3752] <... futex resumed>) = ? [pid 3751] <... futex resumed>) = ? [pid 3750] <... exit_group resumed>) = ? [pid 3752] +++ exited with 0 +++ [pid 3751] +++ exited with 0 +++ [pid 3750] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3750, si_uid=0, si_status=0, si_utime=0, si_stime=27} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./39", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./39", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./39/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./39/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./39/binderfs") = 0 [ 85.971971][ T3751] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 85.979930][ T3751] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 85.987889][ T3751] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 85.995867][ T3751] umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./39/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./39/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./39/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./39") = 0 mkdir("./40", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3753 ./strace-static-x86_64: Process 3753 attached [pid 3753] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3753] chdir("./40") = 0 [pid 3753] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3753] setpgid(0, 0) = 0 [pid 3753] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3753] write(3, "1000", 4) = 4 [pid 3753] close(3) = 0 [pid 3753] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3753] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3753] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3753] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3753] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3754], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3754 ./strace-static-x86_64: Process 3754 attached [pid 3753] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3753] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3754] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3754] memfd_create("syzkaller", 0) = 3 [pid 3754] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3754] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3754] munmap(0x7fc87e392000, 16777216) = 0 [pid 3754] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3754] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3754] close(3) = 0 [pid 3754] mkdir("./file0", 0777) = 0 [ 86.309470][ T3754] loop0: detected capacity change from 0 to 32768 [ 86.321642][ T3754] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 86.329857][ T3754] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 86.339794][ T3754] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 86.348867][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 86.355786][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3754] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3754] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3754] chdir("./file0") = 0 [pid 3754] ioctl(4, LOOP_CLR_FD) = 0 [pid 3754] close(4) = 0 [pid 3754] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3753] <... futex resumed>) = 0 [pid 3754] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3753] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3754] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3753] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3754] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3753] <... futex resumed>) = 0 [pid 3753] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3754] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3753] <... futex resumed>) = 0 [ 86.389668][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 86.398473][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 86.403998][ T3754] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 86.445066][ T3754] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 86.453978][ T3754] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 86.453978][ T3754] inode = 12 2341 [ 86.453978][ T3754] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 86.473247][ T3754] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 86.482349][ T3754] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3754 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3753] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3753] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3753] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3753] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3753] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3755], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3755 [pid 3753] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3755 attached [pid 3755] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3755] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3755] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 86.492396][ T3754] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 86.500862][ T3754] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 86.508139][ T3754] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 86.517028][ T3754] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 86.523653][ T3754] gfs2: fsid=syz:syz.0: File system withdrawn [ 86.529753][ T3754] CPU: 0 PID: 3754 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 86.540183][ T3754] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 86.550263][ T3754] Call Trace: [ 86.553554][ T3754] [ 86.556485][ T3754] dump_stack_lvl+0x1b1/0x28e [ 86.561162][ T3754] ? nf_tcp_handle_invalid+0x62e/0x62e [ 86.566611][ T3754] ? panic+0x710/0x710 [ 86.570673][ T3754] ? kobject_uevent_env+0x46b/0x8e0 [ 86.575863][ T3754] ? do_raw_spin_unlock+0x134/0x8a0 [ 86.581083][ T3754] gfs2_withdraw+0xf33/0x1540 [ 86.585784][ T3754] ? gfs2_lm+0x220/0x220 [ 86.590015][ T3754] ? gfs2_dirent_scan+0xb6/0x650 [ 86.594945][ T3754] ? panic+0x710/0x710 [ 86.599005][ T3754] ? gfs2_permission+0x2ff/0x430 [ 86.603943][ T3754] ? gfs2_consist_inode_i+0xf3/0x110 [ 86.609240][ T3754] gfs2_dirent_scan+0x535/0x650 [ 86.614107][ T3754] ? gfs2_dirent_search+0xb10/0xb10 [ 86.619326][ T3754] gfs2_dirent_search+0x2ea/0xb10 [ 86.624451][ T3754] ? gfs2_dirent_search+0xb10/0xb10 [ 86.629650][ T3754] ? gfs2_dir_search+0x2a0/0x2a0 [ 86.634594][ T3754] ? gfs2_permission+0x3bf/0x430 [ 86.639547][ T3754] gfs2_dir_search+0x8c/0x2a0 [pid 3755] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3753] exit_group(0 [pid 3755] <... futex resumed>) = ? [pid 3753] <... exit_group resumed>) = ? [pid 3755] +++ exited with 0 +++ [ 86.644235][ T3754] ? do_filldir_main+0x530/0x530 [ 86.649284][ T3754] ? inode_go_held+0xe4/0x1f0 [ 86.654061][ T3754] ? gfs2_glock_wait+0x213/0x2a0 [ 86.659001][ T3754] gfs2_lookupi+0x465/0x650 [ 86.663515][ T3754] ? gfs2_lookup_simple+0x170/0x170 [ 86.668709][ T3754] ? __gfs2_lookup+0x8c/0x260 [ 86.673391][ T3754] __gfs2_lookup+0x8c/0x260 [ 86.677891][ T3754] ? gfs2_atomic_open+0x230/0x230 [ 86.682944][ T3754] ? __d_lookup+0x6a4/0x770 [ 86.687443][ T3754] ? d_hash_and_lookup+0x1c0/0x1c0 [ 86.692545][ T3754] gfs2_atomic_open+0xa4/0x230 [ 86.697315][ T3754] path_openat+0xf39/0x2df0 [ 86.701832][ T3754] ? gfs2_rename2+0x3000/0x3000 [ 86.706717][ T3754] ? do_filp_open+0x4f0/0x4f0 [ 86.711426][ T3754] do_filp_open+0x264/0x4f0 [ 86.715922][ T3754] ? vfs_tmpfile+0x490/0x490 [ 86.720528][ T3754] ? do_raw_spin_unlock+0x134/0x8a0 [ 86.725724][ T3754] ? _raw_spin_unlock+0x24/0x40 [ 86.730571][ T3754] ? alloc_fd+0x5a7/0x640 [ 86.734992][ T3754] do_sys_openat2+0x124/0x4e0 [ 86.739682][ T3754] ? print_irqtrace_events+0x220/0x220 [ 86.745140][ T3754] ? ptrace_stop+0x74d/0x970 [ 86.749735][ T3754] ? do_sys_open+0x220/0x220 [ 86.754332][ T3754] ? lockdep_hardirqs_on+0x8d/0x130 [ 86.759519][ T3754] ? _raw_spin_unlock_irq+0x2a/0x40 [ 86.764724][ T3754] ? ptrace_notify+0x245/0x340 [ 86.769494][ T3754] __x64_sys_openat+0x243/0x290 [ 86.774355][ T3754] ? __ia32_sys_open+0x270/0x270 [ 86.779302][ T3754] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 86.785283][ T3754] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 86.791273][ T3754] do_syscall_64+0x3d/0xb0 [ 86.795680][ T3754] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 86.801568][ T3754] RIP: 0033:0x7fc8868064d9 [ 86.805977][ T3754] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 86.825608][ T3754] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 86.834046][ T3754] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3754] <... openat resumed>) = ? [pid 3754] +++ exited with 0 +++ [pid 3753] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3753, si_uid=0, si_status=0, si_utime=4, si_stime=24} --- umount2("./40", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./40", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./40/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./40/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./40/binderfs") = 0 [ 86.842115][ T3754] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 86.850100][ T3754] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 86.858071][ T3754] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 86.866037][ T3754] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 86.874036][ T3754] umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./40/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./40/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./40/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./40") = 0 mkdir("./41", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3756 ./strace-static-x86_64: Process 3756 attached [pid 3756] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3756] chdir("./41") = 0 [pid 3756] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3756] setpgid(0, 0) = 0 [pid 3756] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3756] write(3, "1000", 4) = 4 [pid 3756] close(3) = 0 [pid 3756] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3756] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3756] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3756] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3756] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3757], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3757 [pid 3756] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 3757 attached ) = 0 [pid 3757] set_robust_list(0x7fc8867b29e0, 24 [pid 3756] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3757] <... set_robust_list resumed>) = 0 [pid 3757] memfd_create("syzkaller", 0) = 3 [pid 3757] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3757] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3757] munmap(0x7fc87e392000, 16777216) = 0 [pid 3757] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3757] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3757] close(3) = 0 [pid 3757] mkdir("./file0", 0777) = 0 [ 87.169387][ T3757] loop0: detected capacity change from 0 to 32768 [ 87.179987][ T3757] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 87.188254][ T3757] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 87.198073][ T3757] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 87.206928][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 87.213830][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3757] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3757] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3757] chdir("./file0") = 0 [pid 3757] ioctl(4, LOOP_CLR_FD) = 0 [pid 3757] close(4) = 0 [pid 3757] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3756] <... futex resumed>) = 0 [pid 3756] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3756] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3757] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3757] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3756] <... futex resumed>) = 0 [pid 3756] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3756] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 87.253132][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 87.260666][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 87.265885][ T3757] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 87.288796][ T3757] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3757] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3756] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3756] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3756] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3756] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3756] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3758], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3758 [pid 3756] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3758 attached [pid 3758] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3758] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3758] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 87.297964][ T3757] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 87.297964][ T3757] inode = 12 2341 [ 87.297964][ T3757] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 87.317089][ T3757] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 87.326556][ T3757] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3757 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 87.336830][ T3757] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 87.345895][ T3757] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 87.353551][ T3757] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 87.362495][ T3757] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 87.369040][ T3757] gfs2: fsid=syz:syz.0: File system withdrawn [ 87.375229][ T3757] CPU: 0 PID: 3757 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 87.385647][ T3757] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 87.395694][ T3757] Call Trace: [ 87.398965][ T3757] [ 87.401892][ T3757] dump_stack_lvl+0x1b1/0x28e [ 87.406564][ T3757] ? nf_tcp_handle_invalid+0x62e/0x62e [ 87.412020][ T3757] ? panic+0x710/0x710 [ 87.416436][ T3757] ? kobject_uevent_env+0x46b/0x8e0 [ 87.421620][ T3757] ? do_raw_spin_unlock+0x134/0x8a0 [ 87.426825][ T3757] gfs2_withdraw+0xf33/0x1540 [ 87.431529][ T3757] ? gfs2_lm+0x220/0x220 [ 87.435759][ T3757] ? gfs2_dirent_scan+0xb6/0x650 [ 87.440682][ T3757] ? panic+0x710/0x710 [ 87.444735][ T3757] ? gfs2_permission+0x2ff/0x430 [ 87.449697][ T3757] ? gfs2_consist_inode_i+0xf3/0x110 [ 87.454984][ T3757] gfs2_dirent_scan+0x535/0x650 [ 87.459845][ T3757] ? gfs2_dirent_search+0xb10/0xb10 [ 87.465131][ T3757] gfs2_dirent_search+0x2ea/0xb10 [ 87.470159][ T3757] ? gfs2_dirent_search+0xb10/0xb10 [ 87.475347][ T3757] ? gfs2_dir_search+0x2a0/0x2a0 [ 87.480280][ T3757] ? gfs2_permission+0x3bf/0x430 [ 87.485477][ T3757] gfs2_dir_search+0x8c/0x2a0 [ 87.490149][ T3757] ? do_filldir_main+0x530/0x530 [ 87.495077][ T3757] ? inode_go_held+0xe4/0x1f0 [ 87.499749][ T3757] ? gfs2_glock_wait+0x213/0x2a0 [ 87.504673][ T3757] gfs2_lookupi+0x465/0x650 [ 87.509169][ T3757] ? gfs2_lookup_simple+0x170/0x170 [ 87.514356][ T3757] ? __gfs2_lookup+0x8c/0x260 [ 87.519119][ T3757] __gfs2_lookup+0x8c/0x260 [ 87.523631][ T3757] ? gfs2_atomic_open+0x230/0x230 [ 87.528658][ T3757] ? __d_lookup+0x6a4/0x770 [ 87.533157][ T3757] ? d_hash_and_lookup+0x1c0/0x1c0 [ 87.538270][ T3757] gfs2_atomic_open+0xa4/0x230 [ 87.543026][ T3757] path_openat+0xf39/0x2df0 [ 87.547540][ T3757] ? gfs2_rename2+0x3000/0x3000 [pid 3758] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3756] exit_group(0 [pid 3758] <... futex resumed>) = ? [pid 3756] <... exit_group resumed>) = ? [pid 3758] +++ exited with 0 +++ [ 87.552413][ T3757] ? do_filp_open+0x4f0/0x4f0 [ 87.557276][ T3757] do_filp_open+0x264/0x4f0 [ 87.561768][ T3757] ? vfs_tmpfile+0x490/0x490 [ 87.566353][ T3757] ? do_raw_spin_unlock+0x134/0x8a0 [ 87.571555][ T3757] ? _raw_spin_unlock+0x24/0x40 [ 87.576410][ T3757] ? alloc_fd+0x5a7/0x640 [ 87.580743][ T3757] do_sys_openat2+0x124/0x4e0 [ 87.585416][ T3757] ? print_irqtrace_events+0x220/0x220 [ 87.590870][ T3757] ? ptrace_stop+0x74d/0x970 [ 87.595470][ T3757] ? do_sys_open+0x220/0x220 [ 87.600070][ T3757] ? lockdep_hardirqs_on+0x8d/0x130 [ 87.605272][ T3757] ? _raw_spin_unlock_irq+0x2a/0x40 [ 87.610470][ T3757] ? ptrace_notify+0x245/0x340 [ 87.615236][ T3757] __x64_sys_openat+0x243/0x290 [ 87.620087][ T3757] ? __ia32_sys_open+0x270/0x270 [ 87.625028][ T3757] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 87.631014][ T3757] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 87.637003][ T3757] do_syscall_64+0x3d/0xb0 [ 87.641406][ T3757] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 87.647286][ T3757] RIP: 0033:0x7fc8868064d9 [ 87.651703][ T3757] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 87.671392][ T3757] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 87.679795][ T3757] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 87.687764][ T3757] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 87.695733][ T3757] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3757] <... openat resumed>) = ? [pid 3757] +++ exited with 0 +++ [pid 3756] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3756, si_uid=0, si_status=0, si_utime=0, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./41", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./41", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./41/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./41/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./41/binderfs") = 0 [ 87.703720][ T3757] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 87.711708][ T3757] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 87.719691][ T3757] umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./41/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./41/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./41/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./41") = 0 mkdir("./42", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3759 ./strace-static-x86_64: Process 3759 attached [pid 3759] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3759] chdir("./42") = 0 [pid 3759] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3759] setpgid(0, 0) = 0 [pid 3759] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3759] write(3, "1000", 4) = 4 [pid 3759] close(3) = 0 [pid 3759] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3759] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3759] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3759] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3759] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3760 attached , parent_tid=[3760], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3760 [pid 3760] set_robust_list(0x7fc8867b29e0, 24 [pid 3759] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3760] <... set_robust_list resumed>) = 0 [pid 3759] <... futex resumed>) = 0 [pid 3759] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3760] memfd_create("syzkaller", 0) = 3 [pid 3760] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3760] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3760] munmap(0x7fc87e392000, 16777216) = 0 [pid 3760] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3760] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3760] close(3) = 0 [pid 3760] mkdir("./file0", 0777) = 0 [ 88.014108][ T3760] loop0: detected capacity change from 0 to 32768 [ 88.026566][ T3760] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 88.034991][ T3760] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 88.044107][ T3760] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 88.052744][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 88.059519][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3760] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3760] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3760] chdir("./file0") = 0 [pid 3760] ioctl(4, LOOP_CLR_FD) = 0 [pid 3760] close(4) = 0 [pid 3760] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3760] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3759] <... futex resumed>) = 0 [pid 3759] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3760] <... futex resumed>) = 0 [pid 3759] <... futex resumed>) = 1 [pid 3760] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3759] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3760] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3760] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3759] <... futex resumed>) = 0 [pid 3760] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3759] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3760] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3759] <... futex resumed>) = 0 [pid 3760] openat(AT_FDCWD, "./file0", O_RDONLY [ 88.095182][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 88.102772][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 88.108580][ T3760] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 88.141038][ T3760] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 88.149423][ T3760] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 88.149423][ T3760] inode = 12 2341 [ 88.149423][ T3760] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 88.168294][ T3760] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 88.177803][ T3760] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3760 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3759] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3759] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3759] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3759] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3759] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3761], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3761 [pid 3759] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3761 attached [pid 3761] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3761] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3761] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 88.187894][ T3760] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 88.196675][ T3760] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 88.204564][ T3760] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 88.213635][ T3760] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 88.221421][ T3760] gfs2: fsid=syz:syz.0: File system withdrawn [ 88.227516][ T3760] CPU: 0 PID: 3760 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 88.237930][ T3760] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 88.247973][ T3760] Call Trace: [ 88.251246][ T3760] [ 88.254165][ T3760] dump_stack_lvl+0x1b1/0x28e [ 88.258831][ T3760] ? nf_tcp_handle_invalid+0x62e/0x62e [ 88.264275][ T3760] ? panic+0x710/0x710 [ 88.268335][ T3760] ? kobject_uevent_env+0x46b/0x8e0 [ 88.273527][ T3760] ? do_raw_spin_unlock+0x134/0x8a0 [ 88.278720][ T3760] gfs2_withdraw+0xf33/0x1540 [ 88.283399][ T3760] ? gfs2_lm+0x220/0x220 [pid 3761] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3759] exit_group(0 [pid 3761] <... futex resumed>) = ? [pid 3759] <... exit_group resumed>) = ? [pid 3761] +++ exited with 0 +++ [ 88.287626][ T3760] ? gfs2_dirent_scan+0xb6/0x650 [ 88.292550][ T3760] ? panic+0x710/0x710 [ 88.296695][ T3760] ? gfs2_permission+0x2ff/0x430 [ 88.301661][ T3760] ? gfs2_consist_inode_i+0xf3/0x110 [ 88.306951][ T3760] gfs2_dirent_scan+0x535/0x650 [ 88.311807][ T3760] ? gfs2_dirent_search+0xb10/0xb10 [ 88.317010][ T3760] gfs2_dirent_search+0x2ea/0xb10 [ 88.322025][ T3760] ? gfs2_dirent_search+0xb10/0xb10 [ 88.327215][ T3760] ? gfs2_dir_search+0x2a0/0x2a0 [ 88.332139][ T3760] ? gfs2_permission+0x3bf/0x430 [ 88.337091][ T3760] gfs2_dir_search+0x8c/0x2a0 [ 88.341774][ T3760] ? do_filldir_main+0x530/0x530 [ 88.346698][ T3760] ? inode_go_held+0xe4/0x1f0 [ 88.351364][ T3760] ? gfs2_glock_wait+0x213/0x2a0 [ 88.356286][ T3760] gfs2_lookupi+0x465/0x650 [ 88.360777][ T3760] ? gfs2_lookup_simple+0x170/0x170 [ 88.365971][ T3760] ? __gfs2_lookup+0x8c/0x260 [ 88.370644][ T3760] __gfs2_lookup+0x8c/0x260 [ 88.375162][ T3760] ? gfs2_atomic_open+0x230/0x230 [ 88.380189][ T3760] ? __d_lookup+0x6a4/0x770 [ 88.384692][ T3760] ? d_hash_and_lookup+0x1c0/0x1c0 [ 88.389797][ T3760] gfs2_atomic_open+0xa4/0x230 [ 88.394564][ T3760] path_openat+0xf39/0x2df0 [ 88.399074][ T3760] ? gfs2_rename2+0x3000/0x3000 [ 88.403921][ T3760] ? do_filp_open+0x4f0/0x4f0 [ 88.408615][ T3760] do_filp_open+0x264/0x4f0 [ 88.413120][ T3760] ? vfs_tmpfile+0x490/0x490 [ 88.417701][ T3760] ? do_raw_spin_unlock+0x134/0x8a0 [ 88.422910][ T3760] ? _raw_spin_unlock+0x24/0x40 [ 88.427768][ T3760] ? alloc_fd+0x5a7/0x640 [ 88.432093][ T3760] do_sys_openat2+0x124/0x4e0 [ 88.436759][ T3760] ? print_irqtrace_events+0x220/0x220 [ 88.442200][ T3760] ? ptrace_stop+0x74d/0x970 [ 88.446785][ T3760] ? do_sys_open+0x220/0x220 [ 88.451379][ T3760] ? lockdep_hardirqs_on+0x8d/0x130 [ 88.456574][ T3760] ? _raw_spin_unlock_irq+0x2a/0x40 [ 88.461781][ T3760] ? ptrace_notify+0x245/0x340 [ 88.466532][ T3760] __x64_sys_openat+0x243/0x290 [ 88.471377][ T3760] ? __ia32_sys_open+0x270/0x270 [ 88.476307][ T3760] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 88.482276][ T3760] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 88.488257][ T3760] do_syscall_64+0x3d/0xb0 [ 88.492680][ T3760] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 88.498576][ T3760] RIP: 0033:0x7fc8868064d9 [ 88.502976][ T3760] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 88.522584][ T3760] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 88.531019][ T3760] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3760] <... openat resumed>) = ? [pid 3760] +++ exited with 0 +++ [pid 3759] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3759, si_uid=0, si_status=0, si_utime=2, si_stime=28} --- umount2("./42", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./42", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./42/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./42/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./42/binderfs") = 0 [ 88.539003][ T3760] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 88.546976][ T3760] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 88.554957][ T3760] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 88.562916][ T3760] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 88.570906][ T3760] umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./42/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./42/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./42/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./42") = 0 mkdir("./43", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3762 ./strace-static-x86_64: Process 3762 attached [pid 3762] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3762] chdir("./43") = 0 [pid 3762] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3762] setpgid(0, 0) = 0 [pid 3762] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3762] write(3, "1000", 4) = 4 [pid 3762] close(3) = 0 [pid 3762] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3762] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3762] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3762] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3762] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3763 attached , parent_tid=[3763], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3763 [pid 3763] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3763] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3762] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3763] <... futex resumed>) = 0 [pid 3762] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3763] memfd_create("syzkaller", 0) = 3 [pid 3763] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3763] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3763] munmap(0x7fc87e392000, 16777216) = 0 [pid 3763] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3763] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3763] close(3) = 0 [pid 3763] mkdir("./file0", 0777) = 0 [ 88.881270][ T3763] loop0: detected capacity change from 0 to 32768 [ 88.891527][ T3763] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 88.899719][ T3763] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 88.908912][ T3763] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 88.918065][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 88.925075][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3763] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3763] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3763] chdir("./file0") = 0 [pid 3763] ioctl(4, LOOP_CLR_FD) = 0 [pid 3763] close(4) = 0 [pid 3763] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3762] <... futex resumed>) = 0 [pid 3762] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3762] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3763] <... futex resumed>) = 1 [pid 3763] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3763] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3762] <... futex resumed>) = 0 [pid 3762] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3762] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3763] <... futex resumed>) = 1 [ 88.962436][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 88.970028][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 88.976229][ T3763] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 88.992055][ T3763] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 89.000798][ T3763] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 89.000798][ T3763] inode = 12 2341 [pid 3763] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3762] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3762] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 89.000798][ T3763] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 89.023897][ T3763] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 89.033351][ T3763] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3763 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 89.043736][ T3763] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 89.052998][ T3763] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3762] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3762] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3762] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3764], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3764 [pid 3762] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3764 attached [ 89.060554][ T3763] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 89.069845][ T3763] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 89.077060][ T3763] gfs2: fsid=syz:syz.0: File system withdrawn [ 89.083767][ T3763] CPU: 0 PID: 3763 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 89.094253][ T3763] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 89.104319][ T3763] Call Trace: [ 89.107589][ T3763] [ 89.110514][ T3763] dump_stack_lvl+0x1b1/0x28e [ 89.115211][ T3763] ? nf_tcp_handle_invalid+0x62e/0x62e [ 89.120679][ T3763] ? panic+0x710/0x710 [ 89.124740][ T3763] ? kobject_uevent_env+0x46b/0x8e0 [ 89.129936][ T3763] ? do_raw_spin_unlock+0x134/0x8a0 [ 89.135156][ T3763] gfs2_withdraw+0xf33/0x1540 [ 89.139870][ T3763] ? gfs2_lm+0x220/0x220 [ 89.144124][ T3763] ? gfs2_dirent_scan+0xb6/0x650 [ 89.149068][ T3763] ? panic+0x710/0x710 [ 89.153144][ T3763] ? gfs2_permission+0x2ff/0x430 [ 89.158089][ T3763] ? gfs2_consist_inode_i+0xf3/0x110 [ 89.163385][ T3763] gfs2_dirent_scan+0x535/0x650 [ 89.168243][ T3763] ? gfs2_dirent_search+0xb10/0xb10 [ 89.173468][ T3763] gfs2_dirent_search+0x2ea/0xb10 [ 89.178518][ T3763] ? gfs2_dirent_search+0xb10/0xb10 [ 89.183830][ T3763] ? gfs2_dir_search+0x2a0/0x2a0 [ 89.188868][ T3763] ? gfs2_permission+0x3bf/0x430 [ 89.193812][ T3763] gfs2_dir_search+0x8c/0x2a0 [ 89.198493][ T3763] ? do_filldir_main+0x530/0x530 [ 89.203423][ T3763] ? inode_go_held+0xe4/0x1f0 [ 89.208099][ T3763] ? gfs2_glock_wait+0x213/0x2a0 [ 89.213029][ T3763] gfs2_lookupi+0x465/0x650 [ 89.217531][ T3763] ? gfs2_lookup_simple+0x170/0x170 [ 89.222723][ T3763] ? __gfs2_lookup+0x8c/0x260 [ 89.227398][ T3763] __gfs2_lookup+0x8c/0x260 [ 89.231898][ T3763] ? gfs2_atomic_open+0x230/0x230 [ 89.237003][ T3763] ? __d_lookup+0x6a4/0x770 [ 89.241842][ T3763] ? d_hash_and_lookup+0x1c0/0x1c0 [ 89.246943][ T3763] gfs2_atomic_open+0xa4/0x230 [ 89.251700][ T3763] path_openat+0xf39/0x2df0 [ 89.256200][ T3763] ? gfs2_rename2+0x3000/0x3000 [ 89.261056][ T3763] ? do_filp_open+0x4f0/0x4f0 [ 89.265748][ T3763] do_filp_open+0x264/0x4f0 [ 89.270242][ T3763] ? vfs_tmpfile+0x490/0x490 [ 89.274831][ T3763] ? do_raw_spin_unlock+0x134/0x8a0 [ 89.280026][ T3763] ? _raw_spin_unlock+0x24/0x40 [ 89.284874][ T3763] ? alloc_fd+0x5a7/0x640 [ 89.289206][ T3763] do_sys_openat2+0x124/0x4e0 [ 89.293876][ T3763] ? print_irqtrace_events+0x220/0x220 [ 89.299333][ T3763] ? ptrace_stop+0x74d/0x970 [ 89.303914][ T3763] ? do_sys_open+0x220/0x220 [ 89.308495][ T3763] ? lockdep_hardirqs_on+0x8d/0x130 [ 89.313693][ T3763] ? _raw_spin_unlock_irq+0x2a/0x40 [ 89.318883][ T3763] ? ptrace_notify+0x245/0x340 [ 89.323635][ T3763] __x64_sys_openat+0x243/0x290 [ 89.328487][ T3763] ? __ia32_sys_open+0x270/0x270 [ 89.333417][ T3763] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 89.339391][ T3763] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 89.345362][ T3763] do_syscall_64+0x3d/0xb0 [ 89.349792][ T3763] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 89.355676][ T3763] RIP: 0033:0x7fc8868064d9 [ 89.360095][ T3763] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 89.379707][ T3763] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 89.388108][ T3763] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 89.396072][ T3763] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 89.404038][ T3763] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3764] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3764] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3764] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3764] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3763] <... openat resumed>) = -1 EIO (Input/output error) [pid 3763] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3762] exit_group(0 [pid 3764] <... futex resumed>) = ? [pid 3762] <... exit_group resumed>) = ? [pid 3764] +++ exited with 0 +++ [pid 3763] +++ exited with 0 +++ [pid 3762] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3762, si_uid=0, si_status=0, si_utime=0, si_stime=32} --- umount2("./43", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./43", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./43/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./43/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./43/binderfs") = 0 [ 89.411999][ T3763] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 89.419960][ T3763] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 89.427931][ T3763] umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./43/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./43/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./43/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./43") = 0 mkdir("./44", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3765 ./strace-static-x86_64: Process 3765 attached [pid 3765] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3765] chdir("./44") = 0 [pid 3765] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3765] setpgid(0, 0) = 0 [pid 3765] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3765] write(3, "1000", 4) = 4 [pid 3765] close(3) = 0 [pid 3765] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3765] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3765] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3765] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3765] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3766], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3766 [pid 3765] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3765] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3766 attached [pid 3766] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3766] memfd_create("syzkaller", 0) = 3 [pid 3766] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3766] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3766] munmap(0x7fc87e392000, 16777216) = 0 [pid 3766] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3766] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3766] close(3) = 0 [pid 3766] mkdir("./file0", 0777) = 0 [ 89.747976][ T3766] loop0: detected capacity change from 0 to 32768 [ 89.759477][ T3766] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 89.768422][ T3766] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 89.778051][ T3766] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 89.786625][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 89.793516][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3766] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3766] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3766] chdir("./file0") = 0 [pid 3766] ioctl(4, LOOP_CLR_FD) = 0 [pid 3766] close(4) = 0 [pid 3766] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3765] <... futex resumed>) = 0 [pid 3766] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3765] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3766] <... futex resumed>) = 0 [pid 3765] <... futex resumed>) = 1 [pid 3766] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3765] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3766] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3766] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3765] <... futex resumed>) = 0 [pid 3766] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3765] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3766] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3765] <... futex resumed>) = 0 [ 89.829169][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 89.836730][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 89.842028][ T3766] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3766] openat(AT_FDCWD, "./file0", O_RDONLY [ 89.873138][ T3766] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 89.881935][ T3766] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 89.881935][ T3766] inode = 12 2341 [ 89.881935][ T3766] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 89.900990][ T3766] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 89.910066][ T3766] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3766 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3765] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3765] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3765] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3765] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3765] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3767], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3767 [pid 3765] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3767 attached [pid 3767] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3767] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3767] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 89.920546][ T3766] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 89.928964][ T3766] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 89.936284][ T3766] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 89.945132][ T3766] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 89.951765][ T3766] gfs2: fsid=syz:syz.0: File system withdrawn [ 89.957838][ T3766] CPU: 0 PID: 3766 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 89.968250][ T3766] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 89.978307][ T3766] Call Trace: [ 89.981577][ T3766] [ 89.984497][ T3766] dump_stack_lvl+0x1b1/0x28e [ 89.989167][ T3766] ? nf_tcp_handle_invalid+0x62e/0x62e [ 89.994631][ T3766] ? panic+0x710/0x710 [ 89.998715][ T3766] ? kobject_uevent_env+0x46b/0x8e0 [ 90.004009][ T3766] ? do_raw_spin_unlock+0x134/0x8a0 [ 90.009227][ T3766] gfs2_withdraw+0xf33/0x1540 [ 90.013912][ T3766] ? gfs2_lm+0x220/0x220 [ 90.018142][ T3766] ? gfs2_dirent_scan+0xb6/0x650 [ 90.023080][ T3766] ? panic+0x710/0x710 [ 90.027161][ T3766] ? gfs2_permission+0x2ff/0x430 [ 90.032127][ T3766] ? gfs2_consist_inode_i+0xf3/0x110 [ 90.037413][ T3766] gfs2_dirent_scan+0x535/0x650 [ 90.042267][ T3766] ? gfs2_dirent_search+0xb10/0xb10 [ 90.047455][ T3766] gfs2_dirent_search+0x2ea/0xb10 [ 90.052471][ T3766] ? gfs2_dirent_search+0xb10/0xb10 [ 90.057669][ T3766] ? gfs2_dir_search+0x2a0/0x2a0 [ 90.062600][ T3766] ? gfs2_permission+0x3bf/0x430 [ 90.067569][ T3766] gfs2_dir_search+0x8c/0x2a0 [pid 3767] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3765] exit_group(0 [pid 3767] <... futex resumed>) = ? [pid 3765] <... exit_group resumed>) = ? [pid 3767] +++ exited with 0 +++ [ 90.072254][ T3766] ? do_filldir_main+0x530/0x530 [ 90.077214][ T3766] ? inode_go_held+0xe4/0x1f0 [ 90.081902][ T3766] ? gfs2_glock_wait+0x213/0x2a0 [ 90.086832][ T3766] gfs2_lookupi+0x465/0x650 [ 90.091330][ T3766] ? gfs2_lookup_simple+0x170/0x170 [ 90.096518][ T3766] ? __gfs2_lookup+0x8c/0x260 [ 90.101198][ T3766] __gfs2_lookup+0x8c/0x260 [ 90.105705][ T3766] ? gfs2_atomic_open+0x230/0x230 [ 90.110738][ T3766] ? __d_lookup+0x6a4/0x770 [ 90.115238][ T3766] ? d_hash_and_lookup+0x1c0/0x1c0 [ 90.120355][ T3766] gfs2_atomic_open+0xa4/0x230 [ 90.125109][ T3766] path_openat+0xf39/0x2df0 [ 90.129602][ T3766] ? gfs2_rename2+0x3000/0x3000 [ 90.134478][ T3766] ? do_filp_open+0x4f0/0x4f0 [ 90.139181][ T3766] do_filp_open+0x264/0x4f0 [ 90.143682][ T3766] ? vfs_tmpfile+0x490/0x490 [ 90.148270][ T3766] ? do_raw_spin_unlock+0x134/0x8a0 [ 90.153472][ T3766] ? _raw_spin_unlock+0x24/0x40 [ 90.158336][ T3766] ? alloc_fd+0x5a7/0x640 [ 90.162701][ T3766] do_sys_openat2+0x124/0x4e0 [ 90.167388][ T3766] ? print_irqtrace_events+0x220/0x220 [ 90.172848][ T3766] ? ptrace_stop+0x74d/0x970 [ 90.177517][ T3766] ? do_sys_open+0x220/0x220 [ 90.182111][ T3766] ? lockdep_hardirqs_on+0x8d/0x130 [ 90.187325][ T3766] ? _raw_spin_unlock_irq+0x2a/0x40 [ 90.192534][ T3766] ? ptrace_notify+0x245/0x340 [ 90.197293][ T3766] __x64_sys_openat+0x243/0x290 [ 90.202137][ T3766] ? __ia32_sys_open+0x270/0x270 [ 90.207064][ T3766] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 90.213034][ T3766] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 90.219016][ T3766] do_syscall_64+0x3d/0xb0 [ 90.223439][ T3766] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 90.229321][ T3766] RIP: 0033:0x7fc8868064d9 [ 90.233724][ T3766] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 90.253334][ T3766] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 90.261763][ T3766] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3766] <... openat resumed>) = ? [pid 3766] +++ exited with 0 +++ [pid 3765] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3765, si_uid=0, si_status=0, si_utime=2, si_stime=29} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./44", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./44", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./44/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./44/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./44/binderfs") = 0 [ 90.269737][ T3766] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 90.277793][ T3766] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 90.285753][ T3766] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 90.293720][ T3766] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 90.301781][ T3766] umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./44/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./44/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./44/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./44") = 0 mkdir("./45", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3768 ./strace-static-x86_64: Process 3768 attached [pid 3768] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3768] chdir("./45") = 0 [pid 3768] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3768] setpgid(0, 0) = 0 [pid 3768] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3768] write(3, "1000", 4) = 4 [pid 3768] close(3) = 0 [pid 3768] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3768] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3768] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3768] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3768] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3769 attached , parent_tid=[3769], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3769 [pid 3768] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3768] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3769] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3769] memfd_create("syzkaller", 0) = 3 [pid 3769] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3769] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3769] munmap(0x7fc87e392000, 16777216) = 0 [pid 3769] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3769] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3769] close(3) = 0 [pid 3769] mkdir("./file0", 0777) = 0 [ 90.593314][ T3769] loop0: detected capacity change from 0 to 32768 [ 90.602864][ T3769] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 90.611127][ T3769] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 90.620775][ T3769] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 90.629149][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 90.636039][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3769] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3769] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3769] chdir("./file0") = 0 [pid 3769] ioctl(4, LOOP_CLR_FD) = 0 [pid 3769] close(4) = 0 [pid 3769] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3768] <... futex resumed>) = 0 [pid 3768] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3768] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3769] <... futex resumed>) = 1 [pid 3769] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3769] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3768] <... futex resumed>) = 0 [pid 3768] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3768] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3769] <... futex resumed>) = 1 [ 90.669502][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 90.677307][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 90.682993][ T3769] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 90.697371][ T3769] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 90.705974][ T3769] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 90.705974][ T3769] inode = 12 2341 [pid 3769] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3768] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3768] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 90.705974][ T3769] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 90.724848][ T3769] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 90.734012][ T3769] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3769 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 90.744196][ T3769] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 90.752708][ T3769] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 90.760328][ T3769] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 90.769143][ T3769] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 90.775838][ T3769] gfs2: fsid=syz:syz.0: File system withdrawn [ 90.781997][ T3769] CPU: 0 PID: 3769 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 90.792447][ T3769] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 90.802505][ T3769] Call Trace: [ 90.805777][ T3769] [ 90.808713][ T3769] dump_stack_lvl+0x1b1/0x28e [ 90.813389][ T3769] ? nf_tcp_handle_invalid+0x62e/0x62e [ 90.818842][ T3769] ? panic+0x710/0x710 [ 90.822902][ T3769] ? kobject_uevent_env+0x46b/0x8e0 [ 90.828094][ T3769] ? do_raw_spin_unlock+0x134/0x8a0 [ 90.833290][ T3769] gfs2_withdraw+0xf33/0x1540 [ 90.837977][ T3769] ? gfs2_lm+0x220/0x220 [ 90.842210][ T3769] ? gfs2_dirent_scan+0xb6/0x650 [ 90.847153][ T3769] ? panic+0x710/0x710 [ 90.851209][ T3769] ? gfs2_permission+0x2ff/0x430 [ 90.856142][ T3769] ? gfs2_consist_inode_i+0xf3/0x110 [ 90.861420][ T3769] gfs2_dirent_scan+0x535/0x650 [ 90.866271][ T3769] ? gfs2_dirent_search+0xb10/0xb10 [ 90.871471][ T3769] gfs2_dirent_search+0x2ea/0xb10 [ 90.876499][ T3769] ? gfs2_dirent_search+0xb10/0xb10 [ 90.881696][ T3769] ? gfs2_dir_search+0x2a0/0x2a0 [ 90.886623][ T3769] ? gfs2_permission+0x3bf/0x430 [ 90.891588][ T3769] gfs2_dir_search+0x8c/0x2a0 [ 90.896261][ T3769] ? do_filldir_main+0x530/0x530 [ 90.901192][ T3769] ? inode_go_held+0xe4/0x1f0 [ 90.905861][ T3769] ? gfs2_glock_wait+0x213/0x2a0 [ 90.910793][ T3769] gfs2_lookupi+0x465/0x650 [ 90.915296][ T3769] ? gfs2_lookup_simple+0x170/0x170 [ 90.920488][ T3769] ? __gfs2_lookup+0x8c/0x260 [ 90.925165][ T3769] __gfs2_lookup+0x8c/0x260 [ 90.929661][ T3769] ? gfs2_atomic_open+0x230/0x230 [ 90.934679][ T3769] ? __d_lookup+0x6a4/0x770 [ 90.939175][ T3769] ? d_hash_and_lookup+0x1c0/0x1c0 [ 90.944281][ T3769] gfs2_atomic_open+0xa4/0x230 [ 90.949040][ T3769] path_openat+0xf39/0x2df0 [ 90.953542][ T3769] ? gfs2_rename2+0x3000/0x3000 [ 90.958409][ T3769] ? do_filp_open+0x4f0/0x4f0 [ 90.963099][ T3769] do_filp_open+0x264/0x4f0 [ 90.967593][ T3769] ? vfs_tmpfile+0x490/0x490 [ 90.972180][ T3769] ? do_raw_spin_unlock+0x134/0x8a0 [ 90.977378][ T3769] ? _raw_spin_unlock+0x24/0x40 [ 90.982250][ T3769] ? alloc_fd+0x5a7/0x640 [ 90.986579][ T3769] do_sys_openat2+0x124/0x4e0 [ 90.991251][ T3769] ? print_irqtrace_events+0x220/0x220 [ 90.996697][ T3769] ? ptrace_stop+0x74d/0x970 [ 91.001282][ T3769] ? do_sys_open+0x220/0x220 [ 91.005869][ T3769] ? lockdep_hardirqs_on+0x8d/0x130 [ 91.011061][ T3769] ? _raw_spin_unlock_irq+0x2a/0x40 [ 91.016253][ T3769] ? ptrace_notify+0x245/0x340 [ 91.021008][ T3769] __x64_sys_openat+0x243/0x290 [ 91.025855][ T3769] ? __ia32_sys_open+0x270/0x270 [ 91.030788][ T3769] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 91.036763][ T3769] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 91.042738][ T3769] do_syscall_64+0x3d/0xb0 [ 91.047143][ T3769] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 91.053023][ T3769] RIP: 0033:0x7fc8868064d9 [ 91.057427][ T3769] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 91.077031][ T3769] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 91.085692][ T3769] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 91.093652][ T3769] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 91.101611][ T3769] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 91.109570][ T3769] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3768] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3768] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3768] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID [pid 3769] <... openat resumed>) = -1 EIO (Input/output error) [pid 3769] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3768] <... clone resumed>, parent_tid=[3770], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3770 [pid 3769] <... futex resumed>) = 0 [pid 3768] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3769] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3768] <... futex resumed>) = 0 ./strace-static-x86_64: Process 3770 attached [pid 3770] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3770] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3770] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3768] exit_group(0 [pid 3769] <... futex resumed>) = ? [pid 3768] <... exit_group resumed>) = ? [pid 3769] +++ exited with 0 +++ [pid 3770] +++ exited with 0 +++ [pid 3768] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3768, si_uid=0, si_status=0, si_utime=3, si_stime=27} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./45", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./45", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./45/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./45/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./45/binderfs") = 0 [ 91.117532][ T3769] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 91.125772][ T3769] umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./45/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./45/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./45/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./45") = 0 mkdir("./46", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3771 ./strace-static-x86_64: Process 3771 attached [pid 3771] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3771] chdir("./46") = 0 [pid 3771] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3771] setpgid(0, 0) = 0 [pid 3771] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3771] write(3, "1000", 4) = 4 [pid 3771] close(3) = 0 [pid 3771] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3771] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3771] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3771] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3771] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3772 attached [pid 3772] set_robust_list(0x7fc8867b29e0, 24 [pid 3771] <... clone resumed>, parent_tid=[3772], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3772 [pid 3772] <... set_robust_list resumed>) = 0 [pid 3771] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3771] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3772] memfd_create("syzkaller", 0) = 3 [pid 3772] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3772] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3772] munmap(0x7fc87e392000, 16777216) = 0 [pid 3772] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3772] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3772] close(3) = 0 [pid 3772] mkdir("./file0", 0777) = 0 [ 91.417691][ T3772] loop0: detected capacity change from 0 to 32768 [ 91.428959][ T3772] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 91.437358][ T3772] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 91.447148][ T3772] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 91.455853][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 91.462762][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3772] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3772] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3772] chdir("./file0") = 0 [pid 3772] ioctl(4, LOOP_CLR_FD) = 0 [pid 3772] close(4) = 0 [pid 3772] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3771] <... futex resumed>) = 0 [pid 3771] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3771] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3772] <... futex resumed>) = 1 [pid 3772] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3772] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3771] <... futex resumed>) = 0 [pid 3771] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3771] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3772] <... futex resumed>) = 1 [ 91.495106][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 91.502686][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 91.507914][ T3772] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 91.537248][ T3772] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 91.546588][ T3772] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 91.546588][ T3772] inode = 12 2341 [ 91.546588][ T3772] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 91.565466][ T3772] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 91.574593][ T3772] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3772 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3772] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3771] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3771] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3771] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3771] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [ 91.584729][ T3772] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 91.593357][ T3772] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 91.600697][ T3772] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 91.609644][ T3772] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 91.616311][ T3772] gfs2: fsid=syz:syz.0: File system withdrawn [ 91.623191][ T3772] CPU: 0 PID: 3772 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 91.633638][ T3772] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 91.643708][ T3772] Call Trace: [ 91.646988][ T3772] [ 91.649910][ T3772] dump_stack_lvl+0x1b1/0x28e [ 91.654583][ T3772] ? nf_tcp_handle_invalid+0x62e/0x62e [ 91.660027][ T3772] ? panic+0x710/0x710 [ 91.664086][ T3772] ? kobject_uevent_env+0x46b/0x8e0 [ 91.669278][ T3772] ? do_raw_spin_unlock+0x134/0x8a0 [ 91.674492][ T3772] gfs2_withdraw+0xf33/0x1540 [ 91.679182][ T3772] ? gfs2_lm+0x220/0x220 [ 91.683410][ T3772] ? gfs2_dirent_scan+0xb6/0x650 [ 91.688342][ T3772] ? panic+0x710/0x710 [ 91.692399][ T3772] ? gfs2_permission+0x2ff/0x430 [ 91.697327][ T3772] ? gfs2_consist_inode_i+0xf3/0x110 [ 91.702601][ T3772] gfs2_dirent_scan+0x535/0x650 [ 91.707446][ T3772] ? gfs2_dirent_search+0xb10/0xb10 [ 91.712634][ T3772] gfs2_dirent_search+0x2ea/0xb10 [ 91.717650][ T3772] ? gfs2_dirent_search+0xb10/0xb10 [ 91.722854][ T3772] ? gfs2_dir_search+0x2a0/0x2a0 [ 91.727974][ T3772] ? gfs2_permission+0x3bf/0x430 [ 91.732908][ T3772] gfs2_dir_search+0x8c/0x2a0 [ 91.737584][ T3772] ? do_filldir_main+0x530/0x530 [ 91.742530][ T3772] ? inode_go_held+0xe4/0x1f0 [ 91.747204][ T3772] ? gfs2_glock_wait+0x213/0x2a0 [ 91.752137][ T3772] gfs2_lookupi+0x465/0x650 [ 91.756642][ T3772] ? gfs2_lookup_simple+0x170/0x170 [ 91.761836][ T3772] ? __gfs2_lookup+0x8c/0x260 [ 91.766781][ T3772] __gfs2_lookup+0x8c/0x260 [ 91.771279][ T3772] ? gfs2_atomic_open+0x230/0x230 [ 91.776300][ T3772] ? __d_lookup+0x6a4/0x770 [ 91.780791][ T3772] ? d_hash_and_lookup+0x1c0/0x1c0 [ 91.785895][ T3772] gfs2_atomic_open+0xa4/0x230 [ 91.790655][ T3772] path_openat+0xf39/0x2df0 [ 91.795155][ T3772] ? gfs2_rename2+0x3000/0x3000 [ 91.800026][ T3772] ? do_filp_open+0x4f0/0x4f0 [ 91.804849][ T3772] do_filp_open+0x264/0x4f0 [ 91.809399][ T3772] ? vfs_tmpfile+0x490/0x490 [ 91.814008][ T3772] ? do_raw_spin_unlock+0x134/0x8a0 [ 91.819218][ T3772] ? _raw_spin_unlock+0x24/0x40 [ 91.824087][ T3772] ? alloc_fd+0x5a7/0x640 [ 91.828421][ T3772] do_sys_openat2+0x124/0x4e0 [ 91.833094][ T3772] ? print_irqtrace_events+0x220/0x220 [ 91.838541][ T3772] ? ptrace_stop+0x74d/0x970 [ 91.843144][ T3772] ? do_sys_open+0x220/0x220 [ 91.847747][ T3772] ? lockdep_hardirqs_on+0x8d/0x130 [ 91.852963][ T3772] ? _raw_spin_unlock_irq+0x2a/0x40 [ 91.858167][ T3772] ? ptrace_notify+0x245/0x340 [ 91.862932][ T3772] __x64_sys_openat+0x243/0x290 [ 91.867796][ T3772] ? __ia32_sys_open+0x270/0x270 [ 91.872752][ T3772] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 91.878776][ T3772] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 91.884757][ T3772] do_syscall_64+0x3d/0xb0 [ 91.889166][ T3772] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 91.895052][ T3772] RIP: 0033:0x7fc8868064d9 [ 91.899457][ T3772] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 91.919139][ T3772] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 91.927544][ T3772] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3771] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID [pid 3772] <... openat resumed>) = -1 EIO (Input/output error) ./strace-static-x86_64: Process 3773 attached [pid 3771] <... clone resumed>, parent_tid=[3773], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3773 [pid 3773] set_robust_list(0x7fc87f3919e0, 24 [pid 3771] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3773] <... set_robust_list resumed>) = 0 [pid 3771] <... futex resumed>) = 0 [pid 3773] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3772] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3773] <... openat resumed>) = -1 EIO (Input/output error) [pid 3772] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3773] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3773] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3771] exit_group(0) = ? [pid 3772] <... futex resumed>) = ? [pid 3772] +++ exited with 0 +++ [pid 3773] <... futex resumed>) = ? [pid 3773] +++ exited with 0 +++ [pid 3771] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3771, si_uid=0, si_status=0, si_utime=2, si_stime=29} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./46", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./46", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./46/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./46/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./46/binderfs") = 0 [ 91.935511][ T3772] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 91.943472][ T3772] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 91.951433][ T3772] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 91.959402][ T3772] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 91.967383][ T3772] umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./46/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./46/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./46/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./46") = 0 mkdir("./47", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3774 ./strace-static-x86_64: Process 3774 attached [pid 3774] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3774] chdir("./47") = 0 [pid 3774] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3774] setpgid(0, 0) = 0 [pid 3774] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3774] write(3, "1000", 4) = 4 [pid 3774] close(3) = 0 [pid 3774] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3774] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3774] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3774] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3774] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3775], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3775 [pid 3774] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3774] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3775 attached [pid 3775] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3775] memfd_create("syzkaller", 0) = 3 [pid 3775] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3775] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3775] munmap(0x7fc87e392000, 16777216) = 0 [pid 3775] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3775] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3775] close(3) = 0 [pid 3775] mkdir("./file0", 0777) = 0 [ 92.270547][ T3775] loop0: detected capacity change from 0 to 32768 [ 92.281639][ T3775] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 92.290041][ T3775] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 92.300061][ T3775] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 92.308818][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 92.316032][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3775] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3775] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3775] chdir("./file0") = 0 [pid 3775] ioctl(4, LOOP_CLR_FD) = 0 [pid 3775] close(4) = 0 [pid 3775] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3774] <... futex resumed>) = 0 [pid 3774] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3774] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3775] <... futex resumed>) = 1 [pid 3775] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3775] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3774] <... futex resumed>) = 0 [pid 3774] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3774] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3775] <... futex resumed>) = 1 [ 92.349475][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 92.358322][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 92.363631][ T3775] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 92.378469][ T3775] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 92.386941][ T3775] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 92.386941][ T3775] inode = 12 2341 [pid 3775] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3774] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 92.386941][ T3775] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 92.417065][ T3775] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 92.426684][ T3775] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3775 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 92.437100][ T3775] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3774] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3774] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3774] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3774] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3776], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3776 [pid 3774] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 92.445873][ T3775] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 92.453228][ T3775] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 92.462134][ T3775] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 92.469005][ T3775] gfs2: fsid=syz:syz.0: File system withdrawn [ 92.475959][ T3775] CPU: 0 PID: 3775 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 92.486405][ T3775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 92.496488][ T3775] Call Trace: [ 92.499787][ T3775] [ 92.502711][ T3775] dump_stack_lvl+0x1b1/0x28e [ 92.507416][ T3775] ? nf_tcp_handle_invalid+0x62e/0x62e [ 92.512875][ T3775] ? panic+0x710/0x710 [ 92.516954][ T3775] ? kobject_uevent_env+0x46b/0x8e0 [ 92.522151][ T3775] ? do_raw_spin_unlock+0x134/0x8a0 [ 92.527372][ T3775] gfs2_withdraw+0xf33/0x1540 [ 92.532053][ T3775] ? gfs2_lm+0x220/0x220 [ 92.536308][ T3775] ? gfs2_dirent_scan+0xb6/0x650 [ 92.541250][ T3775] ? panic+0x710/0x710 [ 92.545320][ T3775] ? gfs2_permission+0x2ff/0x430 [ 92.550254][ T3775] ? gfs2_consist_inode_i+0xf3/0x110 [ 92.555544][ T3775] gfs2_dirent_scan+0x535/0x650 [ 92.560412][ T3775] ? gfs2_dirent_search+0xb10/0xb10 [ 92.565612][ T3775] gfs2_dirent_search+0x2ea/0xb10 [ 92.570654][ T3775] ? gfs2_dirent_search+0xb10/0xb10 [ 92.575855][ T3775] ? gfs2_dir_search+0x2a0/0x2a0 [ 92.580795][ T3775] ? gfs2_permission+0x3bf/0x430 [ 92.585745][ T3775] gfs2_dir_search+0x8c/0x2a0 [ 92.590426][ T3775] ? do_filldir_main+0x530/0x530 [ 92.595361][ T3775] ? inode_go_held+0xe4/0x1f0 [ 92.600041][ T3775] ? gfs2_glock_wait+0x213/0x2a0 [ 92.604975][ T3775] gfs2_lookupi+0x465/0x650 [ 92.609565][ T3775] ? gfs2_lookup_simple+0x170/0x170 [ 92.614933][ T3775] ? __gfs2_lookup+0x8c/0x260 [ 92.619700][ T3775] __gfs2_lookup+0x8c/0x260 [ 92.624312][ T3775] ? gfs2_atomic_open+0x230/0x230 [ 92.629346][ T3775] ? __d_lookup+0x6a4/0x770 [ 92.633843][ T3775] ? d_hash_and_lookup+0x1c0/0x1c0 [ 92.638945][ T3775] gfs2_atomic_open+0xa4/0x230 [ 92.643975][ T3775] path_openat+0xf39/0x2df0 [ 92.648514][ T3775] ? gfs2_rename2+0x3000/0x3000 [ 92.653371][ T3775] ? do_filp_open+0x4f0/0x4f0 [ 92.658055][ T3775] do_filp_open+0x264/0x4f0 [ 92.662549][ T3775] ? vfs_tmpfile+0x490/0x490 [ 92.667141][ T3775] ? do_raw_spin_unlock+0x134/0x8a0 [ 92.672341][ T3775] ? _raw_spin_unlock+0x24/0x40 [ 92.677190][ T3775] ? alloc_fd+0x5a7/0x640 [ 92.681519][ T3775] do_sys_openat2+0x124/0x4e0 [ 92.686190][ T3775] ? print_irqtrace_events+0x220/0x220 [ 92.691638][ T3775] ? ptrace_stop+0x74d/0x970 [ 92.696222][ T3775] ? do_sys_open+0x220/0x220 [ 92.700813][ T3775] ? lockdep_hardirqs_on+0x8d/0x130 [ 92.706004][ T3775] ? _raw_spin_unlock_irq+0x2a/0x40 [ 92.711198][ T3775] ? ptrace_notify+0x245/0x340 [ 92.715952][ T3775] __x64_sys_openat+0x243/0x290 [ 92.720794][ T3775] ? __ia32_sys_open+0x270/0x270 [ 92.725729][ T3775] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 92.731976][ T3775] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 92.737962][ T3775] do_syscall_64+0x3d/0xb0 [ 92.742384][ T3775] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 92.748281][ T3775] RIP: 0033:0x7fc8868064d9 [ 92.752688][ T3775] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 92.772293][ T3775] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 92.780696][ T3775] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 92.788743][ T3775] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c ./strace-static-x86_64: Process 3776 attached [pid 3775] <... openat resumed>) = -1 EIO (Input/output error) [pid 3776] set_robust_list(0x7fc87f3919e0, 24 [pid 3775] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3776] <... set_robust_list resumed>) = 0 [pid 3775] <... futex resumed>) = 0 [pid 3776] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3775] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3776] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3776] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3774] exit_group(0 [pid 3776] <... futex resumed>) = ? [pid 3775] <... futex resumed>) = ? [pid 3774] <... exit_group resumed>) = ? [pid 3776] +++ exited with 0 +++ [pid 3775] +++ exited with 0 +++ [pid 3774] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3774, si_uid=0, si_status=0, si_utime=2, si_stime=25} --- umount2("./47", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./47", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./47/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./47/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./47/binderfs") = 0 [ 92.796703][ T3775] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 92.804662][ T3775] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 92.812638][ T3775] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 92.820613][ T3775] umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./47/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./47/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./47/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./47") = 0 mkdir("./48", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3778 ./strace-static-x86_64: Process 3778 attached [pid 3778] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3778] chdir("./48") = 0 [pid 3778] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3778] setpgid(0, 0) = 0 [pid 3778] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3778] write(3, "1000", 4) = 4 [pid 3778] close(3) = 0 [pid 3778] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3778] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3778] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3778] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3778] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3779], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3779 ./strace-static-x86_64: Process 3779 attached [pid 3778] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3778] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3779] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3779] memfd_create("syzkaller", 0) = 3 [pid 3779] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3779] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3779] munmap(0x7fc87e392000, 16777216) = 0 [pid 3779] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3779] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3779] close(3) = 0 [pid 3779] mkdir("./file0", 0777) = 0 [ 93.137459][ T3779] loop0: detected capacity change from 0 to 32768 [ 93.148018][ T3779] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 93.156307][ T3779] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 93.166265][ T3779] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 93.175238][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 93.182157][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3779] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3779] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3779] chdir("./file0") = 0 [pid 3779] ioctl(4, LOOP_CLR_FD) = 0 [pid 3779] close(4) = 0 [pid 3779] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3778] <... futex resumed>) = 0 [pid 3778] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3778] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3779] <... futex resumed>) = 1 [pid 3779] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3779] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3778] <... futex resumed>) = 0 [pid 3779] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3778] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 93.215507][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 93.223055][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 93.228302][ T3779] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 93.253774][ T3779] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3778] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3778] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3778] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3778] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [ 93.263416][ T3779] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 93.263416][ T3779] inode = 12 2341 [ 93.263416][ T3779] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 93.282596][ T3779] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 93.292293][ T3779] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3779 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 93.302642][ T3779] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3778] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3782], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3782 [pid 3778] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3782 attached [pid 3782] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3782] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3782] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 93.311226][ T3779] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 93.318819][ T3779] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 93.328419][ T3779] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 93.336064][ T3779] gfs2: fsid=syz:syz.0: File system withdrawn [ 93.342581][ T3779] CPU: 0 PID: 3779 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 93.352983][ T3779] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 93.363024][ T3779] Call Trace: [ 93.366290][ T3779] [ 93.369208][ T3779] dump_stack_lvl+0x1b1/0x28e [ 93.373873][ T3779] ? nf_tcp_handle_invalid+0x62e/0x62e [ 93.379315][ T3779] ? panic+0x710/0x710 [ 93.383368][ T3779] ? kobject_uevent_env+0x46b/0x8e0 [ 93.388548][ T3779] ? do_raw_spin_unlock+0x134/0x8a0 [ 93.393734][ T3779] gfs2_withdraw+0xf33/0x1540 [ 93.398430][ T3779] ? gfs2_lm+0x220/0x220 [ 93.402659][ T3779] ? gfs2_dirent_scan+0xb6/0x650 [ 93.407594][ T3779] ? panic+0x710/0x710 [ 93.411652][ T3779] ? gfs2_permission+0x2ff/0x430 [ 93.416588][ T3779] ? gfs2_consist_inode_i+0xf3/0x110 [ 93.421872][ T3779] gfs2_dirent_scan+0x535/0x650 [ 93.426723][ T3779] ? gfs2_dirent_search+0xb10/0xb10 [ 93.431919][ T3779] gfs2_dirent_search+0x2ea/0xb10 [ 93.436963][ T3779] ? gfs2_dirent_search+0xb10/0xb10 [ 93.442188][ T3779] ? gfs2_dir_search+0x2a0/0x2a0 [ 93.447140][ T3779] ? gfs2_permission+0x3bf/0x430 [ 93.452085][ T3779] gfs2_dir_search+0x8c/0x2a0 [ 93.456764][ T3779] ? do_filldir_main+0x530/0x530 [ 93.461694][ T3779] ? inode_go_held+0xe4/0x1f0 [ 93.466368][ T3779] ? gfs2_glock_wait+0x213/0x2a0 [ 93.471296][ T3779] gfs2_lookupi+0x465/0x650 [ 93.475815][ T3779] ? gfs2_lookup_simple+0x170/0x170 [ 93.481007][ T3779] ? __gfs2_lookup+0x8c/0x260 [ 93.485683][ T3779] __gfs2_lookup+0x8c/0x260 [ 93.490180][ T3779] ? gfs2_atomic_open+0x230/0x230 [ 93.495201][ T3779] ? __d_lookup+0x6a4/0x770 [ 93.499714][ T3779] ? d_hash_and_lookup+0x1c0/0x1c0 [ 93.504839][ T3779] gfs2_atomic_open+0xa4/0x230 [ 93.509613][ T3779] path_openat+0xf39/0x2df0 [ 93.514187][ T3779] ? gfs2_rename2+0x3000/0x3000 [ 93.519052][ T3779] ? do_filp_open+0x4f0/0x4f0 [ 93.523744][ T3779] do_filp_open+0x264/0x4f0 [ 93.528238][ T3779] ? vfs_tmpfile+0x490/0x490 [ 93.532830][ T3779] ? do_raw_spin_unlock+0x134/0x8a0 [ 93.538025][ T3779] ? _raw_spin_unlock+0x24/0x40 [ 93.542869][ T3779] ? alloc_fd+0x5a7/0x640 [ 93.547200][ T3779] do_sys_openat2+0x124/0x4e0 [ 93.551938][ T3779] ? print_irqtrace_events+0x220/0x220 [ 93.557386][ T3779] ? ptrace_stop+0x74d/0x970 [ 93.561969][ T3779] ? do_sys_open+0x220/0x220 [ 93.566568][ T3779] ? lockdep_hardirqs_on+0x8d/0x130 [ 93.571764][ T3779] ? _raw_spin_unlock_irq+0x2a/0x40 [ 93.576958][ T3779] ? ptrace_notify+0x245/0x340 [ 93.581801][ T3779] __x64_sys_openat+0x243/0x290 [ 93.586645][ T3779] ? __ia32_sys_open+0x270/0x270 [ 93.591587][ T3779] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 93.597591][ T3779] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 93.603590][ T3779] do_syscall_64+0x3d/0xb0 [ 93.608030][ T3779] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 93.613924][ T3779] RIP: 0033:0x7fc8868064d9 [ 93.618333][ T3779] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 93.637961][ T3779] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 93.646376][ T3779] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 93.654337][ T3779] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3782] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3779] <... openat resumed>) = -1 EIO (Input/output error) [pid 3779] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3779] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3778] exit_group(0) = ? [pid 3782] <... futex resumed>) = ? [pid 3779] <... futex resumed>) = ? [pid 3782] +++ exited with 0 +++ [pid 3779] +++ exited with 0 +++ [pid 3778] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3778, si_uid=0, si_status=0, si_utime=1, si_stime=29} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./48", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./48", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./48/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./48/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./48/binderfs") = 0 [ 93.662303][ T3779] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 93.670265][ T3779] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 93.678240][ T3779] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 93.686219][ T3779] umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./48/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./48/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./48/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./48") = 0 mkdir("./49", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3784 ./strace-static-x86_64: Process 3784 attached [pid 3784] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3784] chdir("./49") = 0 [pid 3784] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3784] setpgid(0, 0) = 0 [pid 3784] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3784] write(3, "1000", 4) = 4 [pid 3784] close(3) = 0 [pid 3784] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3784] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3784] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3784] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3784] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3785], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3785 [pid 3784] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3785 attached [pid 3784] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3785] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3785] memfd_create("syzkaller", 0) = 3 [pid 3785] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3785] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3785] munmap(0x7fc87e392000, 16777216) = 0 [pid 3785] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3785] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3785] close(3) = 0 [pid 3785] mkdir("./file0", 0777) = 0 [ 94.010865][ T3785] loop0: detected capacity change from 0 to 32768 [ 94.020365][ T3785] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 94.028559][ T3785] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 94.037850][ T3785] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 94.046615][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 94.053510][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3785] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3785] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3785] chdir("./file0") = 0 [pid 3785] ioctl(4, LOOP_CLR_FD) = 0 [pid 3785] close(4) = 0 [pid 3785] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3784] <... futex resumed>) = 0 [pid 3784] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3784] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3785] <... futex resumed>) = 1 [pid 3785] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3785] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3784] <... futex resumed>) = 0 [pid 3784] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3784] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3785] <... futex resumed>) = 1 [ 94.092816][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 94.100358][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 94.105616][ T3785] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 94.125018][ T3785] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 94.133498][ T3785] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3785] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3784] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3784] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 94.133498][ T3785] inode = 12 2341 [ 94.133498][ T3785] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 94.152778][ T3785] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 94.162309][ T3785] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3785 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 94.173020][ T3785] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 94.182008][ T3785] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3784] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3784] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3784] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3787], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3787 [pid 3784] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3787 attached [pid 3787] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 94.189311][ T3785] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 94.198749][ T3785] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 94.205714][ T3785] gfs2: fsid=syz:syz.0: File system withdrawn [ 94.212173][ T3785] CPU: 0 PID: 3785 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 94.222599][ T3785] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 94.232656][ T3785] Call Trace: [ 94.235950][ T3785] [ 94.238985][ T3785] dump_stack_lvl+0x1b1/0x28e [ 94.243767][ T3785] ? nf_tcp_handle_invalid+0x62e/0x62e [ 94.250090][ T3785] ? panic+0x710/0x710 [ 94.254174][ T3785] ? kobject_uevent_env+0x46b/0x8e0 [ 94.259380][ T3785] ? do_raw_spin_unlock+0x134/0x8a0 [ 94.264570][ T3785] gfs2_withdraw+0xf33/0x1540 [ 94.269248][ T3785] ? gfs2_lm+0x220/0x220 [ 94.273533][ T3785] ? gfs2_dirent_scan+0xb6/0x650 [ 94.278466][ T3785] ? panic+0x710/0x710 [ 94.282540][ T3785] ? gfs2_permission+0x2ff/0x430 [ 94.287504][ T3785] ? gfs2_consist_inode_i+0xf3/0x110 [ 94.292778][ T3785] gfs2_dirent_scan+0x535/0x650 [ 94.297640][ T3785] ? gfs2_dirent_search+0xb10/0xb10 [ 94.302829][ T3785] gfs2_dirent_search+0x2ea/0xb10 [ 94.307933][ T3785] ? gfs2_dirent_search+0xb10/0xb10 [ 94.313311][ T3785] ? gfs2_dir_search+0x2a0/0x2a0 [ 94.318254][ T3785] ? gfs2_permission+0x3bf/0x430 [ 94.323196][ T3785] gfs2_dir_search+0x8c/0x2a0 [ 94.327874][ T3785] ? do_filldir_main+0x530/0x530 [ 94.332805][ T3785] ? inode_go_held+0xe4/0x1f0 [ 94.337478][ T3785] ? gfs2_glock_wait+0x213/0x2a0 [ 94.342412][ T3785] gfs2_lookupi+0x465/0x650 [ 94.346916][ T3785] ? gfs2_lookup_simple+0x170/0x170 [ 94.352110][ T3785] ? __gfs2_lookup+0x8c/0x260 [ 94.356788][ T3785] __gfs2_lookup+0x8c/0x260 [ 94.361291][ T3785] ? gfs2_atomic_open+0x230/0x230 [ 94.366312][ T3785] ? __d_lookup+0x6a4/0x770 [ 94.370809][ T3785] ? d_hash_and_lookup+0x1c0/0x1c0 [ 94.375913][ T3785] gfs2_atomic_open+0xa4/0x230 [ 94.380676][ T3785] path_openat+0xf39/0x2df0 [ 94.385872][ T3785] ? gfs2_rename2+0x3000/0x3000 [ 94.390729][ T3785] ? do_filp_open+0x4f0/0x4f0 [ 94.395412][ T3785] do_filp_open+0x264/0x4f0 [ 94.399905][ T3785] ? vfs_tmpfile+0x490/0x490 [ 94.404494][ T3785] ? do_raw_spin_unlock+0x134/0x8a0 [ 94.409692][ T3785] ? _raw_spin_unlock+0x24/0x40 [ 94.414544][ T3785] ? alloc_fd+0x5a7/0x640 [ 94.418874][ T3785] do_sys_openat2+0x124/0x4e0 [ 94.423553][ T3785] ? print_irqtrace_events+0x220/0x220 [ 94.429005][ T3785] ? ptrace_stop+0x74d/0x970 [ 94.433588][ T3785] ? do_sys_open+0x220/0x220 [ 94.438171][ T3785] ? lockdep_hardirqs_on+0x8d/0x130 [ 94.443369][ T3785] ? _raw_spin_unlock_irq+0x2a/0x40 [ 94.448562][ T3785] ? ptrace_notify+0x245/0x340 [ 94.453319][ T3785] __x64_sys_openat+0x243/0x290 [ 94.458252][ T3785] ? __ia32_sys_open+0x270/0x270 [ 94.463185][ T3785] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 94.469163][ T3785] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 94.475146][ T3785] do_syscall_64+0x3d/0xb0 [ 94.479558][ T3785] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 94.485442][ T3785] RIP: 0033:0x7fc8868064d9 [ 94.489845][ T3785] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 94.509441][ T3785] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 94.517845][ T3785] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 94.525812][ T3785] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 94.533862][ T3785] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3787] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3787] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3787] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3785] <... openat resumed>) = -1 EIO (Input/output error) [pid 3785] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3784] exit_group(0) = ? [pid 3787] <... futex resumed>) = ? [pid 3785] <... futex resumed>) = ? [pid 3787] +++ exited with 0 +++ [pid 3785] +++ exited with 0 +++ [pid 3784] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3784, si_uid=0, si_status=0, si_utime=1, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./49", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./49", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./49/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./49/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./49/binderfs") = 0 [ 94.541821][ T3785] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 94.550390][ T3785] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 94.558365][ T3785] umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./49/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./49/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./49/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./49") = 0 mkdir("./50", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3788 ./strace-static-x86_64: Process 3788 attached [pid 3788] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3788] chdir("./50") = 0 [pid 3788] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3788] setpgid(0, 0) = 0 [pid 3788] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3788] write(3, "1000", 4) = 4 [pid 3788] close(3) = 0 [pid 3788] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3788] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3788] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3788] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3788] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3789], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3789 [pid 3788] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3788] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3789 attached [pid 3789] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3789] memfd_create("syzkaller", 0) = 3 [pid 3789] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3789] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3789] munmap(0x7fc87e392000, 16777216) = 0 [pid 3789] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3789] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3789] close(3) = 0 [pid 3789] mkdir("./file0", 0777) = 0 [ 94.869037][ T3789] loop0: detected capacity change from 0 to 32768 [ 94.878960][ T3789] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 94.887654][ T3789] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 94.897860][ T3789] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 94.906963][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 94.914129][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3789] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3789] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3789] chdir("./file0") = 0 [pid 3789] ioctl(4, LOOP_CLR_FD) = 0 [pid 3789] close(4) = 0 [pid 3789] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3788] <... futex resumed>) = 0 [pid 3788] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3788] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3789] <... futex resumed>) = 1 [pid 3789] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3789] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3788] <... futex resumed>) = 0 [pid 3788] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3788] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3789] <... futex resumed>) = 1 [ 94.947354][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 94.954921][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 94.960507][ T3789] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 94.985614][ T3789] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3789] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3788] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3788] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3788] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3788] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3788] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3790], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3790 [pid 3788] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3790 attached [pid 3790] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3790] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3790] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 94.994457][ T3789] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 94.994457][ T3789] inode = 12 2341 [ 94.994457][ T3789] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 95.013707][ T3789] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 95.022974][ T3789] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3789 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 95.033475][ T3789] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 95.042073][ T3789] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 95.049450][ T3789] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 95.058451][ T3789] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 95.065273][ T3789] gfs2: fsid=syz:syz.0: File system withdrawn [ 95.071819][ T3789] CPU: 0 PID: 3789 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 95.082228][ T3789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 95.092274][ T3789] Call Trace: [ 95.095542][ T3789] [ 95.098458][ T3789] dump_stack_lvl+0x1b1/0x28e [ 95.103123][ T3789] ? nf_tcp_handle_invalid+0x62e/0x62e [ 95.108563][ T3789] ? panic+0x710/0x710 [ 95.112617][ T3789] ? kobject_uevent_env+0x46b/0x8e0 [ 95.117905][ T3789] ? do_raw_spin_unlock+0x134/0x8a0 [ 95.123123][ T3789] gfs2_withdraw+0xf33/0x1540 [ 95.127819][ T3789] ? gfs2_lm+0x220/0x220 [ 95.132044][ T3789] ? gfs2_dirent_scan+0xb6/0x650 [ 95.136970][ T3789] ? panic+0x710/0x710 [ 95.141196][ T3789] ? gfs2_permission+0x2ff/0x430 [ 95.146126][ T3789] ? gfs2_consist_inode_i+0xf3/0x110 [ 95.151398][ T3789] gfs2_dirent_scan+0x535/0x650 [ 95.156240][ T3789] ? gfs2_dirent_search+0xb10/0xb10 [ 95.161426][ T3789] gfs2_dirent_search+0x2ea/0xb10 [ 95.166437][ T3789] ? gfs2_dirent_search+0xb10/0xb10 [ 95.171622][ T3789] ? gfs2_dir_search+0x2a0/0x2a0 [ 95.177934][ T3789] ? gfs2_permission+0x3bf/0x430 [ 95.182884][ T3789] gfs2_dir_search+0x8c/0x2a0 [ 95.187550][ T3789] ? do_filldir_main+0x530/0x530 [ 95.192474][ T3789] ? inode_go_held+0xe4/0x1f0 [ 95.197138][ T3789] ? gfs2_glock_wait+0x213/0x2a0 [ 95.202059][ T3789] gfs2_lookupi+0x465/0x650 [ 95.206553][ T3789] ? gfs2_lookup_simple+0x170/0x170 [ 95.211739][ T3789] ? __gfs2_lookup+0x8c/0x260 [ 95.216405][ T3789] __gfs2_lookup+0x8c/0x260 [ 95.220892][ T3789] ? gfs2_atomic_open+0x230/0x230 [ 95.225903][ T3789] ? __d_lookup+0x6a4/0x770 [ 95.230390][ T3789] ? d_hash_and_lookup+0x1c0/0x1c0 [ 95.235485][ T3789] gfs2_atomic_open+0xa4/0x230 [ 95.240234][ T3789] path_openat+0xf39/0x2df0 [ 95.244723][ T3789] ? gfs2_rename2+0x3000/0x3000 [ 95.249575][ T3789] ? do_filp_open+0x4f0/0x4f0 [ 95.254246][ T3789] do_filp_open+0x264/0x4f0 [ 95.258740][ T3789] ? vfs_tmpfile+0x490/0x490 [ 95.263406][ T3789] ? do_raw_spin_unlock+0x134/0x8a0 [ 95.268625][ T3789] ? _raw_spin_unlock+0x24/0x40 [ 95.273464][ T3789] ? alloc_fd+0x5a7/0x640 [ 95.277785][ T3789] do_sys_openat2+0x124/0x4e0 [ 95.282452][ T3789] ? print_irqtrace_events+0x220/0x220 [ 95.287891][ T3789] ? ptrace_stop+0x74d/0x970 [ 95.292551][ T3789] ? do_sys_open+0x220/0x220 [ 95.297126][ T3789] ? lockdep_hardirqs_on+0x8d/0x130 [ 95.302305][ T3789] ? _raw_spin_unlock_irq+0x2a/0x40 [ 95.307487][ T3789] ? ptrace_notify+0x245/0x340 [ 95.312231][ T3789] __x64_sys_openat+0x243/0x290 [ 95.317067][ T3789] ? __ia32_sys_open+0x270/0x270 [ 95.321989][ T3789] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 95.327955][ T3789] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 95.333925][ T3789] do_syscall_64+0x3d/0xb0 [ 95.338330][ T3789] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 95.344209][ T3789] RIP: 0033:0x7fc8868064d9 [ 95.348606][ T3789] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 95.368280][ T3789] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 95.376697][ T3789] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 95.384654][ T3789] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3790] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3789] <... openat resumed>) = -1 EIO (Input/output error) [pid 3789] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3789] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3788] exit_group(0) = ? [pid 3790] <... futex resumed>) = ? [pid 3790] +++ exited with 0 +++ [pid 3789] <... futex resumed>) = ? [pid 3789] +++ exited with 0 +++ [pid 3788] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3788, si_uid=0, si_status=0, si_utime=1, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./50", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./50", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./50/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./50/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./50/binderfs") = 0 [ 95.392609][ T3789] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 95.400563][ T3789] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 95.408514][ T3789] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 95.417186][ T3789] umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./50/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./50/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./50/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./50") = 0 mkdir("./51", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3792 ./strace-static-x86_64: Process 3792 attached [pid 3792] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3792] chdir("./51") = 0 [pid 3792] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3792] setpgid(0, 0) = 0 [pid 3792] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3792] write(3, "1000", 4) = 4 [pid 3792] close(3) = 0 [pid 3792] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3792] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3792] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3792] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3792] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3793], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3793 [pid 3792] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3792] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3793 attached [pid 3793] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3793] memfd_create("syzkaller", 0) = 3 [pid 3793] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3793] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3793] munmap(0x7fc87e392000, 16777216) = 0 [pid 3793] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3793] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3793] close(3) = 0 [pid 3793] mkdir("./file0", 0777) = 0 [ 95.712116][ T3793] loop0: detected capacity change from 0 to 32768 [ 95.723306][ T3793] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 95.731931][ T3793] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 95.741909][ T3793] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 95.750627][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 95.758546][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3793] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3793] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3793] chdir("./file0") = 0 [pid 3793] ioctl(4, LOOP_CLR_FD) = 0 [pid 3793] close(4) = 0 [pid 3793] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3792] <... futex resumed>) = 0 [pid 3792] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3793] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3793] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3793] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3792] <... futex resumed>) = 1 [pid 3792] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 3792] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3792] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3793] <... futex resumed>) = 0 [ 95.791539][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 95.800499][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 95.805723][ T3793] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3793] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3792] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3792] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3792] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3792] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3792] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3794], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3794 [pid 3792] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 95.841654][ T3793] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 95.850435][ T3793] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 95.850435][ T3793] inode = 12 2341 [ 95.850435][ T3793] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 95.869543][ T3793] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 95.878821][ T3793] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3793 [syz-executor337] __gfs2_lookup+0x8c/0x260 ./strace-static-x86_64: Process 3794 attached [pid 3794] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3794] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3794] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 95.889196][ T3793] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 95.898057][ T3793] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 95.905625][ T3793] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 95.914643][ T3793] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 95.922856][ T3793] gfs2: fsid=syz:syz.0: File system withdrawn [ 95.928928][ T3793] CPU: 0 PID: 3793 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 95.939427][ T3793] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 95.949557][ T3793] Call Trace: [ 95.952853][ T3793] [ 95.955877][ T3793] dump_stack_lvl+0x1b1/0x28e [ 95.960581][ T3793] ? nf_tcp_handle_invalid+0x62e/0x62e [ 95.966234][ T3793] ? panic+0x710/0x710 [ 95.970300][ T3793] ? kobject_uevent_env+0x46b/0x8e0 [ 95.975580][ T3793] ? do_raw_spin_unlock+0x134/0x8a0 [ 95.980795][ T3793] gfs2_withdraw+0xf33/0x1540 [ 95.985497][ T3793] ? gfs2_lm+0x220/0x220 [pid 3794] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3792] exit_group(0 [pid 3794] <... futex resumed>) = ? [pid 3792] <... exit_group resumed>) = ? [pid 3794] +++ exited with 0 +++ [ 95.989728][ T3793] ? gfs2_dirent_scan+0xb6/0x650 [ 95.994671][ T3793] ? panic+0x710/0x710 [ 95.998751][ T3793] ? gfs2_permission+0x2ff/0x430 [ 96.003703][ T3793] ? gfs2_consist_inode_i+0xf3/0x110 [ 96.008990][ T3793] gfs2_dirent_scan+0x535/0x650 [ 96.013848][ T3793] ? gfs2_dirent_search+0xb10/0xb10 [ 96.019042][ T3793] gfs2_dirent_search+0x2ea/0xb10 [ 96.024075][ T3793] ? gfs2_dirent_search+0xb10/0xb10 [ 96.029313][ T3793] ? gfs2_dir_search+0x2a0/0x2a0 [ 96.034276][ T3793] ? gfs2_permission+0x3bf/0x430 [ 96.039305][ T3793] gfs2_dir_search+0x8c/0x2a0 [ 96.043981][ T3793] ? do_filldir_main+0x530/0x530 [ 96.048910][ T3793] ? inode_go_held+0xe4/0x1f0 [ 96.053582][ T3793] ? gfs2_glock_wait+0x213/0x2a0 [ 96.058513][ T3793] gfs2_lookupi+0x465/0x650 [ 96.063013][ T3793] ? gfs2_lookup_simple+0x170/0x170 [ 96.068204][ T3793] ? __gfs2_lookup+0x8c/0x260 [ 96.072878][ T3793] __gfs2_lookup+0x8c/0x260 [ 96.077374][ T3793] ? gfs2_atomic_open+0x230/0x230 [ 96.082393][ T3793] ? __d_lookup+0x6a4/0x770 [ 96.086885][ T3793] ? d_hash_and_lookup+0x1c0/0x1c0 [ 96.091984][ T3793] gfs2_atomic_open+0xa4/0x230 [ 96.096742][ T3793] path_openat+0xf39/0x2df0 [ 96.101241][ T3793] ? gfs2_rename2+0x3000/0x3000 [ 96.106100][ T3793] ? do_filp_open+0x4f0/0x4f0 [ 96.110780][ T3793] do_filp_open+0x264/0x4f0 [ 96.115273][ T3793] ? vfs_tmpfile+0x490/0x490 [ 96.119867][ T3793] ? do_raw_spin_unlock+0x134/0x8a0 [ 96.125061][ T3793] ? _raw_spin_unlock+0x24/0x40 [ 96.129907][ T3793] ? alloc_fd+0x5a7/0x640 [ 96.134241][ T3793] do_sys_openat2+0x124/0x4e0 [ 96.138908][ T3793] ? print_irqtrace_events+0x220/0x220 [ 96.144377][ T3793] ? ptrace_stop+0x74d/0x970 [ 96.148961][ T3793] ? do_sys_open+0x220/0x220 [ 96.153541][ T3793] ? lockdep_hardirqs_on+0x8d/0x130 [ 96.158732][ T3793] ? _raw_spin_unlock_irq+0x2a/0x40 [ 96.163924][ T3793] ? ptrace_notify+0x245/0x340 [ 96.168676][ T3793] __x64_sys_openat+0x243/0x290 [ 96.173519][ T3793] ? __ia32_sys_open+0x270/0x270 [ 96.178449][ T3793] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 96.184424][ T3793] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 96.190398][ T3793] do_syscall_64+0x3d/0xb0 [ 96.194805][ T3793] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 96.200684][ T3793] RIP: 0033:0x7fc8868064d9 [ 96.205176][ T3793] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 96.224770][ T3793] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 96.233170][ T3793] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3793] <... openat resumed>) = ? [pid 3793] +++ exited with 0 +++ [pid 3792] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3792, si_uid=0, si_status=0, si_utime=3, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./51", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./51", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./51/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./51/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./51/binderfs") = 0 [ 96.241150][ T3793] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 96.249107][ T3793] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 96.257072][ T3793] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 96.265028][ T3793] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 96.272998][ T3793] umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./51/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./51/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./51/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./51") = 0 mkdir("./52", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3795 ./strace-static-x86_64: Process 3795 attached [pid 3795] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3795] chdir("./52") = 0 [pid 3795] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3795] setpgid(0, 0) = 0 [pid 3795] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3795] write(3, "1000", 4) = 4 [pid 3795] close(3) = 0 [pid 3795] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3795] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3795] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3795] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3795] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3796 attached , parent_tid=[3796], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3796 [pid 3796] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3796] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3795] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3796] <... futex resumed>) = 0 [pid 3795] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3796] memfd_create("syzkaller", 0) = 3 [pid 3796] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3796] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3796] munmap(0x7fc87e392000, 16777216) = 0 [pid 3796] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3796] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3796] close(3) = 0 [pid 3796] mkdir("./file0", 0777) = 0 [ 96.576584][ T3796] loop0: detected capacity change from 0 to 32768 [ 96.588502][ T3796] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 96.597093][ T3796] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 96.607439][ T3796] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 96.616427][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 96.623673][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3796] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3796] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3796] chdir("./file0") = 0 [pid 3796] ioctl(4, LOOP_CLR_FD) = 0 [pid 3796] close(4) = 0 [pid 3796] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3795] <... futex resumed>) = 0 [pid 3795] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3795] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3796] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3796] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3795] <... futex resumed>) = 0 [pid 3795] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3795] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 96.662224][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 96.671574][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 96.676832][ T3796] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 96.695935][ T3796] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 96.705044][ T3796] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3796] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3795] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3795] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3795] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3795] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3795] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3797], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3797 [pid 3795] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3797 attached [pid 3797] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 96.705044][ T3796] inode = 12 2341 [ 96.705044][ T3796] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 96.724347][ T3796] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 96.733750][ T3796] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3796 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 96.744344][ T3796] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 96.751641][ T3797] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 96.753469][ T3796] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 96.761688][ T3797] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 96.768599][ T3796] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 96.777970][ T3797] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3796 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 96.786669][ T3796] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 96.796867][ T3797] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3797 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 96.803152][ T3796] gfs2: fsid=syz:syz.0: File system withdrawn [ 96.813019][ T3797] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 96.820418][ T3796] CPU: 1 PID: 3796 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 96.837830][ T3796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 96.847888][ T3796] Call Trace: [ 96.851162][ T3796] [ 96.854085][ T3796] dump_stack_lvl+0x1b1/0x28e [ 96.858760][ T3796] ? nf_tcp_handle_invalid+0x62e/0x62e [ 96.864221][ T3796] ? panic+0x710/0x710 [ 96.868288][ T3796] ? kobject_uevent_env+0x46b/0x8e0 [ 96.873482][ T3796] ? do_raw_spin_unlock+0x134/0x8a0 [ 96.878681][ T3796] gfs2_withdraw+0xf33/0x1540 [ 96.883365][ T3796] ? gfs2_lm+0x220/0x220 [ 96.887598][ T3796] ? gfs2_dirent_scan+0xb6/0x650 [ 96.892529][ T3796] ? panic+0x710/0x710 [ 96.896585][ T3796] ? gfs2_permission+0x2ff/0x430 [ 96.901517][ T3796] ? gfs2_consist_inode_i+0xf3/0x110 [ 96.906798][ T3796] gfs2_dirent_scan+0x535/0x650 [ 96.911644][ T3796] ? gfs2_dirent_search+0xb10/0xb10 [ 96.916841][ T3796] gfs2_dirent_search+0x2ea/0xb10 [ 96.921860][ T3796] ? gfs2_dirent_search+0xb10/0xb10 [ 96.927313][ T3796] ? gfs2_dir_search+0x2a0/0x2a0 [ 96.932242][ T3796] ? gfs2_permission+0x3bf/0x430 [ 96.937176][ T3796] gfs2_dir_search+0x8c/0x2a0 [ 96.941850][ T3796] ? do_filldir_main+0x530/0x530 [ 96.946780][ T3796] ? inode_go_held+0xe4/0x1f0 [ 96.951457][ T3796] ? gfs2_glock_wait+0x213/0x2a0 [ 96.956389][ T3796] gfs2_lookupi+0x465/0x650 [ 96.960889][ T3796] ? gfs2_lookup_simple+0x170/0x170 [ 96.966085][ T3796] ? __gfs2_lookup+0x8c/0x260 [ 96.970849][ T3796] __gfs2_lookup+0x8c/0x260 [ 96.975355][ T3796] ? gfs2_atomic_open+0x230/0x230 [ 96.980379][ T3796] ? __d_lookup+0x6a4/0x770 [ 96.984875][ T3796] ? d_hash_and_lookup+0x1c0/0x1c0 [ 96.989980][ T3796] gfs2_atomic_open+0xa4/0x230 [ 96.994752][ T3796] path_openat+0xf39/0x2df0 [ 96.999252][ T3796] ? gfs2_rename2+0x3000/0x3000 [ 97.004198][ T3796] ? do_filp_open+0x4f0/0x4f0 [ 97.008967][ T3796] do_filp_open+0x264/0x4f0 [ 97.013466][ T3796] ? vfs_tmpfile+0x490/0x490 [ 97.018080][ T3796] ? do_raw_spin_unlock+0x134/0x8a0 [ 97.023277][ T3796] ? _raw_spin_unlock+0x24/0x40 [ 97.028121][ T3796] ? alloc_fd+0x5a7/0x640 [ 97.032461][ T3796] do_sys_openat2+0x124/0x4e0 [ 97.037216][ T3796] ? print_irqtrace_events+0x220/0x220 [ 97.042669][ T3796] ? ptrace_stop+0x74d/0x970 [ 97.047252][ T3796] ? do_sys_open+0x220/0x220 [ 97.051839][ T3796] ? lockdep_hardirqs_on+0x8d/0x130 [ 97.057029][ T3796] ? _raw_spin_unlock_irq+0x2a/0x40 [ 97.062221][ T3796] ? ptrace_notify+0x245/0x340 [ 97.066978][ T3796] __x64_sys_openat+0x243/0x290 [ 97.071831][ T3796] ? __ia32_sys_open+0x270/0x270 [ 97.076763][ T3796] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 97.082735][ T3796] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 97.088709][ T3796] do_syscall_64+0x3d/0xb0 [ 97.093116][ T3796] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 97.098997][ T3796] RIP: 0033:0x7fc8868064d9 [ 97.103428][ T3796] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 97.123117][ T3796] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 97.131521][ T3796] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 97.139485][ T3796] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 97.147460][ T3796] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 97.155420][ T3796] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3797] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3797] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3797] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3796] <... openat resumed>) = -1 EIO (Input/output error) [pid 3796] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3796] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3795] exit_group(0) = ? [pid 3797] <... futex resumed>) = ? [pid 3797] +++ exited with 0 +++ [pid 3796] <... futex resumed>) = ? [pid 3796] +++ exited with 0 +++ [pid 3795] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3795, si_uid=0, si_status=0, si_utime=0, si_stime=44} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./52", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./52", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./52/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./52/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./52/binderfs") = 0 [ 97.163384][ T3796] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 97.171456][ T3796] umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./52/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./52/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./52/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./52") = 0 mkdir("./53", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3798 ./strace-static-x86_64: Process 3798 attached [pid 3798] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3798] chdir("./53") = 0 [pid 3798] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3798] setpgid(0, 0) = 0 [pid 3798] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3798] write(3, "1000", 4) = 4 [pid 3798] close(3) = 0 [pid 3798] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3798] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3798] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3798] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3798] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3799 attached , parent_tid=[3799], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3799 [pid 3798] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3798] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3799] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3799] memfd_create("syzkaller", 0) = 3 [pid 3799] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3799] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3799] munmap(0x7fc87e392000, 16777216) = 0 [pid 3799] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3799] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3799] close(3) = 0 [pid 3799] mkdir("./file0", 0777) = 0 [ 97.474323][ T3799] loop0: detected capacity change from 0 to 32768 [ 97.484427][ T3799] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 97.492689][ T3799] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 97.501601][ T3799] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 97.509986][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 97.517003][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3799] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3799] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3799] chdir("./file0") = 0 [pid 3799] ioctl(4, LOOP_CLR_FD) = 0 [pid 3799] close(4) = 0 [pid 3799] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3798] <... futex resumed>) = 0 [pid 3798] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3798] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3799] <... futex resumed>) = 1 [pid 3799] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3799] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3798] <... futex resumed>) = 0 [pid 3798] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3798] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3799] <... futex resumed>) = 1 [ 97.552962][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 97.560599][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 97.565834][ T3799] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 97.581704][ T3799] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 97.590574][ T3799] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 97.590574][ T3799] inode = 12 2341 [pid 3799] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3798] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3798] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3798] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3798] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3798] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3800], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3800 [pid 3798] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3800 attached [ 97.590574][ T3799] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 97.609700][ T3799] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 97.619069][ T3799] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3799 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 97.629612][ T3799] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 97.641130][ T3799] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3800] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3800] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3800] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 97.648521][ T3799] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 97.657855][ T3799] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 97.665790][ T3799] gfs2: fsid=syz:syz.0: File system withdrawn [ 97.672294][ T3799] CPU: 1 PID: 3799 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 97.682740][ T3799] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 97.692816][ T3799] Call Trace: [ 97.696104][ T3799] [ 97.699025][ T3799] dump_stack_lvl+0x1b1/0x28e [ 97.703709][ T3799] ? nf_tcp_handle_invalid+0x62e/0x62e [ 97.709176][ T3799] ? panic+0x710/0x710 [ 97.713325][ T3799] ? kobject_uevent_env+0x46b/0x8e0 [ 97.718529][ T3799] ? do_raw_spin_unlock+0x134/0x8a0 [ 97.723838][ T3799] gfs2_withdraw+0xf33/0x1540 [ 97.728539][ T3799] ? gfs2_lm+0x220/0x220 [ 97.732800][ T3799] ? gfs2_dirent_scan+0xb6/0x650 [ 97.737762][ T3799] ? panic+0x710/0x710 [ 97.741855][ T3799] ? gfs2_permission+0x2ff/0x430 [ 97.746823][ T3799] ? gfs2_consist_inode_i+0xf3/0x110 [ 97.752101][ T3799] gfs2_dirent_scan+0x535/0x650 [ 97.756949][ T3799] ? gfs2_dirent_search+0xb10/0xb10 [ 97.762148][ T3799] gfs2_dirent_search+0x2ea/0xb10 [ 97.767178][ T3799] ? gfs2_dirent_search+0xb10/0xb10 [ 97.772379][ T3799] ? gfs2_dir_search+0x2a0/0x2a0 [ 97.777309][ T3799] ? gfs2_permission+0x3bf/0x430 [ 97.782247][ T3799] gfs2_dir_search+0x8c/0x2a0 [ 97.786923][ T3799] ? do_filldir_main+0x530/0x530 [ 97.791860][ T3799] ? inode_go_held+0xe4/0x1f0 [ 97.796531][ T3799] ? gfs2_glock_wait+0x213/0x2a0 [ 97.801469][ T3799] gfs2_lookupi+0x465/0x650 [ 97.805972][ T3799] ? gfs2_lookup_simple+0x170/0x170 [ 97.811168][ T3799] ? __gfs2_lookup+0x8c/0x260 [ 97.815845][ T3799] __gfs2_lookup+0x8c/0x260 [ 97.820343][ T3799] ? gfs2_atomic_open+0x230/0x230 [ 97.825368][ T3799] ? __d_lookup+0x6a4/0x770 [ 97.829861][ T3799] ? d_hash_and_lookup+0x1c0/0x1c0 [ 97.834964][ T3799] gfs2_atomic_open+0xa4/0x230 [ 97.839725][ T3799] path_openat+0xf39/0x2df0 [ 97.844245][ T3799] ? gfs2_rename2+0x3000/0x3000 [ 97.849103][ T3799] ? do_filp_open+0x4f0/0x4f0 [ 97.853863][ T3799] do_filp_open+0x264/0x4f0 [ 97.858359][ T3799] ? vfs_tmpfile+0x490/0x490 [ 97.862946][ T3799] ? do_raw_spin_unlock+0x134/0x8a0 [ 97.868143][ T3799] ? _raw_spin_unlock+0x24/0x40 [ 97.872988][ T3799] ? alloc_fd+0x5a7/0x640 [ 97.877317][ T3799] do_sys_openat2+0x124/0x4e0 [ 97.882106][ T3799] ? print_irqtrace_events+0x220/0x220 [ 97.887651][ T3799] ? ptrace_stop+0x74d/0x970 [ 97.892235][ T3799] ? do_sys_open+0x220/0x220 [ 97.896822][ T3799] ? lockdep_hardirqs_on+0x8d/0x130 [ 97.902026][ T3799] ? _raw_spin_unlock_irq+0x2a/0x40 [ 97.907305][ T3799] ? ptrace_notify+0x245/0x340 [ 97.912058][ T3799] __x64_sys_openat+0x243/0x290 [ 97.917025][ T3799] ? __ia32_sys_open+0x270/0x270 [ 97.921959][ T3799] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 97.927935][ T3799] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 97.933912][ T3799] do_syscall_64+0x3d/0xb0 [ 97.938320][ T3799] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 97.944202][ T3799] RIP: 0033:0x7fc8868064d9 [ 97.948608][ T3799] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 97.968203][ T3799] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 97.976617][ T3799] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 97.984599][ T3799] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 97.992581][ T3799] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3800] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3799] <... openat resumed>) = -1 EIO (Input/output error) [pid 3799] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3799] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3798] exit_group(0 [pid 3799] <... futex resumed>) = ? [pid 3799] +++ exited with 0 +++ [pid 3800] <... futex resumed>) = ? [pid 3798] <... exit_group resumed>) = ? [pid 3800] +++ exited with 0 +++ [pid 3798] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3798, si_uid=0, si_status=0, si_utime=1, si_stime=31} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./53", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./53", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./53/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./53/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./53/binderfs") = 0 [ 98.000548][ T3799] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 98.008511][ T3799] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 98.016575][ T3799] umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./53/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./53/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./53/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./53") = 0 mkdir("./54", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3801 ./strace-static-x86_64: Process 3801 attached [pid 3801] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3801] chdir("./54") = 0 [pid 3801] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3801] setpgid(0, 0) = 0 [pid 3801] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3801] write(3, "1000", 4) = 4 [pid 3801] close(3) = 0 [pid 3801] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3801] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3801] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3801] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3801] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3802 attached , parent_tid=[3802], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3802 [pid 3801] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3802] set_robust_list(0x7fc8867b29e0, 24 [pid 3801] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3802] <... set_robust_list resumed>) = 0 [pid 3802] memfd_create("syzkaller", 0) = 3 [pid 3802] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3802] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3802] munmap(0x7fc87e392000, 16777216) = 0 [pid 3802] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3802] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3802] close(3) = 0 [pid 3802] mkdir("./file0", 0777) = 0 [ 98.338734][ T3802] loop0: detected capacity change from 0 to 32768 [ 98.348783][ T3802] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 98.357602][ T3802] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 98.367679][ T3802] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 98.376511][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 98.383760][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3802] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3802] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3802] chdir("./file0") = 0 [pid 3802] ioctl(4, LOOP_CLR_FD) = 0 [pid 3802] close(4) = 0 [pid 3802] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3801] <... futex resumed>) = 0 [pid 3802] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3801] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3801] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3802] <... futex resumed>) = 0 [pid 3802] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3802] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3801] <... futex resumed>) = 0 [pid 3802] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3801] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3802] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3801] <... futex resumed>) = 0 [pid 3802] openat(AT_FDCWD, "./file0", O_RDONLY [ 98.423486][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 98.431259][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 98.436517][ T3802] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 98.459165][ T3802] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3801] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3801] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3801] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3801] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3801] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3803], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3803 [pid 3801] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 98.467799][ T3802] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 98.467799][ T3802] inode = 12 2341 [ 98.467799][ T3802] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 98.486662][ T3802] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 98.496257][ T3802] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3802 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 98.506442][ T3802] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 98.515460][ T3802] gfs2: fsid=syz:syz.0: about to withdraw this file system ./strace-static-x86_64: Process 3803 attached [pid 3803] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3803] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3803] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 98.522810][ T3802] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 98.531838][ T3802] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 98.538383][ T3802] gfs2: fsid=syz:syz.0: File system withdrawn [ 98.544541][ T3802] CPU: 0 PID: 3802 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 98.554954][ T3802] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 98.565006][ T3802] Call Trace: [ 98.568287][ T3802] [ 98.571231][ T3802] dump_stack_lvl+0x1b1/0x28e [ 98.575918][ T3802] ? nf_tcp_handle_invalid+0x62e/0x62e [ 98.581543][ T3802] ? panic+0x710/0x710 [ 98.585792][ T3802] ? kobject_uevent_env+0x46b/0x8e0 [ 98.591073][ T3802] ? do_raw_spin_unlock+0x134/0x8a0 [ 98.596280][ T3802] gfs2_withdraw+0xf33/0x1540 [ 98.600984][ T3802] ? gfs2_lm+0x220/0x220 [ 98.605217][ T3802] ? gfs2_dirent_scan+0xb6/0x650 [ 98.610166][ T3802] ? panic+0x710/0x710 [ 98.614781][ T3802] ? gfs2_permission+0x2ff/0x430 [ 98.619744][ T3802] ? gfs2_consist_inode_i+0xf3/0x110 [ 98.625023][ T3802] gfs2_dirent_scan+0x535/0x650 [ 98.629892][ T3802] ? gfs2_dirent_search+0xb10/0xb10 [ 98.635105][ T3802] gfs2_dirent_search+0x2ea/0xb10 [ 98.640144][ T3802] ? gfs2_dirent_search+0xb10/0xb10 [ 98.645361][ T3802] ? gfs2_dir_search+0x2a0/0x2a0 [ 98.650305][ T3802] ? gfs2_permission+0x3bf/0x430 [ 98.655248][ T3802] gfs2_dir_search+0x8c/0x2a0 [ 98.659934][ T3802] ? do_filldir_main+0x530/0x530 [ 98.664868][ T3802] ? inode_go_held+0xe4/0x1f0 [ 98.669542][ T3802] ? gfs2_glock_wait+0x213/0x2a0 [ 98.674474][ T3802] gfs2_lookupi+0x465/0x650 [ 98.678976][ T3802] ? gfs2_lookup_simple+0x170/0x170 [ 98.684166][ T3802] ? __gfs2_lookup+0x8c/0x260 [ 98.688873][ T3802] __gfs2_lookup+0x8c/0x260 [ 98.693376][ T3802] ? gfs2_atomic_open+0x230/0x230 [ 98.698398][ T3802] ? __d_lookup+0x6a4/0x770 [ 98.702915][ T3802] ? d_hash_and_lookup+0x1c0/0x1c0 [ 98.708021][ T3802] gfs2_atomic_open+0xa4/0x230 [ 98.712784][ T3802] path_openat+0xf39/0x2df0 [ 98.717305][ T3802] ? gfs2_rename2+0x3000/0x3000 [ 98.722186][ T3802] ? do_filp_open+0x4f0/0x4f0 [ 98.726883][ T3802] do_filp_open+0x264/0x4f0 [ 98.731385][ T3802] ? vfs_tmpfile+0x490/0x490 [ 98.735978][ T3802] ? do_raw_spin_unlock+0x134/0x8a0 [ 98.741174][ T3802] ? _raw_spin_unlock+0x24/0x40 [ 98.746023][ T3802] ? alloc_fd+0x5a7/0x640 [ 98.750375][ T3802] do_sys_openat2+0x124/0x4e0 [ 98.755051][ T3802] ? print_irqtrace_events+0x220/0x220 [ 98.760500][ T3802] ? ptrace_stop+0x74d/0x970 [ 98.765088][ T3802] ? do_sys_open+0x220/0x220 [ 98.769672][ T3802] ? lockdep_hardirqs_on+0x8d/0x130 [ 98.774866][ T3802] ? _raw_spin_unlock_irq+0x2a/0x40 [ 98.780063][ T3802] ? ptrace_notify+0x245/0x340 [ 98.784848][ T3802] __x64_sys_openat+0x243/0x290 [ 98.789695][ T3802] ? __ia32_sys_open+0x270/0x270 [ 98.794716][ T3802] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 98.800691][ T3802] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 98.806665][ T3802] do_syscall_64+0x3d/0xb0 [ 98.811074][ T3802] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 98.816962][ T3802] RIP: 0033:0x7fc8868064d9 [ 98.821369][ T3802] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 98.840970][ T3802] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 98.849374][ T3802] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 98.857350][ T3802] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 98.865310][ T3802] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3803] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3802] <... openat resumed>) = -1 EIO (Input/output error) [pid 3802] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3802] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3801] exit_group(0 [pid 3803] <... futex resumed>) = ? [pid 3802] <... futex resumed>) = ? [pid 3801] <... exit_group resumed>) = ? [pid 3803] +++ exited with 0 +++ [pid 3802] +++ exited with 0 +++ [pid 3801] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3801, si_uid=0, si_status=0, si_utime=3, si_stime=29} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./54", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./54", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./54/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./54/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./54/binderfs") = 0 [ 98.873270][ T3802] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 98.881234][ T3802] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 98.889208][ T3802] umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./54/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./54/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./54/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./54") = 0 mkdir("./55", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3804 ./strace-static-x86_64: Process 3804 attached [pid 3804] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3804] chdir("./55") = 0 [pid 3804] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3804] setpgid(0, 0) = 0 [pid 3804] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3804] write(3, "1000", 4) = 4 [pid 3804] close(3) = 0 [pid 3804] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3804] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3804] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3804] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3804] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3805 attached , parent_tid=[3805], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3805 [pid 3804] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3804] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3805] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3805] memfd_create("syzkaller", 0) = 3 [pid 3805] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3805] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3805] munmap(0x7fc87e392000, 16777216) = 0 [pid 3805] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3805] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3805] close(3) = 0 [pid 3805] mkdir("./file0", 0777) = 0 [ 99.189043][ T3805] loop0: detected capacity change from 0 to 32768 [ 99.198920][ T3805] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 99.207523][ T3805] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 99.216675][ T3805] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 99.225613][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 99.232471][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3805] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3805] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3805] chdir("./file0") = 0 [pid 3805] ioctl(4, LOOP_CLR_FD) = 0 [pid 3805] close(4) = 0 [pid 3805] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3804] <... futex resumed>) = 0 [pid 3804] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3804] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3805] <... futex resumed>) = 1 [pid 3805] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3805] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3804] <... futex resumed>) = 0 [pid 3805] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3804] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 99.272167][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 99.279670][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 99.285002][ T3805] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 99.298456][ T3805] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 99.307235][ T3805] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 99.307235][ T3805] inode = 12 2341 [pid 3804] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3804] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3804] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3804] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3804] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3804] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3806], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3806 [pid 3804] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3806 attached [pid 3806] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3806] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3806] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 99.307235][ T3805] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 99.326059][ T3805] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 99.335625][ T3805] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3805 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 99.346373][ T3805] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 99.355137][ T3805] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 99.363230][ T3805] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 99.372965][ T3805] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 99.379852][ T3805] gfs2: fsid=syz:syz.0: File system withdrawn [ 99.386401][ T3805] CPU: 0 PID: 3805 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 99.396834][ T3805] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 99.406901][ T3805] Call Trace: [ 99.410189][ T3805] [ 99.413112][ T3805] dump_stack_lvl+0x1b1/0x28e [ 99.417796][ T3805] ? nf_tcp_handle_invalid+0x62e/0x62e [ 99.423251][ T3805] ? panic+0x710/0x710 [ 99.427321][ T3805] ? kobject_uevent_env+0x46b/0x8e0 [ 99.432526][ T3805] ? do_raw_spin_unlock+0x134/0x8a0 [ 99.437741][ T3805] gfs2_withdraw+0xf33/0x1540 [ 99.442680][ T3805] ? gfs2_lm+0x220/0x220 [ 99.446914][ T3805] ? gfs2_dirent_scan+0xb6/0x650 [ 99.451847][ T3805] ? panic+0x710/0x710 [ 99.455902][ T3805] ? gfs2_permission+0x2ff/0x430 [ 99.460845][ T3805] ? gfs2_consist_inode_i+0xf3/0x110 [ 99.466136][ T3805] gfs2_dirent_scan+0x535/0x650 [ 99.471077][ T3805] ? gfs2_dirent_search+0xb10/0xb10 [ 99.476276][ T3805] gfs2_dirent_search+0x2ea/0xb10 [ 99.481334][ T3805] ? gfs2_dirent_search+0xb10/0xb10 [ 99.486566][ T3805] ? gfs2_dir_search+0x2a0/0x2a0 [ 99.491495][ T3805] ? gfs2_permission+0x3bf/0x430 [ 99.496434][ T3805] gfs2_dir_search+0x8c/0x2a0 [ 99.501111][ T3805] ? do_filldir_main+0x530/0x530 [ 99.506044][ T3805] ? inode_go_held+0xe4/0x1f0 [ 99.510718][ T3805] ? gfs2_glock_wait+0x213/0x2a0 [ 99.515647][ T3805] gfs2_lookupi+0x465/0x650 [ 99.520154][ T3805] ? gfs2_lookup_simple+0x170/0x170 [ 99.525350][ T3805] ? __gfs2_lookup+0x8c/0x260 [ 99.530030][ T3805] __gfs2_lookup+0x8c/0x260 [ 99.534530][ T3805] ? gfs2_atomic_open+0x230/0x230 [ 99.539554][ T3805] ? __d_lookup+0x6a4/0x770 [ 99.544048][ T3805] ? d_hash_and_lookup+0x1c0/0x1c0 [ 99.549152][ T3805] gfs2_atomic_open+0xa4/0x230 [ 99.553910][ T3805] path_openat+0xf39/0x2df0 [ 99.558408][ T3805] ? gfs2_rename2+0x3000/0x3000 [ 99.563265][ T3805] ? do_filp_open+0x4f0/0x4f0 [ 99.567947][ T3805] do_filp_open+0x264/0x4f0 [ 99.572440][ T3805] ? vfs_tmpfile+0x490/0x490 [ 99.577030][ T3805] ? do_raw_spin_unlock+0x134/0x8a0 [ 99.582230][ T3805] ? _raw_spin_unlock+0x24/0x40 [ 99.587077][ T3805] ? alloc_fd+0x5a7/0x640 [ 99.591408][ T3805] do_sys_openat2+0x124/0x4e0 [ 99.596077][ T3805] ? print_irqtrace_events+0x220/0x220 [ 99.601524][ T3805] ? ptrace_stop+0x74d/0x970 [ 99.606106][ T3805] ? do_sys_open+0x220/0x220 [ 99.610690][ T3805] ? lockdep_hardirqs_on+0x8d/0x130 [ 99.615968][ T3805] ? _raw_spin_unlock_irq+0x2a/0x40 [ 99.621159][ T3805] ? ptrace_notify+0x245/0x340 [ 99.625915][ T3805] __x64_sys_openat+0x243/0x290 [ 99.630765][ T3805] ? __ia32_sys_open+0x270/0x270 [ 99.635695][ T3805] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 99.641679][ T3805] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 99.647666][ T3805] do_syscall_64+0x3d/0xb0 [ 99.652074][ T3805] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 99.657956][ T3805] RIP: 0033:0x7fc8868064d9 [ 99.662360][ T3805] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 99.681970][ T3805] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 99.690383][ T3805] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 99.698355][ T3805] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 99.706317][ T3805] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 99.714277][ T3805] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3806] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3805] <... openat resumed>) = -1 EIO (Input/output error) [pid 3805] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3805] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3804] exit_group(0 [pid 3806] <... futex resumed>) = ? [pid 3805] <... futex resumed>) = ? [pid 3804] <... exit_group resumed>) = ? [pid 3806] +++ exited with 0 +++ [pid 3805] +++ exited with 0 +++ [pid 3804] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3804, si_uid=0, si_status=0, si_utime=2, si_stime=29} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./55", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./55", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./55/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./55/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./55/binderfs") = 0 [ 99.722238][ T3805] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 99.730215][ T3805] umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./55/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./55/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./55/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./55") = 0 mkdir("./56", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3807 ./strace-static-x86_64: Process 3807 attached [pid 3807] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3807] chdir("./56") = 0 [pid 3807] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3807] setpgid(0, 0) = 0 [pid 3807] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3807] write(3, "1000", 4) = 4 [pid 3807] close(3) = 0 [pid 3807] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3807] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3807] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3807] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3807] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3808 attached [pid 3808] set_robust_list(0x7fc8867b29e0, 24 [pid 3807] <... clone resumed>, parent_tid=[3808], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3808 [pid 3808] <... set_robust_list resumed>) = 0 [pid 3808] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3807] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3808] <... futex resumed>) = 0 [pid 3807] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3808] memfd_create("syzkaller", 0) = 3 [pid 3808] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3808] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3808] munmap(0x7fc87e392000, 16777216) = 0 [pid 3808] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3808] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3808] close(3) = 0 [pid 3808] mkdir("./file0", 0777) = 0 [ 100.035158][ T3808] loop0: detected capacity change from 0 to 32768 [ 100.046048][ T3808] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 100.054510][ T3808] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 100.064308][ T3808] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 100.073236][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 100.080008][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3808] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3808] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3808] chdir("./file0") = 0 [pid 3808] ioctl(4, LOOP_CLR_FD) = 0 [pid 3808] close(4) = 0 [pid 3808] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3808] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3807] <... futex resumed>) = 0 [pid 3807] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3807] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3808] <... futex resumed>) = 0 [pid 3808] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3808] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3808] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3807] <... futex resumed>) = 0 [pid 3807] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3808] <... futex resumed>) = 0 [pid 3807] <... futex resumed>) = 1 [pid 3808] openat(AT_FDCWD, "./file0", O_RDONLY [ 100.118413][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 100.125956][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 100.131483][ T3808] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 100.158380][ T3808] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3807] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3807] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3807] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3807] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3807] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3809], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3809 [pid 3807] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3809 attached [pid 3809] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3809] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3809] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 100.167190][ T3808] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 100.167190][ T3808] inode = 12 2341 [ 100.167190][ T3808] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 100.185968][ T3808] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 100.195352][ T3808] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3808 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 100.205463][ T3808] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 100.215022][ T3808] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 100.222503][ T3808] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 100.231315][ T3808] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 100.238444][ T3808] gfs2: fsid=syz:syz.0: File system withdrawn [ 100.244868][ T3808] CPU: 1 PID: 3808 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 100.255287][ T3808] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 100.265335][ T3808] Call Trace: [ 100.268616][ T3808] [ 100.271537][ T3808] dump_stack_lvl+0x1b1/0x28e [ 100.276229][ T3808] ? nf_tcp_handle_invalid+0x62e/0x62e [ 100.281701][ T3808] ? panic+0x710/0x710 [ 100.285786][ T3808] ? kobject_uevent_env+0x46b/0x8e0 [ 100.290993][ T3808] ? do_raw_spin_unlock+0x134/0x8a0 [ 100.296190][ T3808] gfs2_withdraw+0xf33/0x1540 [ 100.300869][ T3808] ? gfs2_lm+0x220/0x220 [ 100.305099][ T3808] ? gfs2_dirent_scan+0xb6/0x650 [ 100.310036][ T3808] ? panic+0x710/0x710 [ 100.314119][ T3808] ? gfs2_permission+0x2ff/0x430 [ 100.319066][ T3808] ? gfs2_consist_inode_i+0xf3/0x110 [ 100.324346][ T3808] gfs2_dirent_scan+0x535/0x650 [ 100.329197][ T3808] ? gfs2_dirent_search+0xb10/0xb10 [ 100.334391][ T3808] gfs2_dirent_search+0x2ea/0xb10 [ 100.339412][ T3808] ? gfs2_dirent_search+0xb10/0xb10 [ 100.344605][ T3808] ? gfs2_dir_search+0x2a0/0x2a0 [ 100.349535][ T3808] ? gfs2_permission+0x3bf/0x430 [ 100.354472][ T3808] gfs2_dir_search+0x8c/0x2a0 [ 100.359147][ T3808] ? do_filldir_main+0x530/0x530 [ 100.364163][ T3808] ? inode_go_held+0xe4/0x1f0 [ 100.368836][ T3808] ? gfs2_glock_wait+0x213/0x2a0 [ 100.373765][ T3808] gfs2_lookupi+0x465/0x650 [ 100.378267][ T3808] ? gfs2_lookup_simple+0x170/0x170 [ 100.383464][ T3808] ? __gfs2_lookup+0x8c/0x260 [ 100.390142][ T3808] __gfs2_lookup+0x8c/0x260 [ 100.394640][ T3808] ? gfs2_atomic_open+0x230/0x230 [ 100.399660][ T3808] ? __d_lookup+0x6a4/0x770 [ 100.404153][ T3808] ? d_hash_and_lookup+0x1c0/0x1c0 [ 100.409259][ T3808] gfs2_atomic_open+0xa4/0x230 [ 100.414109][ T3808] path_openat+0xf39/0x2df0 [ 100.418608][ T3808] ? gfs2_rename2+0x3000/0x3000 [ 100.423465][ T3808] ? do_filp_open+0x4f0/0x4f0 [ 100.428146][ T3808] do_filp_open+0x264/0x4f0 [ 100.432642][ T3808] ? vfs_tmpfile+0x490/0x490 [ 100.437232][ T3808] ? do_raw_spin_unlock+0x134/0x8a0 [ 100.442427][ T3808] ? _raw_spin_unlock+0x24/0x40 [ 100.447273][ T3808] ? alloc_fd+0x5a7/0x640 [ 100.451606][ T3808] do_sys_openat2+0x124/0x4e0 [ 100.456277][ T3808] ? print_irqtrace_events+0x220/0x220 [ 100.461763][ T3808] ? ptrace_stop+0x74d/0x970 [ 100.466352][ T3808] ? do_sys_open+0x220/0x220 [ 100.470966][ T3808] ? lockdep_hardirqs_on+0x8d/0x130 [ 100.476158][ T3808] ? _raw_spin_unlock_irq+0x2a/0x40 [ 100.481354][ T3808] ? ptrace_notify+0x245/0x340 [ 100.486108][ T3808] __x64_sys_openat+0x243/0x290 [ 100.490957][ T3808] ? __ia32_sys_open+0x270/0x270 [ 100.495891][ T3808] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 100.501868][ T3808] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 100.507846][ T3808] do_syscall_64+0x3d/0xb0 [ 100.512258][ T3808] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 100.518146][ T3808] RIP: 0033:0x7fc8868064d9 [ 100.522555][ T3808] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 100.542153][ T3808] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 100.550560][ T3808] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 100.558547][ T3808] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3809] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3808] <... openat resumed>) = -1 EIO (Input/output error) [pid 3808] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3808] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3807] exit_group(0 [pid 3809] <... futex resumed>) = ? [pid 3808] <... futex resumed>) = ? [pid 3809] +++ exited with 0 +++ [pid 3808] +++ exited with 0 +++ [pid 3807] <... exit_group resumed>) = ? [pid 3807] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3807, si_uid=0, si_status=0, si_utime=2, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./56", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./56", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./56/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./56/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./56/binderfs") = 0 [ 100.566508][ T3808] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 100.574507][ T3808] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 100.582480][ T3808] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 100.590466][ T3808] umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./56/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./56/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./56/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./56") = 0 mkdir("./57", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3810 ./strace-static-x86_64: Process 3810 attached [pid 3810] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3810] chdir("./57") = 0 [pid 3810] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3810] setpgid(0, 0) = 0 [pid 3810] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3810] write(3, "1000", 4) = 4 [pid 3810] close(3) = 0 [pid 3810] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3810] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3810] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3810] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3810] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3811], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3811 [pid 3810] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3810] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3811 attached [pid 3811] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3811] memfd_create("syzkaller", 0) = 3 [pid 3811] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3811] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3811] munmap(0x7fc87e392000, 16777216) = 0 [pid 3811] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3811] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3811] close(3) = 0 [pid 3811] mkdir("./file0", 0777) = 0 [ 100.909432][ T3811] loop0: detected capacity change from 0 to 32768 [ 100.920536][ T3811] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 100.928716][ T3811] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 100.938516][ T3811] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 100.947479][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 100.954470][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3811] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3811] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3811] chdir("./file0") = 0 [pid 3811] ioctl(4, LOOP_CLR_FD) = 0 [pid 3811] close(4) = 0 [pid 3811] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3810] <... futex resumed>) = 0 [pid 3811] <... futex resumed>) = 1 [pid 3810] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3810] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3811] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3811] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3810] <... futex resumed>) = 0 [pid 3810] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3810] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 100.988301][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 100.995989][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 101.001418][ T3811] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3811] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3810] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3810] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3810] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3810] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [ 101.030805][ T3811] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 101.039366][ T3811] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 101.039366][ T3811] inode = 12 2341 [ 101.039366][ T3811] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 101.058681][ T3811] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 101.068547][ T3811] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3811 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3810] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3812], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3812 [pid 3810] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3812 attached [pid 3812] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 101.078957][ T3811] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 101.087245][ T3812] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 101.087813][ T3811] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 101.095833][ T3812] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 101.095870][ T3812] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3811 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 101.103560][ T3811] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 101.112248][ T3812] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3812 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 101.122586][ T3811] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 101.131231][ T3812] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 101.142234][ T3811] gfs2: fsid=syz:syz.0: File system withdrawn [ 101.162064][ T3811] CPU: 0 PID: 3811 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 101.173693][ T3811] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 101.183755][ T3811] Call Trace: [ 101.187027][ T3811] [ 101.189947][ T3811] dump_stack_lvl+0x1b1/0x28e [ 101.194617][ T3811] ? nf_tcp_handle_invalid+0x62e/0x62e [ 101.200071][ T3811] ? panic+0x710/0x710 [ 101.204235][ T3811] ? kobject_uevent_env+0x46b/0x8e0 [ 101.209440][ T3811] ? do_raw_spin_unlock+0x134/0x8a0 [ 101.214667][ T3811] gfs2_withdraw+0xf33/0x1540 [ 101.219417][ T3811] ? gfs2_lm+0x220/0x220 [ 101.223657][ T3811] ? gfs2_dirent_scan+0xb6/0x650 [pid 3812] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3810] exit_group(0) = ? [ 101.228603][ T3811] ? panic+0x710/0x710 [ 101.232694][ T3811] ? gfs2_permission+0x2ff/0x430 [ 101.237654][ T3811] ? gfs2_consist_inode_i+0xf3/0x110 [ 101.243209][ T3811] gfs2_dirent_scan+0x535/0x650 [ 101.248069][ T3811] ? gfs2_dirent_search+0xb10/0xb10 [ 101.253262][ T3811] gfs2_dirent_search+0x2ea/0xb10 [ 101.258289][ T3811] ? gfs2_dirent_search+0xb10/0xb10 [ 101.263498][ T3811] ? gfs2_dir_search+0x2a0/0x2a0 [ 101.268428][ T3811] ? gfs2_permission+0x3bf/0x430 [ 101.273362][ T3811] gfs2_dir_search+0x8c/0x2a0 [ 101.278041][ T3811] ? do_filldir_main+0x530/0x530 [ 101.282989][ T3811] ? inode_go_held+0xe4/0x1f0 [ 101.287665][ T3811] ? gfs2_glock_wait+0x213/0x2a0 [ 101.292607][ T3811] gfs2_lookupi+0x465/0x650 [ 101.297106][ T3811] ? gfs2_lookup_simple+0x170/0x170 [ 101.302295][ T3811] ? __gfs2_lookup+0x8c/0x260 [ 101.307156][ T3811] __gfs2_lookup+0x8c/0x260 [ 101.311756][ T3811] ? gfs2_atomic_open+0x230/0x230 [ 101.316785][ T3811] ? __d_lookup+0x6a4/0x770 [ 101.321289][ T3811] ? d_hash_and_lookup+0x1c0/0x1c0 [ 101.326421][ T3811] gfs2_atomic_open+0xa4/0x230 [ 101.331195][ T3811] path_openat+0xf39/0x2df0 [ 101.335713][ T3811] ? gfs2_rename2+0x3000/0x3000 [ 101.340571][ T3811] ? do_filp_open+0x4f0/0x4f0 [ 101.345259][ T3811] do_filp_open+0x264/0x4f0 [ 101.349766][ T3811] ? vfs_tmpfile+0x490/0x490 [ 101.354361][ T3811] ? do_raw_spin_unlock+0x134/0x8a0 [ 101.359552][ T3811] ? _raw_spin_unlock+0x24/0x40 [ 101.364390][ T3811] ? alloc_fd+0x5a7/0x640 [ 101.368714][ T3811] do_sys_openat2+0x124/0x4e0 [ 101.373397][ T3811] ? print_irqtrace_events+0x220/0x220 [ 101.378858][ T3811] ? ptrace_stop+0x74d/0x970 [ 101.383443][ T3811] ? do_sys_open+0x220/0x220 [ 101.388023][ T3811] ? lockdep_hardirqs_on+0x8d/0x130 [ 101.393210][ T3811] ? _raw_spin_unlock_irq+0x2a/0x40 [ 101.398403][ T3811] ? ptrace_notify+0x245/0x340 [ 101.403158][ T3811] __x64_sys_openat+0x243/0x290 [ 101.408000][ T3811] ? __ia32_sys_open+0x270/0x270 [ 101.412936][ T3811] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 101.418921][ T3811] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 101.424888][ T3811] do_syscall_64+0x3d/0xb0 [ 101.429294][ T3811] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 101.435184][ T3811] RIP: 0033:0x7fc8868064d9 [ 101.439598][ T3811] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 101.459190][ T3811] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 101.467591][ T3811] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3812] <... openat resumed>) = ? [pid 3811] <... openat resumed>) = ? [pid 3812] +++ exited with 0 +++ [pid 3811] +++ exited with 0 +++ [pid 3810] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3810, si_uid=0, si_status=0, si_utime=2, si_stime=38} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./57", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./57", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./57/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./57/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./57/binderfs") = 0 [ 101.475552][ T3811] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 101.483514][ T3811] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 101.491481][ T3811] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 101.499452][ T3811] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 101.507425][ T3811] umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./57/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./57/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./57/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./57") = 0 mkdir("./58", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3813 ./strace-static-x86_64: Process 3813 attached [pid 3813] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3813] chdir("./58") = 0 [pid 3813] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3813] setpgid(0, 0) = 0 [pid 3813] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3813] write(3, "1000", 4) = 4 [pid 3813] close(3) = 0 [pid 3813] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3813] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3813] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3813] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3813] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3814 attached [pid 3814] set_robust_list(0x7fc8867b29e0, 24 [pid 3813] <... clone resumed>, parent_tid=[3814], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3814 [pid 3813] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3813] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3814] <... set_robust_list resumed>) = 0 [pid 3814] memfd_create("syzkaller", 0) = 3 [pid 3814] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3814] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3814] munmap(0x7fc87e392000, 16777216) = 0 [pid 3814] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3814] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3814] close(3) = 0 [pid 3814] mkdir("./file0", 0777) = 0 [ 101.808487][ T3814] loop0: detected capacity change from 0 to 32768 [ 101.819429][ T3814] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 101.827906][ T3814] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 101.838080][ T3814] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 101.846957][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 101.854052][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3814] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3814] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3814] chdir("./file0") = 0 [pid 3814] ioctl(4, LOOP_CLR_FD) = 0 [pid 3814] close(4) = 0 [pid 3814] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3813] <... futex resumed>) = 0 [pid 3813] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3813] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3814] <... futex resumed>) = 1 [pid 3814] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3814] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3813] <... futex resumed>) = 0 [pid 3814] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3813] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3814] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3813] <... futex resumed>) = 0 [pid 3814] openat(AT_FDCWD, "./file0", O_RDONLY [ 101.893913][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 101.901460][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 101.906703][ T3814] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3813] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3813] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 101.941128][ T3814] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 101.949844][ T3814] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 101.949844][ T3814] inode = 12 2341 [ 101.949844][ T3814] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 101.968632][ T3814] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 101.978205][ T3814] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3814 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3813] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3813] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3813] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3815], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3815 [pid 3813] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3815 attached [pid 3815] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3815] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3815] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 101.988585][ T3814] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 101.997888][ T3814] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 102.005397][ T3814] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 102.014511][ T3814] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 102.021264][ T3814] gfs2: fsid=syz:syz.0: File system withdrawn [ 102.027718][ T3814] CPU: 0 PID: 3814 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 102.038125][ T3814] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 102.048179][ T3814] Call Trace: [ 102.051469][ T3814] [ 102.054385][ T3814] dump_stack_lvl+0x1b1/0x28e [ 102.059067][ T3814] ? nf_tcp_handle_invalid+0x62e/0x62e [ 102.064505][ T3814] ? panic+0x710/0x710 [ 102.068565][ T3814] ? kobject_uevent_env+0x46b/0x8e0 [ 102.073774][ T3814] ? do_raw_spin_unlock+0x134/0x8a0 [ 102.078977][ T3814] gfs2_withdraw+0xf33/0x1540 [ 102.083649][ T3814] ? gfs2_lm+0x220/0x220 [ 102.087877][ T3814] ? gfs2_dirent_scan+0xb6/0x650 [ 102.092804][ T3814] ? panic+0x710/0x710 [ 102.096854][ T3814] ? gfs2_permission+0x2ff/0x430 [ 102.101809][ T3814] ? gfs2_consist_inode_i+0xf3/0x110 [ 102.107078][ T3814] gfs2_dirent_scan+0x535/0x650 [ 102.111918][ T3814] ? gfs2_dirent_search+0xb10/0xb10 [ 102.117113][ T3814] gfs2_dirent_search+0x2ea/0xb10 [ 102.122129][ T3814] ? gfs2_dirent_search+0xb10/0xb10 [ 102.127314][ T3814] ? gfs2_dir_search+0x2a0/0x2a0 [ 102.132234][ T3814] ? gfs2_permission+0x3bf/0x430 [ 102.137158][ T3814] gfs2_dir_search+0x8c/0x2a0 [ 102.141822][ T3814] ? do_filldir_main+0x530/0x530 [ 102.146744][ T3814] ? inode_go_held+0xe4/0x1f0 [ 102.151407][ T3814] ? gfs2_glock_wait+0x213/0x2a0 [ 102.156330][ T3814] gfs2_lookupi+0x465/0x650 [ 102.160822][ T3814] ? gfs2_lookup_simple+0x170/0x170 [ 102.166006][ T3814] ? __gfs2_lookup+0x8c/0x260 [ 102.170677][ T3814] __gfs2_lookup+0x8c/0x260 [ 102.175167][ T3814] ? gfs2_atomic_open+0x230/0x230 [ 102.180178][ T3814] ? __d_lookup+0x6a4/0x770 [ 102.184666][ T3814] ? d_hash_and_lookup+0x1c0/0x1c0 [ 102.189760][ T3814] gfs2_atomic_open+0xa4/0x230 [ 102.194511][ T3814] path_openat+0xf39/0x2df0 [ 102.199000][ T3814] ? gfs2_rename2+0x3000/0x3000 [ 102.203844][ T3814] ? do_filp_open+0x4f0/0x4f0 [ 102.208511][ T3814] do_filp_open+0x264/0x4f0 [ 102.212996][ T3814] ? vfs_tmpfile+0x490/0x490 [ 102.217586][ T3814] ? do_raw_spin_unlock+0x134/0x8a0 [ 102.222772][ T3814] ? _raw_spin_unlock+0x24/0x40 [ 102.227614][ T3814] ? alloc_fd+0x5a7/0x640 [ 102.231936][ T3814] do_sys_openat2+0x124/0x4e0 [ 102.236602][ T3814] ? print_irqtrace_events+0x220/0x220 [ 102.242043][ T3814] ? ptrace_stop+0x74d/0x970 [ 102.246618][ T3814] ? do_sys_open+0x220/0x220 [ 102.251198][ T3814] ? lockdep_hardirqs_on+0x8d/0x130 [ 102.256380][ T3814] ? _raw_spin_unlock_irq+0x2a/0x40 [ 102.261563][ T3814] ? ptrace_notify+0x245/0x340 [ 102.266308][ T3814] __x64_sys_openat+0x243/0x290 [ 102.271157][ T3814] ? __ia32_sys_open+0x270/0x270 [ 102.276080][ T3814] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 102.282048][ T3814] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 102.288011][ T3814] do_syscall_64+0x3d/0xb0 [ 102.292411][ T3814] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 102.298288][ T3814] RIP: 0033:0x7fc8868064d9 [ 102.302687][ T3814] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 102.322280][ T3814] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 102.330675][ T3814] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3815] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3814] <... openat resumed>) = -1 EIO (Input/output error) [pid 3814] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3814] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3813] exit_group(0 [pid 3815] <... futex resumed>) = ? [pid 3813] <... exit_group resumed>) = ? [pid 3815] +++ exited with 0 +++ [pid 3814] <... futex resumed>) = ? [pid 3814] +++ exited with 0 +++ [pid 3813] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3813, si_uid=0, si_status=0, si_utime=0, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./58", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./58", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./58/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./58/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./58/binderfs") = 0 [ 102.338628][ T3814] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 102.346585][ T3814] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 102.354546][ T3814] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 102.362500][ T3814] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 102.370467][ T3814] umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./58/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./58/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./58/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./58") = 0 mkdir("./59", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3816 ./strace-static-x86_64: Process 3816 attached [pid 3816] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3816] chdir("./59") = 0 [pid 3816] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3816] setpgid(0, 0) = 0 [pid 3816] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3816] write(3, "1000", 4) = 4 [pid 3816] close(3) = 0 [pid 3816] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3816] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3816] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3816] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3816] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3817], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3817 [pid 3816] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3816] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3817 attached [pid 3817] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3817] memfd_create("syzkaller", 0) = 3 [pid 3817] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3817] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3817] munmap(0x7fc87e392000, 16777216) = 0 [pid 3817] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3817] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3817] close(3) = 0 [pid 3817] mkdir("./file0", 0777) = 0 [ 102.675246][ T3817] loop0: detected capacity change from 0 to 32768 [ 102.684832][ T3817] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 102.693429][ T3817] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 102.702807][ T3817] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 102.711459][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 102.718238][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3817] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3817] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3817] chdir("./file0") = 0 [pid 3817] ioctl(4, LOOP_CLR_FD) = 0 [pid 3817] close(4) = 0 [pid 3817] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3816] <... futex resumed>) = 0 [pid 3816] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3816] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3817] <... futex resumed>) = 1 [pid 3817] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3817] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3816] <... futex resumed>) = 0 [pid 3816] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3816] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3817] <... futex resumed>) = 1 [ 102.752393][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 102.759899][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 102.765198][ T3817] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 102.779897][ T3817] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 102.788484][ T3817] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 102.788484][ T3817] inode = 12 2341 [pid 3817] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3816] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 102.788484][ T3817] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 102.810249][ T3817] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 102.827358][ T3817] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3817 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 102.837785][ T3817] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3816] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3816] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [ 102.846678][ T3817] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 102.853966][ T3817] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 102.862846][ T3817] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 102.869477][ T3817] gfs2: fsid=syz:syz.0: File system withdrawn [ 102.876482][ T3817] CPU: 0 PID: 3817 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 102.887875][ T3817] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 102.897924][ T3817] Call Trace: [ 102.901198][ T3817] [ 102.904120][ T3817] dump_stack_lvl+0x1b1/0x28e [ 102.908826][ T3817] ? nf_tcp_handle_invalid+0x62e/0x62e [ 102.914290][ T3817] ? panic+0x710/0x710 [ 102.918387][ T3817] ? kobject_uevent_env+0x46b/0x8e0 [ 102.923600][ T3817] ? do_raw_spin_unlock+0x134/0x8a0 [ 102.928796][ T3817] gfs2_withdraw+0xf33/0x1540 [ 102.933507][ T3817] ? gfs2_lm+0x220/0x220 [ 102.937770][ T3817] ? gfs2_dirent_scan+0xb6/0x650 [ 102.942710][ T3817] ? panic+0x710/0x710 [ 102.946775][ T3817] ? gfs2_permission+0x2ff/0x430 [ 102.951722][ T3817] ? gfs2_consist_inode_i+0xf3/0x110 [ 102.957024][ T3817] gfs2_dirent_scan+0x535/0x650 [ 102.961899][ T3817] ? gfs2_dirent_search+0xb10/0xb10 [ 102.967101][ T3817] gfs2_dirent_search+0x2ea/0xb10 [ 102.972120][ T3817] ? gfs2_dirent_search+0xb10/0xb10 [ 102.977315][ T3817] ? gfs2_dir_search+0x2a0/0x2a0 [ 102.982269][ T3817] ? gfs2_permission+0x3bf/0x430 [ 102.987213][ T3817] gfs2_dir_search+0x8c/0x2a0 [ 102.991890][ T3817] ? do_filldir_main+0x530/0x530 [ 102.996825][ T3817] ? inode_go_held+0xe4/0x1f0 [ 103.001498][ T3817] ? gfs2_glock_wait+0x213/0x2a0 [ 103.006430][ T3817] gfs2_lookupi+0x465/0x650 [ 103.010934][ T3817] ? gfs2_lookup_simple+0x170/0x170 [ 103.016125][ T3817] ? __gfs2_lookup+0x8c/0x260 [ 103.020804][ T3817] __gfs2_lookup+0x8c/0x260 [ 103.025305][ T3817] ? gfs2_atomic_open+0x230/0x230 [ 103.030330][ T3817] ? __d_lookup+0x6a4/0x770 [ 103.034826][ T3817] ? d_hash_and_lookup+0x1c0/0x1c0 [ 103.039929][ T3817] gfs2_atomic_open+0xa4/0x230 [ 103.044690][ T3817] path_openat+0xf39/0x2df0 [ 103.049188][ T3817] ? gfs2_rename2+0x3000/0x3000 [ 103.054043][ T3817] ? do_filp_open+0x4f0/0x4f0 [ 103.058724][ T3817] do_filp_open+0x264/0x4f0 [ 103.063219][ T3817] ? vfs_tmpfile+0x490/0x490 [ 103.067808][ T3817] ? do_raw_spin_unlock+0x134/0x8a0 [ 103.073002][ T3817] ? _raw_spin_unlock+0x24/0x40 [ 103.077855][ T3817] ? alloc_fd+0x5a7/0x640 [ 103.082186][ T3817] do_sys_openat2+0x124/0x4e0 [ 103.086856][ T3817] ? print_irqtrace_events+0x220/0x220 [ 103.092303][ T3817] ? ptrace_stop+0x74d/0x970 [ 103.096885][ T3817] ? do_sys_open+0x220/0x220 [ 103.101467][ T3817] ? lockdep_hardirqs_on+0x8d/0x130 [ 103.106657][ T3817] ? _raw_spin_unlock_irq+0x2a/0x40 [ 103.111848][ T3817] ? ptrace_notify+0x245/0x340 [ 103.116603][ T3817] __x64_sys_openat+0x243/0x290 [ 103.121447][ T3817] ? __ia32_sys_open+0x270/0x270 [ 103.126382][ T3817] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 103.132359][ T3817] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 103.138332][ T3817] do_syscall_64+0x3d/0xb0 [ 103.142740][ T3817] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 103.148619][ T3817] RIP: 0033:0x7fc8868064d9 [ 103.153023][ T3817] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 103.172704][ T3817] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 103.181199][ T3817] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 103.189160][ T3817] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3816] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3817] <... openat resumed>) = -1 EIO (Input/output error) [pid 3816] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID [pid 3817] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3817] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 3818 attached [pid 3816] <... clone resumed>, parent_tid=[3818], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3818 [pid 3818] set_robust_list(0x7fc87f3919e0, 24 [pid 3816] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3818] <... set_robust_list resumed>) = 0 [pid 3816] <... futex resumed>) = 0 [pid 3818] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3818] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3818] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3816] exit_group(0 [pid 3818] <... futex resumed>) = ? [pid 3816] <... exit_group resumed>) = ? [pid 3817] <... futex resumed>) = ? [pid 3817] +++ exited with 0 +++ [pid 3818] +++ exited with 0 +++ [pid 3816] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3816, si_uid=0, si_status=0, si_utime=1, si_stime=30} --- umount2("./59", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./59", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./59/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./59/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./59/binderfs") = 0 [ 103.197123][ T3817] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 103.205086][ T3817] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 103.213069][ T3817] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 103.221042][ T3817] umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./59/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./59/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./59/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./59") = 0 mkdir("./60", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3819 ./strace-static-x86_64: Process 3819 attached [pid 3819] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3819] chdir("./60") = 0 [pid 3819] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3819] setpgid(0, 0) = 0 [pid 3819] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3819] write(3, "1000", 4) = 4 [pid 3819] close(3) = 0 [pid 3819] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3819] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3819] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3819] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3819] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3820 attached , parent_tid=[3820], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3820 [pid 3819] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3819] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3820] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3820] memfd_create("syzkaller", 0) = 3 [pid 3820] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3820] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3820] munmap(0x7fc87e392000, 16777216) = 0 [pid 3820] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3820] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3820] close(3) = 0 [pid 3820] mkdir("./file0", 0777) = 0 [ 103.519156][ T3820] loop0: detected capacity change from 0 to 32768 [ 103.528984][ T3820] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 103.537303][ T3820] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 103.546410][ T3820] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 103.555058][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 103.562113][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3820] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3820] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3820] chdir("./file0") = 0 [pid 3820] ioctl(4, LOOP_CLR_FD) = 0 [pid 3820] close(4) = 0 [pid 3820] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3819] <... futex resumed>) = 0 [pid 3820] <... futex resumed>) = 1 [pid 3819] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3820] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3819] <... futex resumed>) = 0 [pid 3820] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3819] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3820] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3819] <... futex resumed>) = 0 [pid 3820] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3819] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 103.599264][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 103.606847][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 103.612237][ T3820] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 103.625497][ T3820] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 103.634272][ T3820] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 103.634272][ T3820] inode = 12 2341 [pid 3819] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 103.634272][ T3820] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 103.653259][ T3820] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 103.662573][ T3820] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3820 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 103.672765][ T3820] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 103.681457][ T3820] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 103.688737][ T3820] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 3819] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3819] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3819] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3819] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3821], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3821 [pid 3819] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3821 attached [pid 3821] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3821] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3821] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 103.697667][ T3820] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 103.704593][ T3820] gfs2: fsid=syz:syz.0: File system withdrawn [ 103.712711][ T3820] CPU: 0 PID: 3820 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 103.723151][ T3820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 103.733211][ T3820] Call Trace: [ 103.736486][ T3820] [ 103.739406][ T3820] dump_stack_lvl+0x1b1/0x28e [ 103.744090][ T3820] ? nf_tcp_handle_invalid+0x62e/0x62e [ 103.749648][ T3820] ? panic+0x710/0x710 [ 103.753723][ T3820] ? kobject_uevent_env+0x46b/0x8e0 [ 103.758927][ T3820] ? do_raw_spin_unlock+0x134/0x8a0 [ 103.764120][ T3820] gfs2_withdraw+0xf33/0x1540 [ 103.768793][ T3820] ? gfs2_lm+0x220/0x220 [ 103.773028][ T3820] ? gfs2_dirent_scan+0xb6/0x650 [ 103.777963][ T3820] ? panic+0x710/0x710 [ 103.782032][ T3820] ? gfs2_permission+0x2ff/0x430 [ 103.786963][ T3820] ? gfs2_consist_inode_i+0xf3/0x110 [ 103.792250][ T3820] gfs2_dirent_scan+0x535/0x650 [ 103.797115][ T3820] ? gfs2_dirent_search+0xb10/0xb10 [ 103.802326][ T3820] gfs2_dirent_search+0x2ea/0xb10 [ 103.807363][ T3820] ? gfs2_dirent_search+0xb10/0xb10 [ 103.812552][ T3820] ? gfs2_dir_search+0x2a0/0x2a0 [ 103.817477][ T3820] ? gfs2_permission+0x3bf/0x430 [ 103.822427][ T3820] gfs2_dir_search+0x8c/0x2a0 [ 103.827104][ T3820] ? do_filldir_main+0x530/0x530 [ 103.832033][ T3820] ? inode_go_held+0xe4/0x1f0 [ 103.836708][ T3820] ? gfs2_glock_wait+0x213/0x2a0 [ 103.841643][ T3820] gfs2_lookupi+0x465/0x650 [ 103.846146][ T3820] ? gfs2_lookup_simple+0x170/0x170 [ 103.851339][ T3820] ? __gfs2_lookup+0x8c/0x260 [ 103.856015][ T3820] __gfs2_lookup+0x8c/0x260 [ 103.860517][ T3820] ? gfs2_atomic_open+0x230/0x230 [ 103.865539][ T3820] ? __d_lookup+0x6a4/0x770 [ 103.870031][ T3820] ? d_hash_and_lookup+0x1c0/0x1c0 [ 103.875135][ T3820] gfs2_atomic_open+0xa4/0x230 [ 103.879897][ T3820] path_openat+0xf39/0x2df0 [ 103.884395][ T3820] ? gfs2_rename2+0x3000/0x3000 [ 103.889247][ T3820] ? do_filp_open+0x4f0/0x4f0 [ 103.893931][ T3820] do_filp_open+0x264/0x4f0 [ 103.898429][ T3820] ? vfs_tmpfile+0x490/0x490 [ 103.903034][ T3820] ? do_raw_spin_unlock+0x134/0x8a0 [ 103.908257][ T3820] ? _raw_spin_unlock+0x24/0x40 [ 103.913116][ T3820] ? alloc_fd+0x5a7/0x640 [ 103.917478][ T3820] do_sys_openat2+0x124/0x4e0 [ 103.922151][ T3820] ? print_irqtrace_events+0x220/0x220 [ 103.927604][ T3820] ? ptrace_stop+0x74d/0x970 [ 103.932188][ T3820] ? do_sys_open+0x220/0x220 [ 103.936773][ T3820] ? lockdep_hardirqs_on+0x8d/0x130 [ 103.941964][ T3820] ? _raw_spin_unlock_irq+0x2a/0x40 [ 103.947156][ T3820] ? ptrace_notify+0x245/0x340 [ 103.951914][ T3820] __x64_sys_openat+0x243/0x290 [ 103.956762][ T3820] ? __ia32_sys_open+0x270/0x270 [ 103.961695][ T3820] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 103.967669][ T3820] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 103.973644][ T3820] do_syscall_64+0x3d/0xb0 [ 103.978056][ T3820] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 103.983942][ T3820] RIP: 0033:0x7fc8868064d9 [ 103.988346][ T3820] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 104.008118][ T3820] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 104.016523][ T3820] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 104.024485][ T3820] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 104.032452][ T3820] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 104.040416][ T3820] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3821] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3820] <... openat resumed>) = -1 EIO (Input/output error) [pid 3820] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3819] exit_group(0 [pid 3820] <... futex resumed>) = ? [pid 3819] <... exit_group resumed>) = ? [pid 3820] +++ exited with 0 +++ [pid 3821] <... futex resumed>) = ? [pid 3821] +++ exited with 0 +++ [pid 3819] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3819, si_uid=0, si_status=0, si_utime=3, si_stime=27} --- umount2("./60", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./60", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./60/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./60/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./60/binderfs") = 0 [ 104.048379][ T3820] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 104.056350][ T3820] umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./60/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./60/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./60/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./60") = 0 mkdir("./61", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3822 ./strace-static-x86_64: Process 3822 attached [pid 3822] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3822] chdir("./61") = 0 [pid 3822] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3822] setpgid(0, 0) = 0 [pid 3822] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3822] write(3, "1000", 4) = 4 [pid 3822] close(3) = 0 [pid 3822] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3822] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3822] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3822] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3822] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3823 attached , parent_tid=[3823], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3823 [pid 3823] set_robust_list(0x7fc8867b29e0, 24 [pid 3822] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3822] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3823] <... set_robust_list resumed>) = 0 [pid 3823] memfd_create("syzkaller", 0) = 3 [pid 3823] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3823] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3823] munmap(0x7fc87e392000, 16777216) = 0 [pid 3823] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3823] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3823] close(3) = 0 [pid 3823] mkdir("./file0", 0777) = 0 [ 104.358106][ T3823] loop0: detected capacity change from 0 to 32768 [ 104.369111][ T3823] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 104.377845][ T3823] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 104.388068][ T3823] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 104.396955][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 104.404205][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3823] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3823] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3823] chdir("./file0") = 0 [pid 3823] ioctl(4, LOOP_CLR_FD) = 0 [pid 3823] close(4) = 0 [pid 3823] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3822] <... futex resumed>) = 0 [pid 3822] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3822] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3823] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3823] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3822] <... futex resumed>) = 0 [pid 3822] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3822] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 104.436587][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 104.444146][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 104.449372][ T3823] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 104.483735][ T3823] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 104.492909][ T3823] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 104.492909][ T3823] inode = 12 2341 [ 104.492909][ T3823] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 104.512015][ T3823] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 104.521361][ T3823] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3823 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3823] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3822] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3822] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3822] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3822] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3822] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3824], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3824 [pid 3822] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3824 attached [pid 3824] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3824] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3824] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 104.531566][ T3823] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 104.540196][ T3823] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 104.548203][ T3823] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 104.557061][ T3823] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 104.563853][ T3823] gfs2: fsid=syz:syz.0: File system withdrawn [ 104.570023][ T3823] CPU: 0 PID: 3823 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 104.580455][ T3823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 104.590526][ T3823] Call Trace: [ 104.593906][ T3823] [ 104.596829][ T3823] dump_stack_lvl+0x1b1/0x28e [ 104.601510][ T3823] ? nf_tcp_handle_invalid+0x62e/0x62e [ 104.606990][ T3823] ? panic+0x710/0x710 [ 104.611120][ T3823] ? kobject_uevent_env+0x46b/0x8e0 [ 104.616338][ T3823] ? do_raw_spin_unlock+0x134/0x8a0 [ 104.621918][ T3823] gfs2_withdraw+0xf33/0x1540 [ 104.626615][ T3823] ? gfs2_lm+0x220/0x220 [ 104.630850][ T3823] ? gfs2_dirent_scan+0xb6/0x650 [ 104.635792][ T3823] ? panic+0x710/0x710 [ 104.639872][ T3823] ? gfs2_permission+0x2ff/0x430 [ 104.644820][ T3823] ? gfs2_consist_inode_i+0xf3/0x110 [ 104.650129][ T3823] gfs2_dirent_scan+0x535/0x650 [ 104.654977][ T3823] ? gfs2_dirent_search+0xb10/0xb10 [ 104.660179][ T3823] gfs2_dirent_search+0x2ea/0xb10 [ 104.665223][ T3823] ? gfs2_dirent_search+0xb10/0xb10 [ 104.670438][ T3823] ? gfs2_dir_search+0x2a0/0x2a0 [ 104.675367][ T3823] ? gfs2_permission+0x3bf/0x430 [ 104.680297][ T3823] gfs2_dir_search+0x8c/0x2a0 [pid 3824] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3822] exit_group(0) = ? [ 104.684965][ T3823] ? do_filldir_main+0x530/0x530 [ 104.689896][ T3823] ? inode_go_held+0xe4/0x1f0 [ 104.694567][ T3823] ? gfs2_glock_wait+0x213/0x2a0 [ 104.699492][ T3823] gfs2_lookupi+0x465/0x650 [ 104.704003][ T3823] ? gfs2_lookup_simple+0x170/0x170 [ 104.709205][ T3823] ? __gfs2_lookup+0x8c/0x260 [ 104.713896][ T3823] __gfs2_lookup+0x8c/0x260 [ 104.718409][ T3823] ? gfs2_atomic_open+0x230/0x230 [ 104.723447][ T3823] ? __d_lookup+0x6a4/0x770 [ 104.727952][ T3823] ? d_hash_and_lookup+0x1c0/0x1c0 [ 104.733149][ T3823] gfs2_atomic_open+0xa4/0x230 [ 104.737925][ T3823] path_openat+0xf39/0x2df0 [ 104.742422][ T3823] ? gfs2_rename2+0x3000/0x3000 [ 104.747279][ T3823] ? do_filp_open+0x4f0/0x4f0 [ 104.751953][ T3823] do_filp_open+0x264/0x4f0 [ 104.756457][ T3823] ? vfs_tmpfile+0x490/0x490 [ 104.761057][ T3823] ? do_raw_spin_unlock+0x134/0x8a0 [ 104.766252][ T3823] ? _raw_spin_unlock+0x24/0x40 [ 104.771093][ T3823] ? alloc_fd+0x5a7/0x640 [ 104.775418][ T3823] do_sys_openat2+0x124/0x4e0 [ 104.780099][ T3823] ? print_irqtrace_events+0x220/0x220 [ 104.785557][ T3823] ? ptrace_stop+0x74d/0x970 [ 104.790136][ T3823] ? do_sys_open+0x220/0x220 [ 104.794737][ T3823] ? lockdep_hardirqs_on+0x8d/0x130 [ 104.799954][ T3823] ? _raw_spin_unlock_irq+0x2a/0x40 [ 104.805151][ T3823] ? ptrace_notify+0x245/0x340 [ 104.809907][ T3823] __x64_sys_openat+0x243/0x290 [ 104.814771][ T3823] ? __ia32_sys_open+0x270/0x270 [ 104.819729][ T3823] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 104.825709][ T3823] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 104.831697][ T3823] do_syscall_64+0x3d/0xb0 [ 104.836120][ T3823] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 104.842006][ T3823] RIP: 0033:0x7fc8868064d9 [ 104.846410][ T3823] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 104.866015][ T3823] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 104.874442][ T3823] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3824] <... futex resumed>) = ? [pid 3823] <... openat resumed>) = ? [pid 3824] +++ exited with 0 +++ [pid 3823] +++ exited with 0 +++ [pid 3822] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3822, si_uid=0, si_status=0, si_utime=2, si_stime=31} --- umount2("./61", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./61", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./61/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./61/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./61/binderfs") = 0 [ 104.882416][ T3823] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 104.890388][ T3823] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 104.898354][ T3823] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 104.906330][ T3823] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 104.914315][ T3823] umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./61/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./61/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./61/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./61") = 0 mkdir("./62", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3825 ./strace-static-x86_64: Process 3825 attached [pid 3825] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3825] chdir("./62") = 0 [pid 3825] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3825] setpgid(0, 0) = 0 [pid 3825] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3825] write(3, "1000", 4) = 4 [pid 3825] close(3) = 0 [pid 3825] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3825] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3825] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3825] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3825] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3826], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3826 [pid 3825] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3825] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3826 attached [pid 3826] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3826] memfd_create("syzkaller", 0) = 3 [pid 3826] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3826] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3826] munmap(0x7fc87e392000, 16777216) = 0 [pid 3826] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3826] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3826] close(3) = 0 [pid 3826] mkdir("./file0", 0777) = 0 [ 105.215226][ T3826] loop0: detected capacity change from 0 to 32768 [ 105.224983][ T3826] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 105.233285][ T3826] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 105.243200][ T3826] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 105.251793][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 105.258568][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3826] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3826] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3826] chdir("./file0") = 0 [pid 3826] ioctl(4, LOOP_CLR_FD) = 0 [pid 3826] close(4) = 0 [pid 3826] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3825] <... futex resumed>) = 0 [pid 3825] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3825] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3826] <... futex resumed>) = 1 [pid 3826] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3826] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3825] <... futex resumed>) = 0 [pid 3825] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3825] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3826] <... futex resumed>) = 1 [ 105.299365][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 105.306925][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 105.312285][ T3826] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 105.325569][ T3826] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 105.334014][ T3826] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 105.334014][ T3826] inode = 12 2341 [pid 3826] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3825] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3825] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3825] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3825] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3825] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3827], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3827 [pid 3825] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3827 attached [pid 3827] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 105.334014][ T3826] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 105.352840][ T3826] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 105.361963][ T3826] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3826 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 105.372191][ T3826] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 105.382995][ T3826] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 105.390708][ T3826] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 3827] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3827] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 105.399802][ T3826] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 105.406487][ T3826] gfs2: fsid=syz:syz.0: File system withdrawn [ 105.412628][ T3826] CPU: 0 PID: 3826 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 105.423052][ T3826] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 105.433103][ T3826] Call Trace: [ 105.436388][ T3826] [ 105.439326][ T3826] dump_stack_lvl+0x1b1/0x28e [ 105.444040][ T3826] ? nf_tcp_handle_invalid+0x62e/0x62e [ 105.449489][ T3826] ? panic+0x710/0x710 [ 105.453556][ T3826] ? kobject_uevent_env+0x46b/0x8e0 [ 105.458758][ T3826] ? do_raw_spin_unlock+0x134/0x8a0 [ 105.463949][ T3826] gfs2_withdraw+0xf33/0x1540 [ 105.468639][ T3826] ? gfs2_lm+0x220/0x220 [ 105.472885][ T3826] ? gfs2_dirent_scan+0xb6/0x650 [ 105.477818][ T3826] ? panic+0x710/0x710 [ 105.481880][ T3826] ? gfs2_permission+0x2ff/0x430 [ 105.486818][ T3826] ? gfs2_consist_inode_i+0xf3/0x110 [ 105.492094][ T3826] gfs2_dirent_scan+0x535/0x650 [ 105.496937][ T3826] ? gfs2_dirent_search+0xb10/0xb10 [ 105.502133][ T3826] gfs2_dirent_search+0x2ea/0xb10 [ 105.507238][ T3826] ? gfs2_dirent_search+0xb10/0xb10 [ 105.512438][ T3826] ? gfs2_dir_search+0x2a0/0x2a0 [ 105.517380][ T3826] ? gfs2_permission+0x3bf/0x430 [ 105.522320][ T3826] gfs2_dir_search+0x8c/0x2a0 [ 105.526997][ T3826] ? do_filldir_main+0x530/0x530 [ 105.531936][ T3826] ? inode_go_held+0xe4/0x1f0 [ 105.536610][ T3826] ? gfs2_glock_wait+0x213/0x2a0 [ 105.541541][ T3826] gfs2_lookupi+0x465/0x650 [ 105.546044][ T3826] ? gfs2_lookup_simple+0x170/0x170 [ 105.551246][ T3826] ? __gfs2_lookup+0x8c/0x260 [ 105.555923][ T3826] __gfs2_lookup+0x8c/0x260 [ 105.560418][ T3826] ? gfs2_atomic_open+0x230/0x230 [ 105.565459][ T3826] ? __d_lookup+0x6a4/0x770 [ 105.569985][ T3826] ? d_hash_and_lookup+0x1c0/0x1c0 [ 105.575106][ T3826] gfs2_atomic_open+0xa4/0x230 [ 105.579881][ T3826] path_openat+0xf39/0x2df0 [ 105.584386][ T3826] ? gfs2_rename2+0x3000/0x3000 [ 105.589244][ T3826] ? do_filp_open+0x4f0/0x4f0 [ 105.593926][ T3826] do_filp_open+0x264/0x4f0 [ 105.598428][ T3826] ? vfs_tmpfile+0x490/0x490 [ 105.603017][ T3826] ? do_raw_spin_unlock+0x134/0x8a0 [ 105.608260][ T3826] ? _raw_spin_unlock+0x24/0x40 [ 105.613120][ T3826] ? alloc_fd+0x5a7/0x640 [ 105.617468][ T3826] do_sys_openat2+0x124/0x4e0 [ 105.622146][ T3826] ? print_irqtrace_events+0x220/0x220 [ 105.627597][ T3826] ? ptrace_stop+0x74d/0x970 [ 105.632209][ T3826] ? do_sys_open+0x220/0x220 [ 105.636824][ T3826] ? lockdep_hardirqs_on+0x8d/0x130 [ 105.642030][ T3826] ? _raw_spin_unlock_irq+0x2a/0x40 [ 105.647228][ T3826] ? ptrace_notify+0x245/0x340 [ 105.652003][ T3826] __x64_sys_openat+0x243/0x290 [ 105.656870][ T3826] ? __ia32_sys_open+0x270/0x270 [ 105.661804][ T3826] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 105.667786][ T3826] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 105.673765][ T3826] do_syscall_64+0x3d/0xb0 [ 105.678176][ T3826] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 105.684062][ T3826] RIP: 0033:0x7fc8868064d9 [ 105.688467][ T3826] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 105.708064][ T3826] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 105.716469][ T3826] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 105.724429][ T3826] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 105.732828][ T3826] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 105.740789][ T3826] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3827] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3826] <... openat resumed>) = -1 EIO (Input/output error) [pid 3826] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3826] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3825] exit_group(0 [pid 3826] <... futex resumed>) = ? [pid 3826] +++ exited with 0 +++ [pid 3825] <... exit_group resumed>) = ? [pid 3827] <... futex resumed>) = ? [pid 3827] +++ exited with 0 +++ [pid 3825] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3825, si_uid=0, si_status=0, si_utime=4, si_stime=25} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./62", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./62", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./62/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./62/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./62/binderfs") = 0 [ 105.748755][ T3826] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 105.756754][ T3826] umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./62/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./62/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./62/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./62") = 0 mkdir("./63", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3828 attached [pid 3828] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3828] chdir("./63") = 0 [pid 3828] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3828] setpgid(0, 0) = 0 [pid 3630] <... clone resumed>, child_tidptr=0x55555635f5d0) = 3828 [pid 3828] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3828] write(3, "1000", 4) = 4 [pid 3828] close(3) = 0 [pid 3828] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3828] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3828] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3828] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3828] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3829], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3829 [pid 3828] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3828] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3829 attached [pid 3829] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3829] memfd_create("syzkaller", 0) = 3 [pid 3829] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3829] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3829] munmap(0x7fc87e392000, 16777216) = 0 [pid 3829] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3829] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3829] close(3) = 0 [pid 3829] mkdir("./file0", 0777) = 0 [ 106.055642][ T3829] loop0: detected capacity change from 0 to 32768 [ 106.068678][ T3829] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 106.077018][ T3829] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 106.086849][ T3829] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 106.095809][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 106.102984][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3829] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3829] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3829] chdir("./file0") = 0 [pid 3829] ioctl(4, LOOP_CLR_FD) = 0 [pid 3829] close(4) = 0 [pid 3829] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3828] <... futex resumed>) = 0 [pid 3828] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3828] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3829] <... futex resumed>) = 1 [pid 3829] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3829] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3828] <... futex resumed>) = 0 [pid 3828] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3828] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3829] <... futex resumed>) = 1 [ 106.140151][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 106.149288][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 106.154994][ T3829] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 106.169089][ T3829] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 106.177911][ T3829] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 106.177911][ T3829] inode = 12 2341 [pid 3829] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3828] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3828] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3828] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3828] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3828] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3830], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3830 ./strace-static-x86_64: Process 3830 attached [pid 3828] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3830] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 106.177911][ T3829] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 106.196645][ T3829] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 106.205726][ T3829] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3829 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 106.215877][ T3829] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 106.224421][ T3829] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 106.231706][ T3829] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 3830] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3830] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 106.243465][ T3829] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 106.250650][ T3829] gfs2: fsid=syz:syz.0: File system withdrawn [ 106.257319][ T3829] CPU: 0 PID: 3829 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 106.267761][ T3829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 106.277823][ T3829] Call Trace: [ 106.281091][ T3829] [ 106.284011][ T3829] dump_stack_lvl+0x1b1/0x28e [ 106.288687][ T3829] ? nf_tcp_handle_invalid+0x62e/0x62e [ 106.294147][ T3829] ? panic+0x710/0x710 [ 106.298207][ T3829] ? kobject_uevent_env+0x46b/0x8e0 [ 106.303395][ T3829] ? do_raw_spin_unlock+0x134/0x8a0 [ 106.308605][ T3829] gfs2_withdraw+0xf33/0x1540 [ 106.313329][ T3829] ? gfs2_lm+0x220/0x220 [ 106.317559][ T3829] ? gfs2_dirent_scan+0xb6/0x650 [ 106.322507][ T3829] ? panic+0x710/0x710 [ 106.326563][ T3829] ? gfs2_permission+0x2ff/0x430 [ 106.331493][ T3829] ? gfs2_consist_inode_i+0xf3/0x110 [ 106.336771][ T3829] gfs2_dirent_scan+0x535/0x650 [pid 3830] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3828] exit_group(0 [pid 3830] <... futex resumed>) = ? [pid 3828] <... exit_group resumed>) = ? [pid 3830] +++ exited with 0 +++ [ 106.341618][ T3829] ? gfs2_dirent_search+0xb10/0xb10 [ 106.346809][ T3829] gfs2_dirent_search+0x2ea/0xb10 [ 106.351824][ T3829] ? gfs2_dirent_search+0xb10/0xb10 [ 106.357033][ T3829] ? gfs2_dir_search+0x2a0/0x2a0 [ 106.361981][ T3829] ? gfs2_permission+0x3bf/0x430 [ 106.366937][ T3829] gfs2_dir_search+0x8c/0x2a0 [ 106.371805][ T3829] ? do_filldir_main+0x530/0x530 [ 106.376752][ T3829] ? inode_go_held+0xe4/0x1f0 [ 106.381425][ T3829] ? gfs2_glock_wait+0x213/0x2a0 [ 106.386371][ T3829] gfs2_lookupi+0x465/0x650 [ 106.390865][ T3829] ? gfs2_lookup_simple+0x170/0x170 [ 106.396048][ T3829] ? __gfs2_lookup+0x8c/0x260 [ 106.400733][ T3829] __gfs2_lookup+0x8c/0x260 [ 106.405221][ T3829] ? gfs2_atomic_open+0x230/0x230 [ 106.410243][ T3829] ? __d_lookup+0x6a4/0x770 [ 106.414758][ T3829] ? d_hash_and_lookup+0x1c0/0x1c0 [ 106.419876][ T3829] gfs2_atomic_open+0xa4/0x230 [ 106.424633][ T3829] path_openat+0xf39/0x2df0 [ 106.429131][ T3829] ? gfs2_rename2+0x3000/0x3000 [ 106.434001][ T3829] ? do_filp_open+0x4f0/0x4f0 [ 106.438690][ T3829] do_filp_open+0x264/0x4f0 [ 106.443178][ T3829] ? vfs_tmpfile+0x490/0x490 [ 106.447776][ T3829] ? do_raw_spin_unlock+0x134/0x8a0 [ 106.452991][ T3829] ? _raw_spin_unlock+0x24/0x40 [ 106.457847][ T3829] ? alloc_fd+0x5a7/0x640 [ 106.462173][ T3829] do_sys_openat2+0x124/0x4e0 [ 106.466850][ T3829] ? print_irqtrace_events+0x220/0x220 [ 106.472321][ T3829] ? ptrace_stop+0x74d/0x970 [ 106.476914][ T3829] ? do_sys_open+0x220/0x220 [ 106.481490][ T3829] ? lockdep_hardirqs_on+0x8d/0x130 [ 106.486675][ T3829] ? _raw_spin_unlock_irq+0x2a/0x40 [ 106.491871][ T3829] ? ptrace_notify+0x245/0x340 [ 106.496625][ T3829] __x64_sys_openat+0x243/0x290 [ 106.501474][ T3829] ? __ia32_sys_open+0x270/0x270 [ 106.506414][ T3829] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 106.512399][ T3829] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 106.518394][ T3829] do_syscall_64+0x3d/0xb0 [ 106.522804][ T3829] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 106.528695][ T3829] RIP: 0033:0x7fc8868064d9 [ 106.533119][ T3829] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 106.552719][ T3829] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 106.561122][ T3829] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 106.569079][ T3829] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 106.577055][ T3829] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 106.585027][ T3829] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3829] <... openat resumed>) = ? [pid 3829] +++ exited with 0 +++ [pid 3828] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3828, si_uid=0, si_status=0, si_utime=3, si_stime=28} --- umount2("./63", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./63", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./63/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./63/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./63/binderfs") = 0 [ 106.593008][ T3829] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 106.601157][ T3829] umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./63/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./63/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./63/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./63") = 0 mkdir("./64", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3831 ./strace-static-x86_64: Process 3831 attached [pid 3831] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3831] chdir("./64") = 0 [pid 3831] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3831] setpgid(0, 0) = 0 [pid 3831] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3831] write(3, "1000", 4) = 4 [pid 3831] close(3) = 0 [pid 3831] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3831] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3831] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3831] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3831] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3832], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3832 [pid 3831] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3831] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3832 attached [pid 3832] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3832] memfd_create("syzkaller", 0) = 3 [pid 3832] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3832] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3832] munmap(0x7fc87e392000, 16777216) = 0 [pid 3832] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3832] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3832] close(3) = 0 [pid 3832] mkdir("./file0", 0777) = 0 [ 106.921280][ T3832] loop0: detected capacity change from 0 to 32768 [ 106.932184][ T3832] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 106.940524][ T3832] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 106.950499][ T3832] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 106.959256][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 106.966484][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3832] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3832] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3832] chdir("./file0") = 0 [pid 3832] ioctl(4, LOOP_CLR_FD) = 0 [pid 3832] close(4) = 0 [pid 3832] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3831] <... futex resumed>) = 0 [pid 3831] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3831] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3832] <... futex resumed>) = 1 [pid 3832] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3832] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3831] <... futex resumed>) = 0 [pid 3831] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3831] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3832] <... futex resumed>) = 1 [ 107.004387][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 107.013191][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 107.018430][ T3832] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 107.034590][ T3832] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 107.043659][ T3832] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 107.043659][ T3832] inode = 12 2341 [pid 3832] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3831] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3831] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3831] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3831] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3831] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3831] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3833], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3833 ./strace-static-x86_64: Process 3833 attached [pid 3833] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3833] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3831] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3833] <... futex resumed>) = 0 [pid 3831] <... futex resumed>) = 1 [pid 3833] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3833] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 107.043659][ T3832] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 107.063412][ T3832] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 107.073208][ T3832] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3832 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 107.084502][ T3832] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 107.095392][ T3832] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 107.103053][ T3832] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 107.112217][ T3832] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 107.118784][ T3832] gfs2: fsid=syz:syz.0: File system withdrawn [ 107.125403][ T3832] CPU: 0 PID: 3832 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 107.135836][ T3832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 107.145906][ T3832] Call Trace: [ 107.149206][ T3832] [ 107.152137][ T3832] dump_stack_lvl+0x1b1/0x28e [ 107.156821][ T3832] ? nf_tcp_handle_invalid+0x62e/0x62e [ 107.162287][ T3832] ? panic+0x710/0x710 [ 107.166351][ T3832] ? kobject_uevent_env+0x46b/0x8e0 [ 107.171537][ T3832] ? do_raw_spin_unlock+0x134/0x8a0 [ 107.176741][ T3832] gfs2_withdraw+0xf33/0x1540 [ 107.181462][ T3832] ? gfs2_lm+0x220/0x220 [ 107.185708][ T3832] ? gfs2_dirent_scan+0xb6/0x650 [ 107.190724][ T3832] ? panic+0x710/0x710 [ 107.194784][ T3832] ? gfs2_permission+0x2ff/0x430 [ 107.199804][ T3832] ? gfs2_consist_inode_i+0xf3/0x110 [ 107.205089][ T3832] gfs2_dirent_scan+0x535/0x650 [ 107.209950][ T3832] ? gfs2_dirent_search+0xb10/0xb10 [ 107.215143][ T3832] gfs2_dirent_search+0x2ea/0xb10 [ 107.220160][ T3832] ? gfs2_dirent_search+0xb10/0xb10 [ 107.225352][ T3832] ? gfs2_dir_search+0x2a0/0x2a0 [ 107.230283][ T3832] ? gfs2_permission+0x3bf/0x430 [ 107.235229][ T3832] gfs2_dir_search+0x8c/0x2a0 [ 107.239905][ T3832] ? do_filldir_main+0x530/0x530 [ 107.244837][ T3832] ? inode_go_held+0xe4/0x1f0 [ 107.249510][ T3832] ? gfs2_glock_wait+0x213/0x2a0 [ 107.254439][ T3832] gfs2_lookupi+0x465/0x650 [ 107.258941][ T3832] ? gfs2_lookup_simple+0x170/0x170 [ 107.264131][ T3832] ? __gfs2_lookup+0x8c/0x260 [ 107.268808][ T3832] __gfs2_lookup+0x8c/0x260 [ 107.273312][ T3832] ? gfs2_atomic_open+0x230/0x230 [ 107.278333][ T3832] ? __d_lookup+0x6a4/0x770 [ 107.282828][ T3832] ? d_hash_and_lookup+0x1c0/0x1c0 [ 107.287934][ T3832] gfs2_atomic_open+0xa4/0x230 [ 107.292695][ T3832] path_openat+0xf39/0x2df0 [ 107.297195][ T3832] ? gfs2_rename2+0x3000/0x3000 [ 107.302050][ T3832] ? do_filp_open+0x4f0/0x4f0 [ 107.306728][ T3832] do_filp_open+0x264/0x4f0 [ 107.311222][ T3832] ? vfs_tmpfile+0x490/0x490 [ 107.315810][ T3832] ? do_raw_spin_unlock+0x134/0x8a0 [ 107.321005][ T3832] ? _raw_spin_unlock+0x24/0x40 [ 107.325848][ T3832] ? alloc_fd+0x5a7/0x640 [ 107.330175][ T3832] do_sys_openat2+0x124/0x4e0 [ 107.334842][ T3832] ? print_irqtrace_events+0x220/0x220 [ 107.340291][ T3832] ? ptrace_stop+0x74d/0x970 [ 107.344872][ T3832] ? do_sys_open+0x220/0x220 [ 107.349451][ T3832] ? lockdep_hardirqs_on+0x8d/0x130 [ 107.354640][ T3832] ? _raw_spin_unlock_irq+0x2a/0x40 [ 107.359830][ T3832] ? ptrace_notify+0x245/0x340 [ 107.364584][ T3832] __x64_sys_openat+0x243/0x290 [ 107.369429][ T3832] ? __ia32_sys_open+0x270/0x270 [ 107.374359][ T3832] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 107.380329][ T3832] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 107.386302][ T3832] do_syscall_64+0x3d/0xb0 [ 107.390706][ T3832] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 107.396585][ T3832] RIP: 0033:0x7fc8868064d9 [ 107.400986][ T3832] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 107.420579][ T3832] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 107.428983][ T3832] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 107.436944][ T3832] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 107.444905][ T3832] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3833] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3832] <... openat resumed>) = -1 EIO (Input/output error) [pid 3832] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3832] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3831] exit_group(0 [pid 3832] <... futex resumed>) = ? [pid 3831] <... exit_group resumed>) = ? [pid 3832] +++ exited with 0 +++ [pid 3833] <... futex resumed>) = ? [pid 3833] +++ exited with 0 +++ [pid 3831] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3831, si_uid=0, si_status=0, si_utime=0, si_stime=28} --- umount2("./64", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./64", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./64/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./64/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./64/binderfs") = 0 [ 107.452863][ T3832] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 107.460820][ T3832] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 107.468796][ T3832] umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./64/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./64/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./64/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./64") = 0 mkdir("./65", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3834 ./strace-static-x86_64: Process 3834 attached [pid 3834] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3834] chdir("./65") = 0 [pid 3834] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3834] setpgid(0, 0) = 0 [pid 3834] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3834] write(3, "1000", 4) = 4 [pid 3834] close(3) = 0 [pid 3834] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3834] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3834] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3834] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3834] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3835 attached , parent_tid=[3835], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3835 [pid 3835] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3835] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3834] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3834] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3835] <... futex resumed>) = 0 [pid 3835] memfd_create("syzkaller", 0) = 3 [pid 3835] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3835] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3835] munmap(0x7fc87e392000, 16777216) = 0 [pid 3835] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3835] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3835] close(3) = 0 [pid 3835] mkdir("./file0", 0777) = 0 [ 107.769467][ T3835] loop0: detected capacity change from 0 to 32768 [ 107.780468][ T3835] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 107.788706][ T3835] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 107.799359][ T3835] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 107.808250][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 107.815219][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3835] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3835] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3835] chdir("./file0") = 0 [pid 3835] ioctl(4, LOOP_CLR_FD) = 0 [pid 3835] close(4) = 0 [pid 3835] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3835] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3834] <... futex resumed>) = 0 [pid 3834] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3834] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3835] <... futex resumed>) = 0 [pid 3835] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3835] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3834] <... futex resumed>) = 0 [pid 3835] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3834] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3835] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3834] <... futex resumed>) = 0 [ 107.854576][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 107.862406][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 107.867697][ T3835] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3835] openat(AT_FDCWD, "./file0", O_RDONLY [ 107.896509][ T3835] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 107.905444][ T3835] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 107.905444][ T3835] inode = 12 2341 [ 107.905444][ T3835] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 107.924549][ T3835] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 107.933770][ T3835] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3835 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3834] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3834] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3834] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3834] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3834] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3836], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3836 [pid 3834] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3836 attached [pid 3836] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3836] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3836] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 107.943917][ T3835] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 107.952481][ T3835] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 107.960346][ T3835] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 107.969483][ T3835] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 107.976080][ T3835] gfs2: fsid=syz:syz.0: File system withdrawn [ 107.982195][ T3835] CPU: 1 PID: 3835 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 107.992619][ T3835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 108.004154][ T3835] Call Trace: [ 108.007434][ T3835] [ 108.010374][ T3835] dump_stack_lvl+0x1b1/0x28e [ 108.015066][ T3835] ? nf_tcp_handle_invalid+0x62e/0x62e [ 108.020524][ T3835] ? panic+0x710/0x710 [ 108.024609][ T3835] ? kobject_uevent_env+0x46b/0x8e0 [ 108.029817][ T3835] ? do_raw_spin_unlock+0x134/0x8a0 [ 108.035015][ T3835] gfs2_withdraw+0xf33/0x1540 [ 108.039714][ T3835] ? gfs2_lm+0x220/0x220 [ 108.044007][ T3835] ? gfs2_dirent_scan+0xb6/0x650 [ 108.048945][ T3835] ? panic+0x710/0x710 [ 108.053031][ T3835] ? gfs2_permission+0x2ff/0x430 [ 108.057983][ T3835] ? gfs2_consist_inode_i+0xf3/0x110 [ 108.063267][ T3835] gfs2_dirent_scan+0x535/0x650 [ 108.068127][ T3835] ? gfs2_dirent_search+0xb10/0xb10 [ 108.073330][ T3835] gfs2_dirent_search+0x2ea/0xb10 [ 108.078354][ T3835] ? gfs2_dirent_search+0xb10/0xb10 [ 108.083551][ T3835] ? gfs2_dir_search+0x2a0/0x2a0 [ 108.088484][ T3835] ? gfs2_permission+0x3bf/0x430 [ 108.093423][ T3835] gfs2_dir_search+0x8c/0x2a0 [ 108.098096][ T3835] ? do_filldir_main+0x530/0x530 [ 108.103026][ T3835] ? inode_go_held+0xe4/0x1f0 [ 108.107701][ T3835] ? gfs2_glock_wait+0x213/0x2a0 [ 108.112631][ T3835] gfs2_lookupi+0x465/0x650 [ 108.117133][ T3835] ? gfs2_lookup_simple+0x170/0x170 [ 108.122335][ T3835] ? __gfs2_lookup+0x8c/0x260 [ 108.127013][ T3835] __gfs2_lookup+0x8c/0x260 [ 108.131510][ T3835] ? gfs2_atomic_open+0x230/0x230 [ 108.136531][ T3835] ? __d_lookup+0x6a4/0x770 [ 108.141026][ T3835] ? d_hash_and_lookup+0x1c0/0x1c0 [ 108.146127][ T3835] gfs2_atomic_open+0xa4/0x230 [ 108.150889][ T3835] path_openat+0xf39/0x2df0 [ 108.155394][ T3835] ? gfs2_rename2+0x3000/0x3000 [ 108.160283][ T3835] ? do_filp_open+0x4f0/0x4f0 [ 108.164973][ T3835] do_filp_open+0x264/0x4f0 [ 108.169474][ T3835] ? vfs_tmpfile+0x490/0x490 [ 108.174070][ T3835] ? do_raw_spin_unlock+0x134/0x8a0 [ 108.179274][ T3835] ? _raw_spin_unlock+0x24/0x40 [ 108.184126][ T3835] ? alloc_fd+0x5a7/0x640 [ 108.188459][ T3835] do_sys_openat2+0x124/0x4e0 [ 108.193128][ T3835] ? print_irqtrace_events+0x220/0x220 [ 108.198574][ T3835] ? ptrace_stop+0x74d/0x970 [ 108.203158][ T3835] ? do_sys_open+0x220/0x220 [ 108.207740][ T3835] ? lockdep_hardirqs_on+0x8d/0x130 [ 108.212930][ T3835] ? _raw_spin_unlock_irq+0x2a/0x40 [ 108.218124][ T3835] ? ptrace_notify+0x245/0x340 [ 108.222878][ T3835] __x64_sys_openat+0x243/0x290 [ 108.227722][ T3835] ? __ia32_sys_open+0x270/0x270 [ 108.232653][ T3835] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 108.238628][ T3835] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 108.244601][ T3835] do_syscall_64+0x3d/0xb0 [ 108.249007][ T3835] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 108.254888][ T3835] RIP: 0033:0x7fc8868064d9 [ 108.259295][ T3835] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 108.278893][ T3835] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 108.287298][ T3835] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3836] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3835] <... openat resumed>) = -1 EIO (Input/output error) [pid 3835] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3835] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3834] exit_group(0 [pid 3836] <... futex resumed>) = ? [pid 3834] <... exit_group resumed>) = ? [pid 3835] <... futex resumed>) = ? [pid 3836] +++ exited with 0 +++ [pid 3835] +++ exited with 0 +++ [pid 3834] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3834, si_uid=0, si_status=0, si_utime=2, si_stime=30} --- umount2("./65", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./65", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./65/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./65/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./65/binderfs") = 0 [ 108.295259][ T3835] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 108.303216][ T3835] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 108.311223][ T3835] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 108.319187][ T3835] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 108.327163][ T3835] umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./65/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./65/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./65/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./65") = 0 mkdir("./66", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3837 ./strace-static-x86_64: Process 3837 attached [pid 3837] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3837] chdir("./66") = 0 [pid 3837] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3837] setpgid(0, 0) = 0 [pid 3837] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3837] write(3, "1000", 4) = 4 [pid 3837] close(3) = 0 [pid 3837] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3837] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3837] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3837] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3837] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3838 attached [pid 3838] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3837] <... clone resumed>, parent_tid=[3838], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3838 [pid 3837] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3837] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3838] memfd_create("syzkaller", 0) = 3 [pid 3838] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3838] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3838] munmap(0x7fc87e392000, 16777216) = 0 [pid 3838] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3838] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3838] close(3) = 0 [pid 3838] mkdir("./file0", 0777) = 0 [ 108.633151][ T3838] loop0: detected capacity change from 0 to 32768 [ 108.644276][ T3838] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 108.652557][ T3838] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 108.662816][ T3838] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 108.671782][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 108.678553][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3838] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3838] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3838] chdir("./file0") = 0 [pid 3838] ioctl(4, LOOP_CLR_FD) = 0 [pid 3838] close(4) = 0 [pid 3838] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3837] <... futex resumed>) = 0 [pid 3837] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3837] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3838] <... futex resumed>) = 1 [pid 3838] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3838] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3837] <... futex resumed>) = 0 [pid 3837] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3837] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3838] <... futex resumed>) = 1 [ 108.712352][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 108.721298][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 108.726547][ T3838] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 108.745764][ T3838] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 108.754487][ T3838] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3838] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3837] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 108.754487][ T3838] inode = 12 2341 [ 108.754487][ T3838] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 108.773311][ T3838] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 108.782722][ T3838] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3838 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 108.792845][ T3838] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 108.801535][ T3838] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3837] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3837] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3837] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3837] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3839 attached , parent_tid=[3839], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3839 [pid 3839] set_robust_list(0x7fc87f3919e0, 24 [pid 3837] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3839] <... set_robust_list resumed>) = 0 [pid 3839] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3839] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3839] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3837] <... futex resumed>) = 1 [pid 3839] <... futex resumed>) = 0 [ 108.809231][ T3838] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 108.820614][ T3838] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 108.827506][ T3838] gfs2: fsid=syz:syz.0: File system withdrawn [ 108.834008][ T3838] CPU: 0 PID: 3838 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 108.844450][ T3838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 108.854506][ T3838] Call Trace: [ 108.857776][ T3838] [ 108.860713][ T3838] dump_stack_lvl+0x1b1/0x28e [ 108.865396][ T3838] ? nf_tcp_handle_invalid+0x62e/0x62e [ 108.870843][ T3838] ? panic+0x710/0x710 [ 108.874911][ T3838] ? kobject_uevent_env+0x46b/0x8e0 [ 108.880104][ T3838] ? do_raw_spin_unlock+0x134/0x8a0 [ 108.885324][ T3838] gfs2_withdraw+0xf33/0x1540 [ 108.890031][ T3838] ? gfs2_lm+0x220/0x220 [ 108.894271][ T3838] ? gfs2_dirent_scan+0xb6/0x650 [ 108.899248][ T3838] ? panic+0x710/0x710 [ 108.903314][ T3838] ? gfs2_permission+0x2ff/0x430 [ 108.908250][ T3838] ? gfs2_consist_inode_i+0xf3/0x110 [ 108.913528][ T3838] gfs2_dirent_scan+0x535/0x650 [ 108.918384][ T3838] ? gfs2_dirent_search+0xb10/0xb10 [ 108.923576][ T3838] gfs2_dirent_search+0x2ea/0xb10 [ 108.928606][ T3838] ? gfs2_dirent_search+0xb10/0xb10 [ 108.933823][ T3838] ? gfs2_dir_search+0x2a0/0x2a0 [ 108.939210][ T3838] ? gfs2_permission+0x3bf/0x430 [ 108.944157][ T3838] gfs2_dir_search+0x8c/0x2a0 [ 108.948842][ T3838] ? do_filldir_main+0x530/0x530 [ 108.953777][ T3838] ? inode_go_held+0xe4/0x1f0 [ 108.958451][ T3838] ? gfs2_glock_wait+0x213/0x2a0 [ 108.963383][ T3838] gfs2_lookupi+0x465/0x650 [ 108.967886][ T3838] ? gfs2_lookup_simple+0x170/0x170 [ 108.973079][ T3838] ? __gfs2_lookup+0x8c/0x260 [ 108.977758][ T3838] __gfs2_lookup+0x8c/0x260 [ 108.982257][ T3838] ? gfs2_atomic_open+0x230/0x230 [ 108.987277][ T3838] ? __d_lookup+0x6a4/0x770 [ 108.991775][ T3838] ? d_hash_and_lookup+0x1c0/0x1c0 [ 108.996882][ T3838] gfs2_atomic_open+0xa4/0x230 [ 109.001662][ T3838] path_openat+0xf39/0x2df0 [ 109.006172][ T3838] ? gfs2_rename2+0x3000/0x3000 [ 109.011039][ T3838] ? do_filp_open+0x4f0/0x4f0 [ 109.015735][ T3838] do_filp_open+0x264/0x4f0 [ 109.020248][ T3838] ? vfs_tmpfile+0x490/0x490 [ 109.024852][ T3838] ? do_raw_spin_unlock+0x134/0x8a0 [ 109.030069][ T3838] ? _raw_spin_unlock+0x24/0x40 [ 109.034935][ T3838] ? alloc_fd+0x5a7/0x640 [ 109.039271][ T3838] do_sys_openat2+0x124/0x4e0 [ 109.043943][ T3838] ? print_irqtrace_events+0x220/0x220 [ 109.049393][ T3838] ? ptrace_stop+0x74d/0x970 [ 109.053979][ T3838] ? do_sys_open+0x220/0x220 [ 109.058580][ T3838] ? lockdep_hardirqs_on+0x8d/0x130 [ 109.063798][ T3838] ? _raw_spin_unlock_irq+0x2a/0x40 [ 109.069021][ T3838] ? ptrace_notify+0x245/0x340 [ 109.073785][ T3838] __x64_sys_openat+0x243/0x290 [ 109.078647][ T3838] ? __ia32_sys_open+0x270/0x270 [ 109.083595][ T3838] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 109.089577][ T3838] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 109.095551][ T3838] do_syscall_64+0x3d/0xb0 [ 109.099965][ T3838] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 109.105875][ T3838] RIP: 0033:0x7fc8868064d9 [ 109.110280][ T3838] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 109.129880][ T3838] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 109.138287][ T3838] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 109.146253][ T3838] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 109.154220][ T3838] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3839] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3838] <... openat resumed>) = -1 EIO (Input/output error) [pid 3838] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3837] exit_group(0 [pid 3838] <... futex resumed>) = ? [pid 3837] <... exit_group resumed>) = ? [pid 3838] +++ exited with 0 +++ [pid 3839] <... futex resumed>) = ? [pid 3839] +++ exited with 0 +++ [pid 3837] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3837, si_uid=0, si_status=0, si_utime=1, si_stime=30} --- umount2("./66", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./66", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./66/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./66/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./66/binderfs") = 0 [ 109.162185][ T3838] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 109.170151][ T3838] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 109.178131][ T3838] umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./66/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./66/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./66/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./66") = 0 mkdir("./67", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3840 ./strace-static-x86_64: Process 3840 attached [pid 3840] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3840] chdir("./67") = 0 [pid 3840] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3840] setpgid(0, 0) = 0 [pid 3840] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3840] write(3, "1000", 4) = 4 [pid 3840] close(3) = 0 [pid 3840] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3840] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3840] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3840] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3840] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3841 attached , parent_tid=[3841], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3841 [pid 3840] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3840] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3841] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3841] memfd_create("syzkaller", 0) = 3 [pid 3841] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3841] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3841] munmap(0x7fc87e392000, 16777216) = 0 [pid 3841] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3841] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3841] close(3) = 0 [pid 3841] mkdir("./file0", 0777) = 0 [ 109.492560][ T3841] loop0: detected capacity change from 0 to 32768 [ 109.502448][ T3841] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 109.510682][ T3841] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 109.520655][ T3841] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 109.529193][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 109.536349][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3841] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3841] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3841] chdir("./file0") = 0 [pid 3841] ioctl(4, LOOP_CLR_FD) = 0 [pid 3841] close(4) = 0 [pid 3841] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3840] <... futex resumed>) = 0 [pid 3840] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3840] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3841] <... futex resumed>) = 1 [pid 3841] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3841] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3840] <... futex resumed>) = 0 [pid 3840] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3840] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3841] <... futex resumed>) = 1 [ 109.571988][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 109.579512][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 109.584940][ T3841] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 109.602959][ T3841] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 109.611503][ T3841] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3841] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3840] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3840] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3840] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3840] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3840] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3842], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3842 [pid 3840] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3842 attached [pid 3842] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3842] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3842] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 109.611503][ T3841] inode = 12 2341 [ 109.611503][ T3841] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 109.630426][ T3841] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 109.639588][ T3841] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3841 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 109.649724][ T3841] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 109.658581][ T3841] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 109.665960][ T3841] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 109.674863][ T3841] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 109.681589][ T3841] gfs2: fsid=syz:syz.0: File system withdrawn [ 109.687674][ T3841] CPU: 0 PID: 3841 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 109.698183][ T3841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 109.708257][ T3841] Call Trace: [ 109.711536][ T3841] [ 109.714455][ T3841] dump_stack_lvl+0x1b1/0x28e [ 109.719134][ T3841] ? nf_tcp_handle_invalid+0x62e/0x62e [ 109.724602][ T3841] ? panic+0x710/0x710 [ 109.728674][ T3841] ? kobject_uevent_env+0x46b/0x8e0 [ 109.733875][ T3841] ? do_raw_spin_unlock+0x134/0x8a0 [ 109.739089][ T3841] gfs2_withdraw+0xf33/0x1540 [ 109.743852][ T3841] ? gfs2_lm+0x220/0x220 [ 109.748113][ T3841] ? gfs2_dirent_scan+0xb6/0x650 [ 109.753044][ T3841] ? panic+0x710/0x710 [ 109.757099][ T3841] ? gfs2_permission+0x2ff/0x430 [ 109.762046][ T3841] ? gfs2_consist_inode_i+0xf3/0x110 [ 109.767341][ T3841] gfs2_dirent_scan+0x535/0x650 [pid 3842] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3840] exit_group(0 [pid 3842] <... futex resumed>) = ? [pid 3840] <... exit_group resumed>) = ? [pid 3842] +++ exited with 0 +++ [ 109.772194][ T3841] ? gfs2_dirent_search+0xb10/0xb10 [ 109.777397][ T3841] gfs2_dirent_search+0x2ea/0xb10 [ 109.782433][ T3841] ? gfs2_dirent_search+0xb10/0xb10 [ 109.787623][ T3841] ? gfs2_dir_search+0x2a0/0x2a0 [ 109.792549][ T3841] ? gfs2_permission+0x3bf/0x430 [ 109.797500][ T3841] gfs2_dir_search+0x8c/0x2a0 [ 109.802199][ T3841] ? do_filldir_main+0x530/0x530 [ 109.807134][ T3841] ? inode_go_held+0xe4/0x1f0 [ 109.811806][ T3841] ? gfs2_glock_wait+0x213/0x2a0 [ 109.816735][ T3841] gfs2_lookupi+0x465/0x650 [ 109.821236][ T3841] ? gfs2_lookup_simple+0x170/0x170 [ 109.826426][ T3841] ? __gfs2_lookup+0x8c/0x260 [ 109.831095][ T3841] __gfs2_lookup+0x8c/0x260 [ 109.835607][ T3841] ? gfs2_atomic_open+0x230/0x230 [ 109.840642][ T3841] ? __d_lookup+0x6a4/0x770 [ 109.845143][ T3841] ? d_hash_and_lookup+0x1c0/0x1c0 [ 109.850263][ T3841] gfs2_atomic_open+0xa4/0x230 [ 109.855030][ T3841] path_openat+0xf39/0x2df0 [ 109.859534][ T3841] ? gfs2_rename2+0x3000/0x3000 [ 109.864489][ T3841] ? do_filp_open+0x4f0/0x4f0 [ 109.869179][ T3841] do_filp_open+0x264/0x4f0 [ 109.873698][ T3841] ? vfs_tmpfile+0x490/0x490 [ 109.878307][ T3841] ? do_raw_spin_unlock+0x134/0x8a0 [ 109.883525][ T3841] ? _raw_spin_unlock+0x24/0x40 [ 109.888366][ T3841] ? alloc_fd+0x5a7/0x640 [ 109.892693][ T3841] do_sys_openat2+0x124/0x4e0 [ 109.897358][ T3841] ? print_irqtrace_events+0x220/0x220 [ 109.902805][ T3841] ? ptrace_stop+0x74d/0x970 [ 109.907388][ T3841] ? do_sys_open+0x220/0x220 [ 109.911966][ T3841] ? lockdep_hardirqs_on+0x8d/0x130 [ 109.917176][ T3841] ? _raw_spin_unlock_irq+0x2a/0x40 [ 109.922392][ T3841] ? ptrace_notify+0x245/0x340 [ 109.927147][ T3841] __x64_sys_openat+0x243/0x290 [ 109.931993][ T3841] ? __ia32_sys_open+0x270/0x270 [ 109.936925][ T3841] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 109.942908][ T3841] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 109.948973][ T3841] do_syscall_64+0x3d/0xb0 [ 109.953383][ T3841] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 109.959265][ T3841] RIP: 0033:0x7fc8868064d9 [ 109.963667][ T3841] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 109.983357][ T3841] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 109.991769][ T3841] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 109.999751][ T3841] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 110.007817][ T3841] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 110.015778][ T3841] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3841] <... openat resumed>) = ? [pid 3841] +++ exited with 0 +++ [pid 3840] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3840, si_uid=0, si_status=0, si_utime=0, si_stime=27} --- umount2("./67", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./67", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./67/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./67/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./67/binderfs") = 0 [ 110.023739][ T3841] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 110.031713][ T3841] umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./67/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./67/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./67/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./67") = 0 mkdir("./68", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3843 ./strace-static-x86_64: Process 3843 attached [pid 3843] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3843] chdir("./68") = 0 [pid 3843] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3843] setpgid(0, 0) = 0 [pid 3843] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3843] write(3, "1000", 4) = 4 [pid 3843] close(3) = 0 [pid 3843] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3843] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3843] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3843] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3843] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3844], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3844 ./strace-static-x86_64: Process 3844 attached [pid 3843] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3843] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3844] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3844] memfd_create("syzkaller", 0) = 3 [pid 3844] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3844] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3844] munmap(0x7fc87e392000, 16777216) = 0 [pid 3844] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3844] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3844] close(3) = 0 [pid 3844] mkdir("./file0", 0777) = 0 [ 110.325020][ T3844] loop0: detected capacity change from 0 to 32768 [ 110.336272][ T3844] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 110.345020][ T3844] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 110.354153][ T3844] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 110.362781][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 110.369548][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3844] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3844] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3844] chdir("./file0") = 0 [pid 3844] ioctl(4, LOOP_CLR_FD) = 0 [pid 3844] close(4) = 0 [pid 3844] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3843] <... futex resumed>) = 0 [pid 3843] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3843] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3844] <... futex resumed>) = 1 [pid 3844] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3844] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3843] <... futex resumed>) = 0 [pid 3843] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3843] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 110.406176][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 110.415184][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 110.420543][ T3844] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 110.452573][ T3844] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 110.461256][ T3844] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 110.461256][ T3844] inode = 12 2341 [ 110.461256][ T3844] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 110.480626][ T3844] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 110.489667][ T3844] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3844 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3844] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3843] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3843] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3843] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3843] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3843] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3845], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3845 [pid 3843] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3845 attached [pid 3845] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3845] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3845] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 110.499962][ T3844] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 110.508505][ T3844] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 110.515816][ T3844] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 110.524665][ T3844] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 110.532741][ T3844] gfs2: fsid=syz:syz.0: File system withdrawn [ 110.538817][ T3844] CPU: 0 PID: 3844 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 110.549224][ T3844] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 110.559289][ T3844] Call Trace: [ 110.562560][ T3844] [ 110.565493][ T3844] dump_stack_lvl+0x1b1/0x28e [ 110.570172][ T3844] ? nf_tcp_handle_invalid+0x62e/0x62e [ 110.575633][ T3844] ? panic+0x710/0x710 [ 110.579691][ T3844] ? kobject_uevent_env+0x46b/0x8e0 [ 110.584877][ T3844] ? do_raw_spin_unlock+0x134/0x8a0 [ 110.590171][ T3844] gfs2_withdraw+0xf33/0x1540 [ 110.594876][ T3844] ? gfs2_lm+0x220/0x220 [pid 3845] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 110.599116][ T3844] ? gfs2_dirent_scan+0xb6/0x650 [ 110.604069][ T3844] ? panic+0x710/0x710 [ 110.608141][ T3844] ? gfs2_permission+0x2ff/0x430 [ 110.613082][ T3844] ? gfs2_consist_inode_i+0xf3/0x110 [ 110.618376][ T3844] gfs2_dirent_scan+0x535/0x650 [ 110.623247][ T3844] ? gfs2_dirent_search+0xb10/0xb10 [ 110.628460][ T3844] gfs2_dirent_search+0x2ea/0xb10 [ 110.633487][ T3844] ? gfs2_dirent_search+0xb10/0xb10 [ 110.638682][ T3844] ? gfs2_dir_search+0x2a0/0x2a0 [ 110.643627][ T3844] ? gfs2_permission+0x3bf/0x430 [ 110.648578][ T3844] gfs2_dir_search+0x8c/0x2a0 [pid 3843] exit_group(0 [pid 3845] <... futex resumed>) = ? [pid 3843] <... exit_group resumed>) = ? [pid 3845] +++ exited with 0 +++ [ 110.653266][ T3844] ? do_filldir_main+0x530/0x530 [ 110.658216][ T3844] ? inode_go_held+0xe4/0x1f0 [ 110.662887][ T3844] ? gfs2_glock_wait+0x213/0x2a0 [ 110.667817][ T3844] gfs2_lookupi+0x465/0x650 [ 110.672322][ T3844] ? gfs2_lookup_simple+0x170/0x170 [ 110.677596][ T3844] ? __gfs2_lookup+0x8c/0x260 [ 110.682274][ T3844] __gfs2_lookup+0x8c/0x260 [ 110.686781][ T3844] ? gfs2_atomic_open+0x230/0x230 [ 110.691820][ T3844] ? __d_lookup+0x6a4/0x770 [ 110.696316][ T3844] ? d_hash_and_lookup+0x1c0/0x1c0 [ 110.701429][ T3844] gfs2_atomic_open+0xa4/0x230 [ 110.706184][ T3844] path_openat+0xf39/0x2df0 [ 110.710680][ T3844] ? gfs2_rename2+0x3000/0x3000 [ 110.715550][ T3844] ? do_filp_open+0x4f0/0x4f0 [ 110.720242][ T3844] do_filp_open+0x264/0x4f0 [ 110.724731][ T3844] ? vfs_tmpfile+0x490/0x490 [ 110.729329][ T3844] ? do_raw_spin_unlock+0x134/0x8a0 [ 110.734538][ T3844] ? _raw_spin_unlock+0x24/0x40 [ 110.739377][ T3844] ? alloc_fd+0x5a7/0x640 [ 110.743702][ T3844] do_sys_openat2+0x124/0x4e0 [ 110.748377][ T3844] ? print_irqtrace_events+0x220/0x220 [ 110.753829][ T3844] ? ptrace_stop+0x74d/0x970 [ 110.758422][ T3844] ? do_sys_open+0x220/0x220 [ 110.763033][ T3844] ? lockdep_hardirqs_on+0x8d/0x130 [ 110.768234][ T3844] ? _raw_spin_unlock_irq+0x2a/0x40 [ 110.773439][ T3844] ? ptrace_notify+0x245/0x340 [ 110.778200][ T3844] __x64_sys_openat+0x243/0x290 [ 110.783046][ T3844] ? __ia32_sys_open+0x270/0x270 [ 110.787985][ T3844] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 110.793961][ T3844] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 110.799946][ T3844] do_syscall_64+0x3d/0xb0 [ 110.804366][ T3844] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 110.810252][ T3844] RIP: 0033:0x7fc8868064d9 [ 110.814658][ T3844] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 110.834258][ T3844] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 110.842663][ T3844] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3844] <... openat resumed>) = ? [pid 3844] +++ exited with 0 +++ [pid 3843] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3843, si_uid=0, si_status=0, si_utime=0, si_stime=31} --- umount2("./68", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./68", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./68/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./68/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./68/binderfs") = 0 [ 110.850628][ T3844] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 110.858591][ T3844] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 110.866562][ T3844] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 110.874542][ T3844] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 110.882543][ T3844] umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./68/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./68/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./68/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./68") = 0 mkdir("./69", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3846 ./strace-static-x86_64: Process 3846 attached [pid 3846] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3846] chdir("./69") = 0 [pid 3846] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3846] setpgid(0, 0) = 0 [pid 3846] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3846] write(3, "1000", 4) = 4 [pid 3846] close(3) = 0 [pid 3846] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3846] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3846] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3846] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3846] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3847 attached , parent_tid=[3847], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3847 [pid 3847] set_robust_list(0x7fc8867b29e0, 24 [pid 3846] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3846] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3847] <... set_robust_list resumed>) = 0 [pid 3847] memfd_create("syzkaller", 0) = 3 [pid 3847] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3847] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3847] munmap(0x7fc87e392000, 16777216) = 0 [pid 3847] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3847] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3847] close(3) = 0 [pid 3847] mkdir("./file0", 0777) = 0 [ 111.177260][ T3847] loop0: detected capacity change from 0 to 32768 [ 111.188171][ T3847] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 111.196437][ T3847] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 111.205911][ T3847] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 111.215034][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 111.221951][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3847] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3847] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3847] chdir("./file0") = 0 [pid 3847] ioctl(4, LOOP_CLR_FD) = 0 [pid 3847] close(4) = 0 [pid 3847] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3847] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3846] <... futex resumed>) = 0 [pid 3846] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3847] <... futex resumed>) = 0 [pid 3846] <... futex resumed>) = 1 [pid 3847] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3846] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3847] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3847] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3846] <... futex resumed>) = 0 [pid 3847] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3846] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 111.256517][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 111.265329][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 111.270704][ T3847] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 111.294326][ T3847] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3846] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3846] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3846] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3846] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3846] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3848], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3848 [pid 3846] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3848 attached [pid 3848] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3848] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3848] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 111.303580][ T3847] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 111.303580][ T3847] inode = 12 2341 [ 111.303580][ T3847] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 111.322781][ T3847] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 111.332662][ T3847] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3847 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 111.342960][ T3847] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 111.351709][ T3847] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 111.359017][ T3847] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 111.367886][ T3847] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 111.375901][ T3847] gfs2: fsid=syz:syz.0: File system withdrawn [ 111.382119][ T3847] CPU: 0 PID: 3847 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 111.392542][ T3847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 111.402765][ T3847] Call Trace: [ 111.406059][ T3847] [ 111.409015][ T3847] dump_stack_lvl+0x1b1/0x28e [ 111.414063][ T3847] ? nf_tcp_handle_invalid+0x62e/0x62e [ 111.419518][ T3847] ? panic+0x710/0x710 [ 111.423580][ T3847] ? kobject_uevent_env+0x46b/0x8e0 [ 111.428780][ T3847] ? do_raw_spin_unlock+0x134/0x8a0 [ 111.433981][ T3847] gfs2_withdraw+0xf33/0x1540 [ 111.438683][ T3847] ? gfs2_lm+0x220/0x220 [ 111.442945][ T3847] ? gfs2_dirent_scan+0xb6/0x650 [ 111.447891][ T3847] ? panic+0x710/0x710 [ 111.451949][ T3847] ? gfs2_permission+0x2ff/0x430 [ 111.456889][ T3847] ? gfs2_consist_inode_i+0xf3/0x110 [ 111.462166][ T3847] gfs2_dirent_scan+0x535/0x650 [ 111.467031][ T3847] ? gfs2_dirent_search+0xb10/0xb10 [ 111.472227][ T3847] gfs2_dirent_search+0x2ea/0xb10 [ 111.477249][ T3847] ? gfs2_dirent_search+0xb10/0xb10 [ 111.482443][ T3847] ? gfs2_dir_search+0x2a0/0x2a0 [ 111.487371][ T3847] ? gfs2_permission+0x3bf/0x430 [ 111.492307][ T3847] gfs2_dir_search+0x8c/0x2a0 [ 111.496983][ T3847] ? do_filldir_main+0x530/0x530 [ 111.501917][ T3847] ? inode_go_held+0xe4/0x1f0 [ 111.506594][ T3847] ? gfs2_glock_wait+0x213/0x2a0 [ 111.511524][ T3847] gfs2_lookupi+0x465/0x650 [ 111.516026][ T3847] ? gfs2_lookup_simple+0x170/0x170 [ 111.521217][ T3847] ? __gfs2_lookup+0x8c/0x260 [ 111.525902][ T3847] __gfs2_lookup+0x8c/0x260 [ 111.530432][ T3847] ? gfs2_atomic_open+0x230/0x230 [ 111.535453][ T3847] ? __d_lookup+0x6a4/0x770 [ 111.539947][ T3847] ? d_hash_and_lookup+0x1c0/0x1c0 [ 111.545051][ T3847] gfs2_atomic_open+0xa4/0x230 [ 111.549814][ T3847] path_openat+0xf39/0x2df0 [ 111.554312][ T3847] ? gfs2_rename2+0x3000/0x3000 [ 111.559173][ T3847] ? do_filp_open+0x4f0/0x4f0 [ 111.563854][ T3847] do_filp_open+0x264/0x4f0 [ 111.568359][ T3847] ? vfs_tmpfile+0x490/0x490 [ 111.572949][ T3847] ? do_raw_spin_unlock+0x134/0x8a0 [ 111.578151][ T3847] ? _raw_spin_unlock+0x24/0x40 [ 111.583002][ T3847] ? alloc_fd+0x5a7/0x640 [ 111.587332][ T3847] do_sys_openat2+0x124/0x4e0 [ 111.592005][ T3847] ? print_irqtrace_events+0x220/0x220 [ 111.597455][ T3847] ? ptrace_stop+0x74d/0x970 [ 111.602056][ T3847] ? do_sys_open+0x220/0x220 [ 111.606642][ T3847] ? lockdep_hardirqs_on+0x8d/0x130 [ 111.611834][ T3847] ? _raw_spin_unlock_irq+0x2a/0x40 [ 111.617025][ T3847] ? ptrace_notify+0x245/0x340 [ 111.621785][ T3847] __x64_sys_openat+0x243/0x290 [ 111.626632][ T3847] ? __ia32_sys_open+0x270/0x270 [ 111.631567][ T3847] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 111.637539][ T3847] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 111.643530][ T3847] do_syscall_64+0x3d/0xb0 [ 111.647956][ T3847] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 111.653854][ T3847] RIP: 0033:0x7fc8868064d9 [ 111.658266][ T3847] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 111.677864][ T3847] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 111.686270][ T3847] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 111.694232][ T3847] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3848] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3847] <... openat resumed>) = -1 EIO (Input/output error) [pid 3847] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3847] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3846] exit_group(0 [pid 3847] <... futex resumed>) = ? [pid 3847] +++ exited with 0 +++ [pid 3846] <... exit_group resumed>) = ? [pid 3848] <... futex resumed>) = ? [pid 3848] +++ exited with 0 +++ [pid 3846] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3846, si_uid=0, si_status=0, si_utime=5, si_stime=29} --- umount2("./69", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./69", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./69/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./69/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./69/binderfs") = 0 [ 111.702195][ T3847] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 111.710155][ T3847] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 111.718204][ T3847] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 111.726200][ T3847] umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./69/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./69/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./69/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./69") = 0 mkdir("./70", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3849 ./strace-static-x86_64: Process 3849 attached [pid 3849] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3849] chdir("./70") = 0 [pid 3849] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3849] setpgid(0, 0) = 0 [pid 3849] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3849] write(3, "1000", 4) = 4 [pid 3849] close(3) = 0 [pid 3849] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3849] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3849] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3849] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3849] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3850], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3850 [pid 3849] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3849] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3850 attached [pid 3850] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3850] memfd_create("syzkaller", 0) = 3 [pid 3850] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3850] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3850] munmap(0x7fc87e392000, 16777216) = 0 [pid 3850] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3850] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3850] close(3) = 0 [pid 3850] mkdir("./file0", 0777) = 0 [ 112.010936][ T3850] loop0: detected capacity change from 0 to 32768 [ 112.021648][ T3850] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 112.029836][ T3850] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 112.039692][ T3850] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 112.048389][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 112.055517][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3850] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3850] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3850] chdir("./file0") = 0 [pid 3850] ioctl(4, LOOP_CLR_FD) = 0 [pid 3850] close(4) = 0 [pid 3850] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3849] <... futex resumed>) = 0 [pid 3850] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3849] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3850] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3849] <... futex resumed>) = 0 [pid 3850] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3849] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3850] <... futex resumed>) = 0 [pid 3849] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3850] openat(AT_FDCWD, "./file0", O_RDONLY [ 112.092428][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 112.101378][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 112.106601][ T3850] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3849] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 112.133032][ T3850] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 112.142106][ T3850] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 112.142106][ T3850] inode = 12 2341 [ 112.142106][ T3850] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 112.161720][ T3850] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 112.171457][ T3850] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3850 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3849] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3849] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3849] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3849] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3849] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3849] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3851], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3851 [pid 3849] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3851 attached [pid 3851] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3851] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3851] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 112.181826][ T3850] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 112.190315][ T3850] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 112.197916][ T3850] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 112.206770][ T3850] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 112.215073][ T3850] gfs2: fsid=syz:syz.0: File system withdrawn [ 112.221219][ T3850] CPU: 0 PID: 3850 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 112.231644][ T3850] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 112.241711][ T3850] Call Trace: [ 112.244982][ T3850] [ 112.247901][ T3850] dump_stack_lvl+0x1b1/0x28e [ 112.252579][ T3850] ? nf_tcp_handle_invalid+0x62e/0x62e [ 112.258030][ T3850] ? panic+0x710/0x710 [ 112.262089][ T3850] ? kobject_uevent_env+0x46b/0x8e0 [ 112.267288][ T3850] ? do_raw_spin_unlock+0x134/0x8a0 [ 112.272519][ T3850] gfs2_withdraw+0xf33/0x1540 [ 112.277212][ T3850] ? gfs2_lm+0x220/0x220 [ 112.281449][ T3850] ? gfs2_dirent_scan+0xb6/0x650 [ 112.286423][ T3850] ? panic+0x710/0x710 [ 112.290501][ T3850] ? gfs2_permission+0x2ff/0x430 [ 112.295464][ T3850] ? gfs2_consist_inode_i+0xf3/0x110 [ 112.300852][ T3850] gfs2_dirent_scan+0x535/0x650 [ 112.305726][ T3850] ? gfs2_dirent_search+0xb10/0xb10 [ 112.310940][ T3850] gfs2_dirent_search+0x2ea/0xb10 [ 112.315969][ T3850] ? gfs2_dirent_search+0xb10/0xb10 [ 112.321177][ T3850] ? gfs2_dir_search+0x2a0/0x2a0 [ 112.326108][ T3850] ? gfs2_permission+0x3bf/0x430 [pid 3851] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3849] exit_group(0 [pid 3851] <... futex resumed>) = ? [pid 3849] <... exit_group resumed>) = ? [pid 3851] +++ exited with 0 +++ [ 112.331046][ T3850] gfs2_dir_search+0x8c/0x2a0 [ 112.335727][ T3850] ? do_filldir_main+0x530/0x530 [ 112.340683][ T3850] ? inode_go_held+0xe4/0x1f0 [ 112.345379][ T3850] ? gfs2_glock_wait+0x213/0x2a0 [ 112.350385][ T3850] gfs2_lookupi+0x465/0x650 [ 112.354904][ T3850] ? gfs2_lookup_simple+0x170/0x170 [ 112.360108][ T3850] ? __gfs2_lookup+0x8c/0x260 [ 112.364807][ T3850] __gfs2_lookup+0x8c/0x260 [ 112.369319][ T3850] ? gfs2_atomic_open+0x230/0x230 [ 112.374378][ T3850] ? __d_lookup+0x6a4/0x770 [ 112.378884][ T3850] ? d_hash_and_lookup+0x1c0/0x1c0 [ 112.383991][ T3850] gfs2_atomic_open+0xa4/0x230 [ 112.388763][ T3850] path_openat+0xf39/0x2df0 [ 112.393261][ T3850] ? gfs2_rename2+0x3000/0x3000 [ 112.398131][ T3850] ? do_filp_open+0x4f0/0x4f0 [ 112.402808][ T3850] do_filp_open+0x264/0x4f0 [ 112.407299][ T3850] ? vfs_tmpfile+0x490/0x490 [ 112.411907][ T3850] ? do_raw_spin_unlock+0x134/0x8a0 [ 112.417119][ T3850] ? _raw_spin_unlock+0x24/0x40 [ 112.421982][ T3850] ? alloc_fd+0x5a7/0x640 [ 112.426312][ T3850] do_sys_openat2+0x124/0x4e0 [ 112.430993][ T3850] ? print_irqtrace_events+0x220/0x220 [ 112.436461][ T3850] ? ptrace_stop+0x74d/0x970 [ 112.441055][ T3850] ? do_sys_open+0x220/0x220 [ 112.445694][ T3850] ? lockdep_hardirqs_on+0x8d/0x130 [ 112.450877][ T3850] ? _raw_spin_unlock_irq+0x2a/0x40 [ 112.456071][ T3850] ? ptrace_notify+0x245/0x340 [ 112.460819][ T3850] __x64_sys_openat+0x243/0x290 [ 112.465661][ T3850] ? __ia32_sys_open+0x270/0x270 [ 112.470586][ T3850] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 112.476556][ T3850] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 112.482530][ T3850] do_syscall_64+0x3d/0xb0 [ 112.486936][ T3850] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 112.492828][ T3850] RIP: 0033:0x7fc8868064d9 [ 112.497241][ T3850] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 112.516835][ T3850] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 112.525237][ T3850] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3850] <... openat resumed>) = ? [pid 3850] +++ exited with 0 +++ [pid 3849] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3849, si_uid=0, si_status=0, si_utime=0, si_stime=31} --- umount2("./70", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./70", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./70/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./70/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./70/binderfs") = 0 [ 112.533198][ T3850] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 112.541170][ T3850] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 112.549146][ T3850] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 112.557119][ T3850] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 112.565181][ T3850] umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./70/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./70/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./70/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./70") = 0 mkdir("./71", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3852 ./strace-static-x86_64: Process 3852 attached [pid 3852] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3852] chdir("./71") = 0 [pid 3852] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3852] setpgid(0, 0) = 0 [pid 3852] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3852] write(3, "1000", 4) = 4 [pid 3852] close(3) = 0 [pid 3852] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3852] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3852] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3852] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3852] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3853], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3853 [pid 3852] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3852] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3853 attached [pid 3853] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3853] memfd_create("syzkaller", 0) = 3 [pid 3853] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3853] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3853] munmap(0x7fc87e392000, 16777216) = 0 [pid 3853] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3853] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3853] close(3) = 0 [pid 3853] mkdir("./file0", 0777) = 0 [ 112.870034][ T3853] loop0: detected capacity change from 0 to 32768 [ 112.879859][ T3853] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 112.888806][ T3853] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 112.898644][ T3853] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 112.907423][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 112.914679][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3853] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3853] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3853] chdir("./file0") = 0 [pid 3853] ioctl(4, LOOP_CLR_FD) = 0 [pid 3853] close(4) = 0 [pid 3853] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3852] <... futex resumed>) = 0 [pid 3853] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3852] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3853] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3852] <... futex resumed>) = 0 [pid 3853] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3852] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3853] <... futex resumed>) = 0 [pid 3852] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3853] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3852] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 112.950517][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 112.958082][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 112.963997][ T3853] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 112.979799][ T3853] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 112.988668][ T3853] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 112.988668][ T3853] inode = 12 2341 [pid 3852] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 112.988668][ T3853] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 113.007592][ T3853] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 113.016876][ T3853] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3853 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 113.026977][ T3853] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 113.035611][ T3853] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3852] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 113.043192][ T3853] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 113.052061][ T3853] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 113.058688][ T3853] gfs2: fsid=syz:syz.0: File system withdrawn [ 113.064923][ T3853] CPU: 0 PID: 3853 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 113.075352][ T3853] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 113.085399][ T3853] Call Trace: [ 113.088671][ T3853] [ 113.091767][ T3853] dump_stack_lvl+0x1b1/0x28e [ 113.096441][ T3853] ? nf_tcp_handle_invalid+0x62e/0x62e [ 113.101890][ T3853] ? panic+0x710/0x710 [ 113.105950][ T3853] ? kobject_uevent_env+0x46b/0x8e0 [ 113.111141][ T3853] ? do_raw_spin_unlock+0x134/0x8a0 [ 113.116338][ T3853] gfs2_withdraw+0xf33/0x1540 [ 113.121019][ T3853] ? gfs2_lm+0x220/0x220 [ 113.125251][ T3853] ? gfs2_dirent_scan+0xb6/0x650 [ 113.130183][ T3853] ? panic+0x710/0x710 [ 113.134243][ T3853] ? gfs2_permission+0x2ff/0x430 [ 113.139178][ T3853] ? gfs2_consist_inode_i+0xf3/0x110 [ 113.144462][ T3853] gfs2_dirent_scan+0x535/0x650 [ 113.149323][ T3853] ? gfs2_dirent_search+0xb10/0xb10 [ 113.154517][ T3853] gfs2_dirent_search+0x2ea/0xb10 [ 113.159552][ T3853] ? gfs2_dirent_search+0xb10/0xb10 [ 113.164749][ T3853] ? gfs2_dir_search+0x2a0/0x2a0 [ 113.169681][ T3853] ? gfs2_permission+0x3bf/0x430 [ 113.174622][ T3853] gfs2_dir_search+0x8c/0x2a0 [ 113.179300][ T3853] ? do_filldir_main+0x530/0x530 [ 113.184233][ T3853] ? inode_go_held+0xe4/0x1f0 [ 113.188915][ T3853] ? gfs2_glock_wait+0x213/0x2a0 [ 113.193847][ T3853] gfs2_lookupi+0x465/0x650 [ 113.198352][ T3853] ? gfs2_lookup_simple+0x170/0x170 [ 113.203547][ T3853] ? __gfs2_lookup+0x8c/0x260 [ 113.208227][ T3853] __gfs2_lookup+0x8c/0x260 [ 113.212733][ T3853] ? gfs2_atomic_open+0x230/0x230 [ 113.217771][ T3853] ? __d_lookup+0x6a4/0x770 [ 113.222265][ T3853] ? d_hash_and_lookup+0x1c0/0x1c0 [ 113.227373][ T3853] gfs2_atomic_open+0xa4/0x230 [ 113.234483][ T3853] path_openat+0xf39/0x2df0 [ 113.238988][ T3853] ? gfs2_rename2+0x3000/0x3000 [ 113.243851][ T3853] ? do_filp_open+0x4f0/0x4f0 [ 113.248533][ T3853] do_filp_open+0x264/0x4f0 [ 113.253035][ T3853] ? vfs_tmpfile+0x490/0x490 [ 113.257660][ T3853] ? do_raw_spin_unlock+0x134/0x8a0 [ 113.262860][ T3853] ? _raw_spin_unlock+0x24/0x40 [ 113.267725][ T3853] ? alloc_fd+0x5a7/0x640 [ 113.272057][ T3853] do_sys_openat2+0x124/0x4e0 [ 113.276724][ T3853] ? print_irqtrace_events+0x220/0x220 [ 113.282539][ T3853] ? ptrace_stop+0x74d/0x970 [ 113.287152][ T3853] ? do_sys_open+0x220/0x220 [ 113.291780][ T3853] ? lockdep_hardirqs_on+0x8d/0x130 [ 113.297005][ T3853] ? _raw_spin_unlock_irq+0x2a/0x40 [ 113.302218][ T3853] ? ptrace_notify+0x245/0x340 [ 113.306990][ T3853] __x64_sys_openat+0x243/0x290 [ 113.311848][ T3853] ? __ia32_sys_open+0x270/0x270 [ 113.316784][ T3853] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 113.322758][ T3853] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 113.328734][ T3853] do_syscall_64+0x3d/0xb0 [ 113.333142][ T3853] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 113.339026][ T3853] RIP: 0033:0x7fc8868064d9 [ 113.343431][ T3853] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 113.363027][ T3853] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 113.371436][ T3853] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 113.379402][ T3853] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 113.387367][ T3853] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3852] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 3853] <... openat resumed>) = -1 EIO (Input/output error) [pid 3852] <... mmap resumed>) = 0x7fc87f371000 [pid 3853] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3852] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE [pid 3853] <... futex resumed>) = 0 [pid 3852] <... mprotect resumed>) = 0 [pid 3853] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3852] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3854], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3854 [pid 3852] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3854 attached [pid 3854] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3854] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3854] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3854] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3852] exit_group(0 [pid 3853] <... futex resumed>) = ? [pid 3852] <... exit_group resumed>) = ? [pid 3853] +++ exited with 0 +++ [pid 3854] <... futex resumed>) = ? [pid 3854] +++ exited with 0 +++ [pid 3852] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3852, si_uid=0, si_status=0, si_utime=1, si_stime=28} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./71", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./71", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./71/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./71/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./71/binderfs") = 0 [ 113.395335][ T3853] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 113.403299][ T3853] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 113.411280][ T3853] umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./71/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./71/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./71/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./71") = 0 mkdir("./72", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3855 ./strace-static-x86_64: Process 3855 attached [pid 3855] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3855] chdir("./72") = 0 [pid 3855] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3855] setpgid(0, 0) = 0 [pid 3855] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3855] write(3, "1000", 4) = 4 [pid 3855] close(3) = 0 [pid 3855] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3855] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3855] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3855] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3855] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3856 attached , parent_tid=[3856], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3856 [pid 3856] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3856] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3855] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3856] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3855] <... futex resumed>) = 0 [pid 3855] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3856] memfd_create("syzkaller", 0) = 3 [pid 3856] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3856] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3856] munmap(0x7fc87e392000, 16777216) = 0 [pid 3856] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3856] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3856] close(3) = 0 [pid 3856] mkdir("./file0", 0777) = 0 [ 113.719441][ T3856] loop0: detected capacity change from 0 to 32768 [ 113.730017][ T3856] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 113.738534][ T3856] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 113.748424][ T3856] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 113.757486][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 113.764434][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3856] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3856] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3856] chdir("./file0") = 0 [pid 3856] ioctl(4, LOOP_CLR_FD) = 0 [pid 3856] close(4) = 0 [pid 3856] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3855] <... futex resumed>) = 0 [pid 3855] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3855] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3856] <... futex resumed>) = 1 [pid 3856] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3856] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3855] <... futex resumed>) = 0 [pid 3855] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3855] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3856] <... futex resumed>) = 1 [ 113.797462][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 113.805092][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 113.810531][ T3856] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 113.827691][ T3856] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 113.836724][ T3856] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 113.836724][ T3856] inode = 12 2341 [pid 3856] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3855] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3855] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3855] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3855] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3855] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3857], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3857 ./strace-static-x86_64: Process 3857 attached [pid 3855] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3857] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3857] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3857] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 113.836724][ T3856] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 113.855948][ T3856] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 113.865224][ T3856] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3856 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 113.875902][ T3856] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 113.887693][ T3856] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 113.895170][ T3856] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 113.904076][ T3856] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 113.911089][ T3856] gfs2: fsid=syz:syz.0: File system withdrawn [ 113.917647][ T3856] CPU: 0 PID: 3856 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 113.928083][ T3856] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 113.938133][ T3856] Call Trace: [ 113.941402][ T3856] [ 113.944322][ T3856] dump_stack_lvl+0x1b1/0x28e [ 113.948991][ T3856] ? nf_tcp_handle_invalid+0x62e/0x62e [ 113.954442][ T3856] ? panic+0x710/0x710 [ 113.958496][ T3856] ? kobject_uevent_env+0x46b/0x8e0 [ 113.963685][ T3856] ? do_raw_spin_unlock+0x134/0x8a0 [ 113.968875][ T3856] gfs2_withdraw+0xf33/0x1540 [ 113.973582][ T3856] ? gfs2_lm+0x220/0x220 [ 113.977809][ T3856] ? gfs2_dirent_scan+0xb6/0x650 [ 113.982733][ T3856] ? panic+0x710/0x710 [ 113.986787][ T3856] ? gfs2_permission+0x2ff/0x430 [ 113.991719][ T3856] ? gfs2_consist_inode_i+0xf3/0x110 [ 113.996994][ T3856] gfs2_dirent_scan+0x535/0x650 [ 114.001834][ T3856] ? gfs2_dirent_search+0xb10/0xb10 [ 114.007024][ T3856] gfs2_dirent_search+0x2ea/0xb10 [ 114.012045][ T3856] ? gfs2_dirent_search+0xb10/0xb10 [ 114.017271][ T3856] ? gfs2_dir_search+0x2a0/0x2a0 [ 114.022203][ T3856] ? gfs2_permission+0x3bf/0x430 [ 114.027149][ T3856] gfs2_dir_search+0x8c/0x2a0 [ 114.031824][ T3856] ? do_filldir_main+0x530/0x530 [ 114.036764][ T3856] ? inode_go_held+0xe4/0x1f0 [ 114.041442][ T3856] ? gfs2_glock_wait+0x213/0x2a0 [ 114.046377][ T3856] gfs2_lookupi+0x465/0x650 [ 114.050883][ T3856] ? gfs2_lookup_simple+0x170/0x170 [ 114.056076][ T3856] ? __gfs2_lookup+0x8c/0x260 [ 114.060780][ T3856] __gfs2_lookup+0x8c/0x260 [ 114.065288][ T3856] ? gfs2_atomic_open+0x230/0x230 [ 114.070311][ T3856] ? __d_lookup+0x6a4/0x770 [ 114.074809][ T3856] ? d_hash_and_lookup+0x1c0/0x1c0 [ 114.079915][ T3856] gfs2_atomic_open+0xa4/0x230 [ 114.084677][ T3856] path_openat+0xf39/0x2df0 [ 114.089176][ T3856] ? gfs2_rename2+0x3000/0x3000 [ 114.094056][ T3856] ? do_filp_open+0x4f0/0x4f0 [ 114.098741][ T3856] do_filp_open+0x264/0x4f0 [ 114.103236][ T3856] ? vfs_tmpfile+0x490/0x490 [ 114.107832][ T3856] ? do_raw_spin_unlock+0x134/0x8a0 [ 114.113029][ T3856] ? _raw_spin_unlock+0x24/0x40 [ 114.117894][ T3856] ? alloc_fd+0x5a7/0x640 [ 114.122226][ T3856] do_sys_openat2+0x124/0x4e0 [ 114.126896][ T3856] ? print_irqtrace_events+0x220/0x220 [ 114.132348][ T3856] ? ptrace_stop+0x74d/0x970 [ 114.136931][ T3856] ? do_sys_open+0x220/0x220 [ 114.141516][ T3856] ? lockdep_hardirqs_on+0x8d/0x130 [ 114.146716][ T3856] ? _raw_spin_unlock_irq+0x2a/0x40 [ 114.151912][ T3856] ? ptrace_notify+0x245/0x340 [ 114.156670][ T3856] __x64_sys_openat+0x243/0x290 [ 114.161518][ T3856] ? __ia32_sys_open+0x270/0x270 [ 114.166462][ T3856] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 114.172441][ T3856] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 114.178418][ T3856] do_syscall_64+0x3d/0xb0 [ 114.182831][ T3856] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 114.188715][ T3856] RIP: 0033:0x7fc8868064d9 [ 114.193120][ T3856] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 114.213239][ T3856] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 114.221642][ T3856] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 114.229603][ T3856] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 114.237583][ T3856] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3857] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3856] <... openat resumed>) = -1 EIO (Input/output error) [pid 3856] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3855] exit_group(0 [pid 3857] <... futex resumed>) = ? [pid 3855] <... exit_group resumed>) = ? [pid 3857] +++ exited with 0 +++ [pid 3856] <... futex resumed>) = ? [pid 3856] +++ exited with 0 +++ [pid 3855] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3855, si_uid=0, si_status=0, si_utime=3, si_stime=25} --- umount2("./72", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./72", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./72/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./72/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./72/binderfs") = 0 [ 114.245566][ T3856] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 114.253526][ T3856] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 114.261500][ T3856] umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./72/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./72/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./72/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./72") = 0 mkdir("./73", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3858 attached , child_tidptr=0x55555635f5d0) = 3858 [pid 3858] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3858] chdir("./73") = 0 [pid 3858] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3858] setpgid(0, 0) = 0 [pid 3858] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3858] write(3, "1000", 4) = 4 [pid 3858] close(3) = 0 [pid 3858] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3858] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3858] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3858] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3858] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3859], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3859 ./strace-static-x86_64: Process 3859 attached [pid 3859] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3858] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3858] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3859] memfd_create("syzkaller", 0) = 3 [pid 3859] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3859] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3859] munmap(0x7fc87e392000, 16777216) = 0 [pid 3859] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3859] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3859] close(3) = 0 [pid 3859] mkdir("./file0", 0777) = 0 [ 114.554581][ T3859] loop0: detected capacity change from 0 to 32768 [ 114.567504][ T3859] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 114.576438][ T3859] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 114.586516][ T3859] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 114.595474][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 114.602658][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3859] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3859] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3859] chdir("./file0") = 0 [pid 3859] ioctl(4, LOOP_CLR_FD) = 0 [pid 3859] close(4) = 0 [pid 3859] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3858] <... futex resumed>) = 0 [pid 3858] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3858] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3859] <... futex resumed>) = 1 [pid 3859] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3859] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3858] <... futex resumed>) = 0 [pid 3858] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3858] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3859] <... futex resumed>) = 1 [ 114.641548][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 114.650974][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 114.656235][ T3859] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 114.693282][ T3859] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 114.702644][ T3859] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 114.702644][ T3859] inode = 12 2341 [ 114.702644][ T3859] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 114.721552][ T3859] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 114.730723][ T3859] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3859 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3859] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3858] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3858] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3858] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3858] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3858] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3860], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3860 [pid 3858] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3860 attached [pid 3860] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3860] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3860] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 114.740885][ T3859] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 114.749383][ T3859] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 114.756731][ T3859] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 114.765589][ T3859] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 114.772202][ T3859] gfs2: fsid=syz:syz.0: File system withdrawn [ 114.778391][ T3859] CPU: 0 PID: 3859 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 114.788812][ T3859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 114.798859][ T3859] Call Trace: [ 114.802142][ T3859] [ 114.805082][ T3859] dump_stack_lvl+0x1b1/0x28e [ 114.809773][ T3859] ? nf_tcp_handle_invalid+0x62e/0x62e [ 114.815230][ T3859] ? panic+0x710/0x710 [ 114.819332][ T3859] ? kobject_uevent_env+0x46b/0x8e0 [ 114.824555][ T3859] ? do_raw_spin_unlock+0x134/0x8a0 [ 114.829793][ T3859] gfs2_withdraw+0xf33/0x1540 [ 114.834475][ T3859] ? gfs2_lm+0x220/0x220 [ 114.838719][ T3859] ? gfs2_dirent_scan+0xb6/0x650 [ 114.843647][ T3859] ? panic+0x710/0x710 [ 114.847706][ T3859] ? gfs2_permission+0x2ff/0x430 [ 114.852640][ T3859] ? gfs2_consist_inode_i+0xf3/0x110 [ 114.857922][ T3859] gfs2_dirent_scan+0x535/0x650 [ 114.862780][ T3859] ? gfs2_dirent_search+0xb10/0xb10 [ 114.867992][ T3859] gfs2_dirent_search+0x2ea/0xb10 [ 114.873020][ T3859] ? gfs2_dirent_search+0xb10/0xb10 [ 114.878230][ T3859] ? gfs2_dir_search+0x2a0/0x2a0 [ 114.883191][ T3859] ? gfs2_permission+0x3bf/0x430 [ 114.888136][ T3859] gfs2_dir_search+0x8c/0x2a0 [ 114.892813][ T3859] ? do_filldir_main+0x530/0x530 [ 114.897745][ T3859] ? inode_go_held+0xe4/0x1f0 [ 114.902423][ T3859] ? gfs2_glock_wait+0x213/0x2a0 [ 114.907358][ T3859] gfs2_lookupi+0x465/0x650 [ 114.911879][ T3859] ? gfs2_lookup_simple+0x170/0x170 [ 114.917080][ T3859] ? __gfs2_lookup+0x8c/0x260 [ 114.921763][ T3859] __gfs2_lookup+0x8c/0x260 [ 114.926264][ T3859] ? gfs2_atomic_open+0x230/0x230 [ 114.931288][ T3859] ? __d_lookup+0x6a4/0x770 [ 114.935806][ T3859] ? d_hash_and_lookup+0x1c0/0x1c0 [ 114.940910][ T3859] gfs2_atomic_open+0xa4/0x230 [ 114.945670][ T3859] path_openat+0xf39/0x2df0 [ 114.950172][ T3859] ? gfs2_rename2+0x3000/0x3000 [ 114.955028][ T3859] ? do_filp_open+0x4f0/0x4f0 [ 114.959727][ T3859] do_filp_open+0x264/0x4f0 [ 114.964223][ T3859] ? vfs_tmpfile+0x490/0x490 [ 114.968826][ T3859] ? do_raw_spin_unlock+0x134/0x8a0 [ 114.974027][ T3859] ? _raw_spin_unlock+0x24/0x40 [ 114.978871][ T3859] ? alloc_fd+0x5a7/0x640 [ 114.984503][ T3859] do_sys_openat2+0x124/0x4e0 [ 114.989172][ T3859] ? print_irqtrace_events+0x220/0x220 [ 114.994619][ T3859] ? ptrace_stop+0x74d/0x970 [ 114.999206][ T3859] ? do_sys_open+0x220/0x220 [ 115.003790][ T3859] ? lockdep_hardirqs_on+0x8d/0x130 [ 115.008982][ T3859] ? _raw_spin_unlock_irq+0x2a/0x40 [ 115.014174][ T3859] ? ptrace_notify+0x245/0x340 [ 115.018933][ T3859] __x64_sys_openat+0x243/0x290 [ 115.023784][ T3859] ? __ia32_sys_open+0x270/0x270 [ 115.028717][ T3859] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 115.034695][ T3859] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 115.040672][ T3859] do_syscall_64+0x3d/0xb0 [ 115.045081][ T3859] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 115.051070][ T3859] RIP: 0033:0x7fc8868064d9 [ 115.055477][ T3859] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 115.075163][ T3859] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 115.083570][ T3859] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3860] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3859] <... openat resumed>) = -1 EIO (Input/output error) [pid 3859] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3859] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3858] exit_group(0 [pid 3859] <... futex resumed>) = ? [pid 3859] +++ exited with 0 +++ [pid 3858] <... exit_group resumed>) = ? [pid 3860] <... futex resumed>) = ? [pid 3860] +++ exited with 0 +++ [pid 3858] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3858, si_uid=0, si_status=0, si_utime=4, si_stime=29} --- umount2("./73", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./73", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./73/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./73/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./73/binderfs") = 0 [ 115.091537][ T3859] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 115.099584][ T3859] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 115.107545][ T3859] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 115.115594][ T3859] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 115.123566][ T3859] umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./73/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./73/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./73/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./73") = 0 mkdir("./74", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3861 ./strace-static-x86_64: Process 3861 attached [pid 3861] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3861] chdir("./74") = 0 [pid 3861] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3861] setpgid(0, 0) = 0 [pid 3861] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3861] write(3, "1000", 4) = 4 [pid 3861] close(3) = 0 [pid 3861] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3861] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3861] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3861] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3861] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3862], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3862 [pid 3861] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3861] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3862 attached [pid 3862] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3862] memfd_create("syzkaller", 0) = 3 [pid 3862] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3862] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3862] munmap(0x7fc87e392000, 16777216) = 0 [pid 3862] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3862] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3862] close(3) = 0 [pid 3862] mkdir("./file0", 0777) = 0 [ 115.416496][ T3862] loop0: detected capacity change from 0 to 32768 [ 115.427785][ T3862] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 115.436715][ T3862] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 115.445846][ T3862] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 115.454360][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 115.461465][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3862] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3862] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3862] chdir("./file0") = 0 [pid 3862] ioctl(4, LOOP_CLR_FD) = 0 [pid 3862] close(4) = 0 [pid 3862] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3862] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3861] <... futex resumed>) = 0 [pid 3861] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3862] <... futex resumed>) = 0 [pid 3861] <... futex resumed>) = 1 [pid 3862] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3862] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3862] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3861] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 3861] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3862] <... futex resumed>) = 0 [pid 3861] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 115.496169][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 115.503789][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 115.509606][ T3862] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 115.534687][ T3862] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3862] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3861] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3861] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3861] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3861] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3861] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3863], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3863 [pid 3861] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 115.543808][ T3862] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 115.543808][ T3862] inode = 12 2341 [ 115.543808][ T3862] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 115.562760][ T3862] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 115.571936][ T3862] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3862 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 115.582018][ T3862] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 ./strace-static-x86_64: Process 3863 attached [pid 3863] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3863] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3863] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 115.591055][ T3862] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 115.598291][ T3862] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 115.607195][ T3862] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 115.615812][ T3862] gfs2: fsid=syz:syz.0: File system withdrawn [ 115.622243][ T3862] CPU: 0 PID: 3862 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 115.632674][ T3862] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 115.642726][ T3862] Call Trace: [ 115.645999][ T3862] [ 115.648922][ T3862] dump_stack_lvl+0x1b1/0x28e [ 115.653612][ T3862] ? nf_tcp_handle_invalid+0x62e/0x62e [ 115.659071][ T3862] ? panic+0x710/0x710 [ 115.663136][ T3862] ? kobject_uevent_env+0x46b/0x8e0 [ 115.668340][ T3862] ? do_raw_spin_unlock+0x134/0x8a0 [ 115.673557][ T3862] gfs2_withdraw+0xf33/0x1540 [ 115.678272][ T3862] ? gfs2_lm+0x220/0x220 [ 115.682532][ T3862] ? gfs2_dirent_scan+0xb6/0x650 [ 115.687477][ T3862] ? panic+0x710/0x710 [ 115.691624][ T3862] ? gfs2_permission+0x2ff/0x430 [ 115.696606][ T3862] ? gfs2_consist_inode_i+0xf3/0x110 [ 115.701898][ T3862] gfs2_dirent_scan+0x535/0x650 [ 115.706946][ T3862] ? gfs2_dirent_search+0xb10/0xb10 [ 115.712152][ T3862] gfs2_dirent_search+0x2ea/0xb10 [ 115.717216][ T3862] ? gfs2_dirent_search+0xb10/0xb10 [ 115.722450][ T3862] ? gfs2_dir_search+0x2a0/0x2a0 [ 115.727397][ T3862] ? gfs2_permission+0x3bf/0x430 [ 115.732361][ T3862] gfs2_dir_search+0x8c/0x2a0 [ 115.737061][ T3862] ? do_filldir_main+0x530/0x530 [ 115.741999][ T3862] ? inode_go_held+0xe4/0x1f0 [ 115.746677][ T3862] ? gfs2_glock_wait+0x213/0x2a0 [ 115.751614][ T3862] gfs2_lookupi+0x465/0x650 [ 115.756121][ T3862] ? gfs2_lookup_simple+0x170/0x170 [ 115.761315][ T3862] ? __gfs2_lookup+0x8c/0x260 [ 115.765993][ T3862] __gfs2_lookup+0x8c/0x260 [ 115.770503][ T3862] ? gfs2_atomic_open+0x230/0x230 [ 115.775527][ T3862] ? __d_lookup+0x6a4/0x770 [ 115.780026][ T3862] ? d_hash_and_lookup+0x1c0/0x1c0 [ 115.785130][ T3862] gfs2_atomic_open+0xa4/0x230 [ 115.789891][ T3862] path_openat+0xf39/0x2df0 [ 115.794421][ T3862] ? gfs2_rename2+0x3000/0x3000 [ 115.799280][ T3862] ? do_filp_open+0x4f0/0x4f0 [ 115.803985][ T3862] do_filp_open+0x264/0x4f0 [ 115.808498][ T3862] ? vfs_tmpfile+0x490/0x490 [ 115.813113][ T3862] ? do_raw_spin_unlock+0x134/0x8a0 [ 115.818406][ T3862] ? _raw_spin_unlock+0x24/0x40 [ 115.823257][ T3862] ? alloc_fd+0x5a7/0x640 [ 115.827590][ T3862] do_sys_openat2+0x124/0x4e0 [ 115.832261][ T3862] ? print_irqtrace_events+0x220/0x220 [ 115.837709][ T3862] ? ptrace_stop+0x74d/0x970 [ 115.842295][ T3862] ? do_sys_open+0x220/0x220 [ 115.846882][ T3862] ? lockdep_hardirqs_on+0x8d/0x130 [ 115.852090][ T3862] ? _raw_spin_unlock_irq+0x2a/0x40 [ 115.857282][ T3862] ? ptrace_notify+0x245/0x340 [ 115.862065][ T3862] __x64_sys_openat+0x243/0x290 [ 115.866932][ T3862] ? __ia32_sys_open+0x270/0x270 [ 115.871893][ T3862] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 115.877893][ T3862] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 115.883880][ T3862] do_syscall_64+0x3d/0xb0 [ 115.888293][ T3862] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 115.894177][ T3862] RIP: 0033:0x7fc8868064d9 [ 115.898593][ T3862] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 115.918207][ T3862] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 115.926620][ T3862] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 115.934582][ T3862] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3863] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3862] <... openat resumed>) = -1 EIO (Input/output error) [pid 3862] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3862] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3861] exit_group(0 [pid 3863] <... futex resumed>) = ? [pid 3862] <... futex resumed>) = ? [pid 3861] <... exit_group resumed>) = ? [pid 3863] +++ exited with 0 +++ [pid 3862] +++ exited with 0 +++ [pid 3861] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3861, si_uid=0, si_status=0, si_utime=1, si_stime=31} --- umount2("./74", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./74", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./74/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./74/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./74/binderfs") = 0 [ 115.942541][ T3862] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 115.950502][ T3862] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 115.958476][ T3862] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 115.966454][ T3862] umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./74/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./74/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./74/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./74") = 0 mkdir("./75", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3864 ./strace-static-x86_64: Process 3864 attached [pid 3864] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3864] chdir("./75") = 0 [pid 3864] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3864] setpgid(0, 0) = 0 [pid 3864] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3864] write(3, "1000", 4) = 4 [pid 3864] close(3) = 0 [pid 3864] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3864] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3864] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3864] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3864] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3865], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3865 ./strace-static-x86_64: Process 3865 attached [pid 3864] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3864] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3865] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3865] memfd_create("syzkaller", 0) = 3 [pid 3865] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3865] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3865] munmap(0x7fc87e392000, 16777216) = 0 [pid 3865] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3865] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3865] close(3) = 0 [pid 3865] mkdir("./file0", 0777) = 0 [ 116.269199][ T3865] loop0: detected capacity change from 0 to 32768 [ 116.280561][ T3865] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 116.288762][ T3865] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 116.298566][ T3865] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 116.307543][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 116.314558][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3865] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3865] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3865] chdir("./file0") = 0 [pid 3865] ioctl(4, LOOP_CLR_FD) = 0 [pid 3865] close(4) = 0 [pid 3865] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3864] <... futex resumed>) = 0 [pid 3864] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3864] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3865] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3865] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3864] <... futex resumed>) = 0 [pid 3864] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3864] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 116.347500][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 116.355652][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 116.361177][ T3865] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 116.385781][ T3865] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3865] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3864] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3864] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3864] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3864] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3864] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3866 attached [pid 3866] set_robust_list(0x7fc87f3919e0, 24 [pid 3864] <... clone resumed>, parent_tid=[3866], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3866 [pid 3864] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3866] <... set_robust_list resumed>) = 0 [pid 3866] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [ 116.394290][ T3865] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 116.394290][ T3865] inode = 12 2341 [ 116.394290][ T3865] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 116.413442][ T3865] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 116.423517][ T3865] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3865 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 116.434175][ T3865] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3866] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 116.444975][ T3865] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 116.453120][ T3865] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 116.462071][ T3865] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 116.468631][ T3865] gfs2: fsid=syz:syz.0: File system withdrawn [ 116.474835][ T3865] CPU: 1 PID: 3865 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 116.485284][ T3865] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 116.495356][ T3865] Call Trace: [ 116.498630][ T3865] [ 116.501555][ T3865] dump_stack_lvl+0x1b1/0x28e [ 116.506259][ T3865] ? nf_tcp_handle_invalid+0x62e/0x62e [ 116.511725][ T3865] ? panic+0x710/0x710 [ 116.515791][ T3865] ? kobject_uevent_env+0x46b/0x8e0 [ 116.520995][ T3865] ? do_raw_spin_unlock+0x134/0x8a0 [ 116.526203][ T3865] gfs2_withdraw+0xf33/0x1540 [ 116.530906][ T3865] ? gfs2_lm+0x220/0x220 [ 116.535151][ T3865] ? gfs2_dirent_scan+0xb6/0x650 [ 116.540087][ T3865] ? panic+0x710/0x710 [pid 3866] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3864] exit_group(0 [pid 3866] <... futex resumed>) = ? [pid 3864] <... exit_group resumed>) = ? [pid 3866] +++ exited with 0 +++ [ 116.544158][ T3865] ? gfs2_permission+0x2ff/0x430 [ 116.549088][ T3865] ? gfs2_consist_inode_i+0xf3/0x110 [ 116.554375][ T3865] gfs2_dirent_scan+0x535/0x650 [ 116.559243][ T3865] ? gfs2_dirent_search+0xb10/0xb10 [ 116.564435][ T3865] gfs2_dirent_search+0x2ea/0xb10 [ 116.569464][ T3865] ? gfs2_dirent_search+0xb10/0xb10 [ 116.574668][ T3865] ? gfs2_dir_search+0x2a0/0x2a0 [ 116.579605][ T3865] ? gfs2_permission+0x3bf/0x430 [ 116.584574][ T3865] gfs2_dir_search+0x8c/0x2a0 [ 116.589271][ T3865] ? do_filldir_main+0x530/0x530 [ 116.594210][ T3865] ? inode_go_held+0xe4/0x1f0 [ 116.598901][ T3865] ? gfs2_glock_wait+0x213/0x2a0 [ 116.603840][ T3865] gfs2_lookupi+0x465/0x650 [ 116.608354][ T3865] ? gfs2_lookup_simple+0x170/0x170 [ 116.613553][ T3865] ? __gfs2_lookup+0x8c/0x260 [ 116.618245][ T3865] __gfs2_lookup+0x8c/0x260 [ 116.622739][ T3865] ? gfs2_atomic_open+0x230/0x230 [ 116.627755][ T3865] ? __d_lookup+0x6a4/0x770 [ 116.632245][ T3865] ? d_hash_and_lookup+0x1c0/0x1c0 [ 116.637341][ T3865] gfs2_atomic_open+0xa4/0x230 [ 116.642097][ T3865] path_openat+0xf39/0x2df0 [ 116.646603][ T3865] ? gfs2_rename2+0x3000/0x3000 [ 116.651472][ T3865] ? do_filp_open+0x4f0/0x4f0 [ 116.656271][ T3865] do_filp_open+0x264/0x4f0 [ 116.660789][ T3865] ? vfs_tmpfile+0x490/0x490 [ 116.665400][ T3865] ? do_raw_spin_unlock+0x134/0x8a0 [ 116.670593][ T3865] ? _raw_spin_unlock+0x24/0x40 [ 116.675446][ T3865] ? alloc_fd+0x5a7/0x640 [ 116.679803][ T3865] do_sys_openat2+0x124/0x4e0 [ 116.685526][ T3865] ? print_irqtrace_events+0x220/0x220 [ 116.690974][ T3865] ? ptrace_stop+0x74d/0x970 [ 116.695555][ T3865] ? do_sys_open+0x220/0x220 [ 116.700146][ T3865] ? lockdep_hardirqs_on+0x8d/0x130 [ 116.705364][ T3865] ? _raw_spin_unlock_irq+0x2a/0x40 [ 116.710554][ T3865] ? ptrace_notify+0x245/0x340 [ 116.715306][ T3865] __x64_sys_openat+0x243/0x290 [ 116.720165][ T3865] ? __ia32_sys_open+0x270/0x270 [ 116.725124][ T3865] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 116.731124][ T3865] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 116.737096][ T3865] do_syscall_64+0x3d/0xb0 [ 116.741504][ T3865] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 116.747401][ T3865] RIP: 0033:0x7fc8868064d9 [ 116.753459][ T3865] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 116.773150][ T3865] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 116.782258][ T3865] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 116.790327][ T3865] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3865] <... openat resumed>) = ? [pid 3865] +++ exited with 0 +++ [pid 3864] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3864, si_uid=0, si_status=0, si_utime=0, si_stime=27} --- umount2("./75", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./75", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./75/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./75/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./75/binderfs") = 0 [ 116.798312][ T3865] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 116.806286][ T3865] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 116.814250][ T3865] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 116.822235][ T3865] umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./75/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./75/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./75/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./75") = 0 mkdir("./76", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3867 ./strace-static-x86_64: Process 3867 attached [pid 3867] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3867] chdir("./76") = 0 [pid 3867] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3867] setpgid(0, 0) = 0 [pid 3867] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3867] write(3, "1000", 4) = 4 [pid 3867] close(3) = 0 [pid 3867] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3867] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3867] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3867] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3867] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3868], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3868 [pid 3867] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3867] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3868 attached [pid 3868] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3868] memfd_create("syzkaller", 0) = 3 [pid 3868] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3868] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3868] munmap(0x7fc87e392000, 16777216) = 0 [pid 3868] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3868] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3868] close(3) = 0 [pid 3868] mkdir("./file0", 0777) = 0 [ 117.107803][ T3868] loop0: detected capacity change from 0 to 32768 [ 117.118262][ T3868] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 117.126553][ T3868] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 117.136362][ T3868] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 117.145337][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 117.152187][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3868] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3868] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3868] chdir("./file0") = 0 [pid 3868] ioctl(4, LOOP_CLR_FD) = 0 [pid 3868] close(4) = 0 [pid 3868] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3868] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3867] <... futex resumed>) = 0 [pid 3867] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3867] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3868] <... futex resumed>) = 0 [pid 3868] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3868] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3867] <... futex resumed>) = 0 [pid 3867] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3867] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3868] <... futex resumed>) = 1 [ 117.189040][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 117.196584][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 117.202130][ T3868] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 117.227734][ T3868] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3868] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3867] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3867] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3867] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3867] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3867] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3869], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3869 [pid 3867] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3869 attached [pid 3869] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 117.236503][ T3868] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 117.236503][ T3868] inode = 12 2341 [ 117.236503][ T3868] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 117.255637][ T3868] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 117.265043][ T3868] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3868 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 117.275487][ T3868] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3869] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3869] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 117.284334][ T3868] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 117.292265][ T3868] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 117.301481][ T3868] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 117.308203][ T3868] gfs2: fsid=syz:syz.0: File system withdrawn [ 117.314480][ T3868] CPU: 1 PID: 3868 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 117.324924][ T3868] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 117.334999][ T3868] Call Trace: [ 117.338287][ T3868] [ 117.341212][ T3868] dump_stack_lvl+0x1b1/0x28e [ 117.345892][ T3868] ? nf_tcp_handle_invalid+0x62e/0x62e [ 117.351347][ T3868] ? panic+0x710/0x710 [ 117.355411][ T3868] ? kobject_uevent_env+0x46b/0x8e0 [ 117.360612][ T3868] ? do_raw_spin_unlock+0x134/0x8a0 [ 117.365829][ T3868] gfs2_withdraw+0xf33/0x1540 [ 117.370529][ T3868] ? gfs2_lm+0x220/0x220 [ 117.374771][ T3868] ? gfs2_dirent_scan+0xb6/0x650 [ 117.379713][ T3868] ? panic+0x710/0x710 [ 117.383790][ T3868] ? gfs2_permission+0x2ff/0x430 [pid 3869] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3867] exit_group(0 [pid 3869] <... futex resumed>) = ? [pid 3867] <... exit_group resumed>) = ? [pid 3869] +++ exited with 0 +++ [ 117.388739][ T3868] ? gfs2_consist_inode_i+0xf3/0x110 [ 117.394063][ T3868] gfs2_dirent_scan+0x535/0x650 [ 117.398916][ T3868] ? gfs2_dirent_search+0xb10/0xb10 [ 117.404127][ T3868] gfs2_dirent_search+0x2ea/0xb10 [ 117.409186][ T3868] ? gfs2_dirent_search+0xb10/0xb10 [ 117.414403][ T3868] ? gfs2_dir_search+0x2a0/0x2a0 [ 117.419337][ T3868] ? gfs2_permission+0x3bf/0x430 [ 117.424292][ T3868] gfs2_dir_search+0x8c/0x2a0 [ 117.428995][ T3868] ? do_filldir_main+0x530/0x530 [ 117.433943][ T3868] ? inode_go_held+0xe4/0x1f0 [ 117.438633][ T3868] ? gfs2_glock_wait+0x213/0x2a0 [ 117.443579][ T3868] gfs2_lookupi+0x465/0x650 [ 117.448096][ T3868] ? gfs2_lookup_simple+0x170/0x170 [ 117.453288][ T3868] ? __gfs2_lookup+0x8c/0x260 [ 117.457967][ T3868] __gfs2_lookup+0x8c/0x260 [ 117.462465][ T3868] ? gfs2_atomic_open+0x230/0x230 [ 117.467485][ T3868] ? __d_lookup+0x6a4/0x770 [ 117.471977][ T3868] ? d_hash_and_lookup+0x1c0/0x1c0 [ 117.477079][ T3868] gfs2_atomic_open+0xa4/0x230 [ 117.481854][ T3868] path_openat+0xf39/0x2df0 [ 117.486370][ T3868] ? gfs2_rename2+0x3000/0x3000 [ 117.491222][ T3868] ? do_filp_open+0x4f0/0x4f0 [ 117.495919][ T3868] do_filp_open+0x264/0x4f0 [ 117.500427][ T3868] ? vfs_tmpfile+0x490/0x490 [ 117.505013][ T3868] ? do_raw_spin_unlock+0x134/0x8a0 [ 117.510204][ T3868] ? _raw_spin_unlock+0x24/0x40 [ 117.515055][ T3868] ? alloc_fd+0x5a7/0x640 [ 117.519394][ T3868] do_sys_openat2+0x124/0x4e0 [ 117.524061][ T3868] ? print_irqtrace_events+0x220/0x220 [ 117.529508][ T3868] ? ptrace_stop+0x74d/0x970 [ 117.534090][ T3868] ? do_sys_open+0x220/0x220 [ 117.538683][ T3868] ? lockdep_hardirqs_on+0x8d/0x130 [ 117.543895][ T3868] ? _raw_spin_unlock_irq+0x2a/0x40 [ 117.549103][ T3868] ? ptrace_notify+0x245/0x340 [ 117.553856][ T3868] __x64_sys_openat+0x243/0x290 [ 117.558698][ T3868] ? __ia32_sys_open+0x270/0x270 [ 117.563626][ T3868] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 117.569595][ T3868] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 117.575585][ T3868] do_syscall_64+0x3d/0xb0 [ 117.580006][ T3868] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 117.585886][ T3868] RIP: 0033:0x7fc8868064d9 [ 117.590289][ T3868] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 117.609894][ T3868] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 117.618305][ T3868] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 117.626272][ T3868] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3868] <... openat resumed>) = ? [pid 3868] +++ exited with 0 +++ [pid 3867] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3867, si_uid=0, si_status=0, si_utime=2, si_stime=27} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./76", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./76", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./76/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./76/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./76/binderfs") = 0 [ 117.634238][ T3868] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 117.642208][ T3868] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 117.650191][ T3868] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 117.658175][ T3868] umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./76/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./76/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./76/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./76") = 0 mkdir("./77", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3870 ./strace-static-x86_64: Process 3870 attached [pid 3870] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3870] chdir("./77") = 0 [pid 3870] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3870] setpgid(0, 0) = 0 [pid 3870] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3870] write(3, "1000", 4) = 4 [pid 3870] close(3) = 0 [pid 3870] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3870] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3870] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3870] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3870] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3871], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3871 [pid 3870] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3870] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3871 attached [pid 3871] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3871] memfd_create("syzkaller", 0) = 3 [pid 3871] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3871] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3871] munmap(0x7fc87e392000, 16777216) = 0 [pid 3871] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3871] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3871] close(3) = 0 [pid 3871] mkdir("./file0", 0777) = 0 [ 117.940589][ T3871] loop0: detected capacity change from 0 to 32768 [ 117.951192][ T3871] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 117.959745][ T3871] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 117.969251][ T3871] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 117.977880][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 117.984753][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3871] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3871] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3871] chdir("./file0") = 0 [pid 3871] ioctl(4, LOOP_CLR_FD) = 0 [pid 3871] close(4) = 0 [pid 3871] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3870] <... futex resumed>) = 0 [pid 3871] <... futex resumed>) = 1 [pid 3870] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3871] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3870] <... futex resumed>) = 0 [pid 3871] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3870] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3871] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3870] <... futex resumed>) = 0 [pid 3871] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3870] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 118.022595][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 118.030228][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 118.035457][ T3871] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 118.048335][ T3871] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 118.057208][ T3871] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 118.057208][ T3871] inode = 12 2341 [pid 3870] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 118.057208][ T3871] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 118.075982][ T3871] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 118.085145][ T3871] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3871 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 118.095268][ T3871] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 118.103942][ T3871] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 118.111290][ T3871] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 3870] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 118.120131][ T3871] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 118.126756][ T3871] gfs2: fsid=syz:syz.0: File system withdrawn [ 118.132970][ T3871] CPU: 0 PID: 3871 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 118.143439][ T3871] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 118.153489][ T3871] Call Trace: [ 118.156761][ T3871] [ 118.159685][ T3871] dump_stack_lvl+0x1b1/0x28e [ 118.164360][ T3871] ? nf_tcp_handle_invalid+0x62e/0x62e [ 118.169811][ T3871] ? panic+0x710/0x710 [ 118.173873][ T3871] ? kobject_uevent_env+0x46b/0x8e0 [ 118.179062][ T3871] ? do_raw_spin_unlock+0x134/0x8a0 [ 118.184279][ T3871] gfs2_withdraw+0xf33/0x1540 [ 118.188984][ T3871] ? gfs2_lm+0x220/0x220 [ 118.193227][ T3871] ? gfs2_dirent_scan+0xb6/0x650 [ 118.198187][ T3871] ? panic+0x710/0x710 [ 118.202258][ T3871] ? gfs2_permission+0x2ff/0x430 [ 118.207309][ T3871] ? gfs2_consist_inode_i+0xf3/0x110 [ 118.212601][ T3871] gfs2_dirent_scan+0x535/0x650 [ 118.217461][ T3871] ? gfs2_dirent_search+0xb10/0xb10 [ 118.222666][ T3871] gfs2_dirent_search+0x2ea/0xb10 [ 118.227691][ T3871] ? gfs2_dirent_search+0xb10/0xb10 [ 118.232891][ T3871] ? gfs2_dir_search+0x2a0/0x2a0 [ 118.237822][ T3871] ? gfs2_permission+0x3bf/0x430 [ 118.242781][ T3871] gfs2_dir_search+0x8c/0x2a0 [ 118.247493][ T3871] ? do_filldir_main+0x530/0x530 [ 118.252445][ T3871] ? inode_go_held+0xe4/0x1f0 [ 118.257122][ T3871] ? gfs2_glock_wait+0x213/0x2a0 [ 118.262055][ T3871] gfs2_lookupi+0x465/0x650 [ 118.266573][ T3871] ? gfs2_lookup_simple+0x170/0x170 [ 118.271795][ T3871] ? __gfs2_lookup+0x8c/0x260 [ 118.276493][ T3871] __gfs2_lookup+0x8c/0x260 [ 118.281094][ T3871] ? gfs2_atomic_open+0x230/0x230 [ 118.286143][ T3871] ? __d_lookup+0x6a4/0x770 [ 118.292409][ T3871] ? d_hash_and_lookup+0x1c0/0x1c0 [ 118.297522][ T3871] gfs2_atomic_open+0xa4/0x230 [ 118.302287][ T3871] path_openat+0xf39/0x2df0 [ 118.306790][ T3871] ? gfs2_rename2+0x3000/0x3000 [ 118.311651][ T3871] ? do_filp_open+0x4f0/0x4f0 [ 118.316331][ T3871] do_filp_open+0x264/0x4f0 [ 118.320827][ T3871] ? vfs_tmpfile+0x490/0x490 [ 118.325426][ T3871] ? do_raw_spin_unlock+0x134/0x8a0 [ 118.330884][ T3871] ? _raw_spin_unlock+0x24/0x40 [ 118.335729][ T3871] ? alloc_fd+0x5a7/0x640 [ 118.340058][ T3871] do_sys_openat2+0x124/0x4e0 [ 118.344737][ T3871] ? print_irqtrace_events+0x220/0x220 [ 118.350190][ T3871] ? ptrace_stop+0x74d/0x970 [ 118.354794][ T3871] ? do_sys_open+0x220/0x220 [ 118.359377][ T3871] ? lockdep_hardirqs_on+0x8d/0x130 [ 118.364570][ T3871] ? _raw_spin_unlock_irq+0x2a/0x40 [ 118.369762][ T3871] ? ptrace_notify+0x245/0x340 [ 118.374527][ T3871] __x64_sys_openat+0x243/0x290 [ 118.379478][ T3871] ? __ia32_sys_open+0x270/0x270 [ 118.384418][ T3871] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 118.390396][ T3871] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 118.396372][ T3871] do_syscall_64+0x3d/0xb0 [ 118.400785][ T3871] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 118.406674][ T3871] RIP: 0033:0x7fc8868064d9 [ 118.411081][ T3871] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 118.430680][ T3871] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 118.439085][ T3871] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 118.447046][ T3871] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 118.455007][ T3871] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 118.462970][ T3871] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3870] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3870] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3870] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3872], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3872 [pid 3870] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3871] <... openat resumed>) = -1 EIO (Input/output error) [pid 3871] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3871] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 3872 attached [pid 3872] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3872] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3872] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3870] exit_group(0 [pid 3871] <... futex resumed>) = ? [pid 3870] <... exit_group resumed>) = ? [pid 3871] +++ exited with 0 +++ [pid 3872] +++ exited with 0 +++ [pid 3870] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3870, si_uid=0, si_status=0, si_utime=0, si_stime=30} --- umount2("./77", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./77", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./77/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./77/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./77/binderfs") = 0 [ 118.471017][ T3871] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 118.478993][ T3871] umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./77/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./77/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./77/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./77") = 0 mkdir("./78", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3873 ./strace-static-x86_64: Process 3873 attached [pid 3873] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3873] chdir("./78") = 0 [pid 3873] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3873] setpgid(0, 0) = 0 [pid 3873] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3873] write(3, "1000", 4) = 4 [pid 3873] close(3) = 0 [pid 3873] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3873] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3873] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3873] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3873] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3874 attached , parent_tid=[3874], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3874 [pid 3874] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3874] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3873] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3874] <... futex resumed>) = 0 [pid 3873] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3874] memfd_create("syzkaller", 0) = 3 [pid 3874] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3874] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3874] munmap(0x7fc87e392000, 16777216) = 0 [pid 3874] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3874] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3874] close(3) = 0 [pid 3874] mkdir("./file0", 0777) = 0 [ 118.789524][ T3874] loop0: detected capacity change from 0 to 32768 [ 118.802230][ T3874] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 118.810708][ T3874] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 118.820817][ T3874] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 118.829347][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 118.836248][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3874] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3874] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3874] chdir("./file0") = 0 [pid 3874] ioctl(4, LOOP_CLR_FD) = 0 [pid 3874] close(4) = 0 [pid 3874] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3873] <... futex resumed>) = 0 [pid 3873] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3873] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3874] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3874] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3873] <... futex resumed>) = 0 [pid 3873] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3873] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 118.870676][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 118.879408][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 118.884891][ T3874] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 118.919614][ T3874] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 118.929980][ T3874] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 118.929980][ T3874] inode = 12 2341 [ 118.929980][ T3874] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 118.949062][ T3874] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 118.958182][ T3874] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3874 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3874] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3873] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3873] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3873] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3873] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3873] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3875], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3875 [pid 3873] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3875 attached [pid 3875] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 118.968230][ T3874] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 118.971975][ T3875] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 118.977071][ T3874] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 118.986184][ T3875] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 118.992815][ T3874] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 119.002364][ T3875] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3874 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 119.011241][ T3874] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 119.021509][ T3875] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3875 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 119.029537][ T3874] gfs2: fsid=syz:syz.0: File system withdrawn [ 119.044016][ T3874] CPU: 0 PID: 3874 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 119.044101][ T3875] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 119.054424][ T3874] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 119.054436][ T3874] Call Trace: [ 119.054443][ T3874] [ 119.054450][ T3874] dump_stack_lvl+0x1b1/0x28e [ 119.054474][ T3874] ? nf_tcp_handle_invalid+0x62e/0x62e [ 119.054495][ T3874] ? panic+0x710/0x710 [ 119.054515][ T3874] ? kobject_uevent_env+0x46b/0x8e0 [ 119.099794][ T3874] ? do_raw_spin_unlock+0x134/0x8a0 [ 119.104994][ T3874] gfs2_withdraw+0xf33/0x1540 [ 119.109678][ T3874] ? gfs2_lm+0x220/0x220 [ 119.113914][ T3874] ? gfs2_dirent_scan+0xb6/0x650 [ 119.118860][ T3874] ? panic+0x710/0x710 [ 119.122942][ T3874] ? gfs2_permission+0x2ff/0x430 [ 119.127891][ T3874] ? gfs2_consist_inode_i+0xf3/0x110 [ 119.133167][ T3874] gfs2_dirent_scan+0x535/0x650 [ 119.138010][ T3874] ? gfs2_dirent_search+0xb10/0xb10 [ 119.143724][ T3874] gfs2_dirent_search+0x2ea/0xb10 [ 119.148742][ T3874] ? gfs2_dirent_search+0xb10/0xb10 [ 119.153963][ T3874] ? gfs2_dir_search+0x2a0/0x2a0 [ 119.158922][ T3874] ? gfs2_permission+0x3bf/0x430 [ 119.163868][ T3874] gfs2_dir_search+0x8c/0x2a0 [ 119.168539][ T3874] ? do_filldir_main+0x530/0x530 [ 119.173491][ T3874] ? inode_go_held+0xe4/0x1f0 [ 119.178179][ T3874] ? gfs2_glock_wait+0x213/0x2a0 [ 119.183311][ T3874] gfs2_lookupi+0x465/0x650 [ 119.187836][ T3874] ? gfs2_lookup_simple+0x170/0x170 [ 119.193060][ T3874] ? __gfs2_lookup+0x8c/0x260 [ 119.198952][ T3874] __gfs2_lookup+0x8c/0x260 [ 119.203452][ T3874] ? gfs2_atomic_open+0x230/0x230 [ 119.208479][ T3874] ? __d_lookup+0x6a4/0x770 [ 119.212976][ T3874] ? d_hash_and_lookup+0x1c0/0x1c0 [ 119.218077][ T3874] gfs2_atomic_open+0xa4/0x230 [ 119.222836][ T3874] path_openat+0xf39/0x2df0 [ 119.227337][ T3874] ? gfs2_rename2+0x3000/0x3000 [ 119.232192][ T3874] ? do_filp_open+0x4f0/0x4f0 [ 119.236876][ T3874] do_filp_open+0x264/0x4f0 [ 119.241369][ T3874] ? vfs_tmpfile+0x490/0x490 [ 119.245957][ T3874] ? do_raw_spin_unlock+0x134/0x8a0 [ 119.251156][ T3874] ? _raw_spin_unlock+0x24/0x40 [ 119.256000][ T3874] ? alloc_fd+0x5a7/0x640 [ 119.260330][ T3874] do_sys_openat2+0x124/0x4e0 [ 119.265001][ T3874] ? print_irqtrace_events+0x220/0x220 [ 119.270447][ T3874] ? ptrace_stop+0x74d/0x970 [ 119.275037][ T3874] ? do_sys_open+0x220/0x220 [ 119.279621][ T3874] ? lockdep_hardirqs_on+0x8d/0x130 [ 119.284812][ T3874] ? _raw_spin_unlock_irq+0x2a/0x40 [ 119.290005][ T3874] ? ptrace_notify+0x245/0x340 [ 119.295716][ T3874] __x64_sys_openat+0x243/0x290 [ 119.300560][ T3874] ? __ia32_sys_open+0x270/0x270 [ 119.305494][ T3874] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 119.311502][ T3874] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 119.317480][ T3874] do_syscall_64+0x3d/0xb0 [ 119.321887][ T3874] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 119.327771][ T3874] RIP: 0033:0x7fc8868064d9 [ 119.332198][ T3874] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 119.351798][ T3874] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 119.360203][ T3874] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3875] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3873] exit_group(0) = ? [pid 3875] <... openat resumed>) = ? [pid 3874] <... openat resumed>) = ? [pid 3875] +++ exited with 0 +++ [pid 3874] +++ exited with 0 +++ [pid 3873] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3873, si_uid=0, si_status=0, si_utime=2, si_stime=42} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./78", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./78", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./78/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./78/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./78/binderfs") = 0 [ 119.368163][ T3874] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 119.376120][ T3874] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 119.384078][ T3874] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 119.392037][ T3874] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 119.400012][ T3874] umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./78/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./78/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./78/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./78") = 0 mkdir("./79", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3876 ./strace-static-x86_64: Process 3876 attached [pid 3876] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3876] chdir("./79") = 0 [pid 3876] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3876] setpgid(0, 0) = 0 [pid 3876] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3876] write(3, "1000", 4) = 4 [pid 3876] close(3) = 0 [pid 3876] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3876] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3876] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3876] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3876] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3877 attached , parent_tid=[3877], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3877 [pid 3876] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3876] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3877] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3877] memfd_create("syzkaller", 0) = 3 [pid 3877] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3877] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3877] munmap(0x7fc87e392000, 16777216) = 0 [pid 3877] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3877] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3877] close(3) = 0 [pid 3877] mkdir("./file0", 0777) = 0 [ 119.702284][ T3877] loop0: detected capacity change from 0 to 32768 [ 119.714001][ T3877] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 119.722286][ T3877] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 119.732489][ T3877] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 119.741415][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 119.748184][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3877] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3877] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3877] chdir("./file0") = 0 [pid 3877] ioctl(4, LOOP_CLR_FD) = 0 [pid 3877] close(4) = 0 [pid 3877] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3877] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3876] <... futex resumed>) = 0 [pid 3876] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3876] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3877] <... futex resumed>) = 0 [pid 3877] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3877] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3876] <... futex resumed>) = 0 [pid 3876] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3877] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3876] <... futex resumed>) = 0 [ 119.784274][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 119.792060][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 119.797673][ T3877] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 119.823370][ T3877] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3876] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3876] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3876] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3876] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3876] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3876] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3876] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3878], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3878 [pid 3876] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3878 attached [pid 3878] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 119.832111][ T3877] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 119.832111][ T3877] inode = 12 2341 [ 119.832111][ T3877] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 119.851508][ T3877] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 119.861579][ T3877] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3877 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 119.871813][ T3877] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 119.876878][ T3878] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 119.880928][ T3877] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 119.889233][ T3878] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 119.896144][ T3877] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 119.905367][ T3878] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3877 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 119.914011][ T3877] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 119.924215][ T3878] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3878 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 119.930627][ T3877] gfs2: fsid=syz:syz.0: File system withdrawn [ 119.947503][ T3877] CPU: 0 PID: 3877 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 119.950186][ T3878] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 119.957930][ T3877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 119.957944][ T3877] Call Trace: [ 119.957952][ T3877] [ 119.957961][ T3877] dump_stack_lvl+0x1b1/0x28e [ 119.987372][ T3877] ? nf_tcp_handle_invalid+0x62e/0x62e [ 119.992830][ T3877] ? panic+0x710/0x710 [ 119.996920][ T3877] ? kobject_uevent_env+0x46b/0x8e0 [ 120.002126][ T3877] ? do_raw_spin_unlock+0x134/0x8a0 [ 120.007328][ T3877] gfs2_withdraw+0xf33/0x1540 [ 120.012011][ T3877] ? gfs2_lm+0x220/0x220 [ 120.016242][ T3877] ? gfs2_dirent_scan+0xb6/0x650 [ 120.021176][ T3877] ? panic+0x710/0x710 [ 120.025241][ T3877] ? gfs2_permission+0x2ff/0x430 [ 120.030178][ T3877] ? gfs2_consist_inode_i+0xf3/0x110 [ 120.035457][ T3877] gfs2_dirent_scan+0x535/0x650 [ 120.040307][ T3877] ? gfs2_dirent_search+0xb10/0xb10 [ 120.045511][ T3877] gfs2_dirent_search+0x2ea/0xb10 [ 120.050535][ T3877] ? gfs2_dirent_search+0xb10/0xb10 [ 120.055735][ T3877] ? gfs2_dir_search+0x2a0/0x2a0 [ 120.060672][ T3877] ? gfs2_permission+0x3bf/0x430 [ 120.065611][ T3877] gfs2_dir_search+0x8c/0x2a0 [ 120.070320][ T3877] ? do_filldir_main+0x530/0x530 [ 120.075255][ T3877] ? inode_go_held+0xe4/0x1f0 [ 120.079929][ T3877] ? gfs2_glock_wait+0x213/0x2a0 [ 120.084860][ T3877] gfs2_lookupi+0x465/0x650 [ 120.089367][ T3877] ? gfs2_lookup_simple+0x170/0x170 [ 120.094562][ T3877] ? __gfs2_lookup+0x8c/0x260 [ 120.099239][ T3877] __gfs2_lookup+0x8c/0x260 [ 120.103738][ T3877] ? gfs2_atomic_open+0x230/0x230 [ 120.108769][ T3877] ? __d_lookup+0x6a4/0x770 [ 120.113265][ T3877] ? d_hash_and_lookup+0x1c0/0x1c0 [ 120.118446][ T3877] gfs2_atomic_open+0xa4/0x230 [ 120.123230][ T3877] path_openat+0xf39/0x2df0 [ 120.127733][ T3877] ? gfs2_rename2+0x3000/0x3000 [ 120.132588][ T3877] ? do_filp_open+0x4f0/0x4f0 [ 120.137267][ T3877] do_filp_open+0x264/0x4f0 [ 120.141762][ T3877] ? vfs_tmpfile+0x490/0x490 [ 120.146354][ T3877] ? do_raw_spin_unlock+0x134/0x8a0 [ 120.151559][ T3877] ? _raw_spin_unlock+0x24/0x40 [ 120.156411][ T3877] ? alloc_fd+0x5a7/0x640 [ 120.160749][ T3877] do_sys_openat2+0x124/0x4e0 [ 120.165428][ T3877] ? print_irqtrace_events+0x220/0x220 [ 120.170889][ T3877] ? ptrace_stop+0x74d/0x970 [ 120.175499][ T3877] ? do_sys_open+0x220/0x220 [ 120.180188][ T3877] ? lockdep_hardirqs_on+0x8d/0x130 [ 120.185385][ T3877] ? _raw_spin_unlock_irq+0x2a/0x40 [ 120.190589][ T3877] ? ptrace_notify+0x245/0x340 [ 120.195352][ T3877] __x64_sys_openat+0x243/0x290 [ 120.200203][ T3877] ? __ia32_sys_open+0x270/0x270 [ 120.205136][ T3877] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 120.211115][ T3877] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 120.218830][ T3877] do_syscall_64+0x3d/0xb0 [ 120.223242][ T3877] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 120.229124][ T3877] RIP: 0033:0x7fc8868064d9 [ 120.233531][ T3877] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 120.253125][ T3877] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 120.261527][ T3877] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 120.269491][ T3877] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 120.277454][ T3877] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3878] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3877] <... openat resumed>) = -1 EIO (Input/output error) [pid 3878] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3878] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3877] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3876] exit_group(0) = ? [pid 3878] <... futex resumed>) = ? [pid 3878] +++ exited with 0 +++ [pid 3877] +++ exited with 0 +++ [pid 3876] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3876, si_uid=0, si_status=0, si_utime=0, si_stime=43} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./79", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./79", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./79/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./79/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./79/binderfs") = 0 [ 120.285417][ T3877] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 120.293376][ T3877] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 120.301352][ T3877] umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./79/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./79/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./79/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./79") = 0 mkdir("./80", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3879 ./strace-static-x86_64: Process 3879 attached [pid 3879] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3879] chdir("./80") = 0 [pid 3879] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3879] setpgid(0, 0) = 0 [pid 3879] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3879] write(3, "1000", 4) = 4 [pid 3879] close(3) = 0 [pid 3879] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3879] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3879] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3879] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3879] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3880], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3880 [pid 3879] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3879] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3880 attached [pid 3880] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3880] memfd_create("syzkaller", 0) = 3 [pid 3880] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3880] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3880] munmap(0x7fc87e392000, 16777216) = 0 [pid 3880] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3880] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3880] close(3) = 0 [pid 3880] mkdir("./file0", 0777) = 0 [ 120.599475][ T3880] loop0: detected capacity change from 0 to 32768 [ 120.609503][ T3880] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 120.618744][ T3880] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 120.628468][ T3880] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 120.637488][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 120.644935][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3880] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3880] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3880] chdir("./file0") = 0 [pid 3880] ioctl(4, LOOP_CLR_FD) = 0 [pid 3880] close(4) = 0 [pid 3880] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3879] <... futex resumed>) = 0 [pid 3879] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3879] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3880] <... futex resumed>) = 1 [pid 3880] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3880] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3879] <... futex resumed>) = 0 [pid 3879] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3879] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3880] <... futex resumed>) = 1 [ 120.681326][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 120.689084][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 120.694722][ T3880] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 120.713174][ T3880] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 120.722134][ T3880] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3880] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3879] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 120.722134][ T3880] inode = 12 2341 [ 120.722134][ T3880] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 120.740849][ T3880] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 120.749896][ T3880] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3880 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 120.760007][ T3880] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 120.773659][ T3880] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3879] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3879] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3879] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3879] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3881], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3881 [pid 3879] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 120.781036][ T3880] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 120.789936][ T3880] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 120.796637][ T3880] gfs2: fsid=syz:syz.0: File system withdrawn [ 120.802806][ T3880] CPU: 0 PID: 3880 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 120.813334][ T3880] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 120.823574][ T3880] Call Trace: [ 120.826849][ T3880] [ 120.829771][ T3880] dump_stack_lvl+0x1b1/0x28e [ 120.834459][ T3880] ? nf_tcp_handle_invalid+0x62e/0x62e [ 120.839937][ T3880] ? panic+0x710/0x710 [ 120.844024][ T3880] ? kobject_uevent_env+0x46b/0x8e0 [ 120.849321][ T3880] ? do_raw_spin_unlock+0x134/0x8a0 [ 120.854533][ T3880] gfs2_withdraw+0xf33/0x1540 [ 120.859228][ T3880] ? gfs2_lm+0x220/0x220 [ 120.863464][ T3880] ? gfs2_dirent_scan+0xb6/0x650 [ 120.868423][ T3880] ? panic+0x710/0x710 [ 120.872496][ T3880] ? gfs2_permission+0x2ff/0x430 [ 120.877434][ T3880] ? gfs2_consist_inode_i+0xf3/0x110 [ 120.882731][ T3880] gfs2_dirent_scan+0x535/0x650 [ 120.887596][ T3880] ? gfs2_dirent_search+0xb10/0xb10 [ 120.892794][ T3880] gfs2_dirent_search+0x2ea/0xb10 [ 120.897830][ T3880] ? gfs2_dirent_search+0xb10/0xb10 [ 120.903018][ T3880] ? gfs2_dir_search+0x2a0/0x2a0 [ 120.907954][ T3880] ? gfs2_permission+0x3bf/0x430 [ 120.912909][ T3880] gfs2_dir_search+0x8c/0x2a0 [ 120.917586][ T3880] ? do_filldir_main+0x530/0x530 [ 120.922520][ T3880] ? inode_go_held+0xe4/0x1f0 [ 120.927193][ T3880] ? gfs2_glock_wait+0x213/0x2a0 [ 120.932125][ T3880] gfs2_lookupi+0x465/0x650 [ 120.936627][ T3880] ? gfs2_lookup_simple+0x170/0x170 [ 120.941819][ T3880] ? __gfs2_lookup+0x8c/0x260 [ 120.946517][ T3880] __gfs2_lookup+0x8c/0x260 [ 120.951037][ T3880] ? gfs2_atomic_open+0x230/0x230 [ 120.956095][ T3880] ? __d_lookup+0x6a4/0x770 [ 120.960605][ T3880] ? d_hash_and_lookup+0x1c0/0x1c0 [ 120.965715][ T3880] gfs2_atomic_open+0xa4/0x230 [ 120.970482][ T3880] path_openat+0xf39/0x2df0 [ 120.974983][ T3880] ? gfs2_rename2+0x3000/0x3000 [ 120.979847][ T3880] ? do_filp_open+0x4f0/0x4f0 [ 120.984529][ T3880] do_filp_open+0x264/0x4f0 [ 120.989024][ T3880] ? vfs_tmpfile+0x490/0x490 [ 120.993614][ T3880] ? do_raw_spin_unlock+0x134/0x8a0 [ 120.998810][ T3880] ? _raw_spin_unlock+0x24/0x40 [ 121.003660][ T3880] ? alloc_fd+0x5a7/0x640 [ 121.007991][ T3880] do_sys_openat2+0x124/0x4e0 [ 121.012662][ T3880] ? print_irqtrace_events+0x220/0x220 [ 121.018113][ T3880] ? ptrace_stop+0x74d/0x970 [ 121.022700][ T3880] ? do_sys_open+0x220/0x220 [ 121.027281][ T3880] ? lockdep_hardirqs_on+0x8d/0x130 [ 121.032472][ T3880] ? _raw_spin_unlock_irq+0x2a/0x40 [ 121.037666][ T3880] ? ptrace_notify+0x245/0x340 [ 121.042436][ T3880] __x64_sys_openat+0x243/0x290 [ 121.047286][ T3880] ? __ia32_sys_open+0x270/0x270 [ 121.052220][ T3880] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 121.058206][ T3880] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 121.064196][ T3880] do_syscall_64+0x3d/0xb0 [ 121.068613][ T3880] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 121.074498][ T3880] RIP: 0033:0x7fc8868064d9 [ 121.078903][ T3880] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 121.098605][ T3880] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 121.107045][ T3880] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 121.115136][ T3880] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 121.123113][ T3880] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 ./strace-static-x86_64: Process 3881 attached [pid 3881] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3881] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3881] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3881] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3880] <... openat resumed>) = -1 EIO (Input/output error) [pid 3880] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3880] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3879] exit_group(0 [pid 3881] <... futex resumed>) = ? [pid 3880] <... futex resumed>) = ? [pid 3879] <... exit_group resumed>) = ? [pid 3881] +++ exited with 0 +++ [pid 3880] +++ exited with 0 +++ [pid 3879] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3879, si_uid=0, si_status=0, si_utime=2, si_stime=29} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./80", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./80", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./80/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./80/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./80/binderfs") = 0 [ 121.132816][ T3880] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 121.140781][ T3880] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 121.149607][ T3880] umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./80/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./80/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./80/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./80") = 0 mkdir("./81", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3882 ./strace-static-x86_64: Process 3882 attached [pid 3882] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3882] chdir("./81") = 0 [pid 3882] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3882] setpgid(0, 0) = 0 [pid 3882] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3882] write(3, "1000", 4) = 4 [pid 3882] close(3) = 0 [pid 3882] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3882] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3882] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3882] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3882] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3883], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3883 [pid 3882] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3882] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3883 attached [pid 3883] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3883] memfd_create("syzkaller", 0) = 3 [pid 3883] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3883] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3883] munmap(0x7fc87e392000, 16777216) = 0 [pid 3883] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3883] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3883] close(3) = 0 [pid 3883] mkdir("./file0", 0777) = 0 [ 121.478798][ T3883] loop0: detected capacity change from 0 to 32768 [ 121.489835][ T3883] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 121.498209][ T3883] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 121.507159][ T3883] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 121.515971][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 121.523019][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3883] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3883] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3883] chdir("./file0") = 0 [pid 3883] ioctl(4, LOOP_CLR_FD) = 0 [pid 3883] close(4) = 0 [pid 3883] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3882] <... futex resumed>) = 0 [pid 3882] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3882] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3883] <... futex resumed>) = 1 [pid 3883] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3883] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3882] <... futex resumed>) = 0 [pid 3882] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3882] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3883] <... futex resumed>) = 1 [ 121.556110][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 121.566011][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 121.571477][ T3883] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 121.598089][ T3883] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 121.606923][ T3883] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 121.606923][ T3883] inode = 12 2341 [ 121.606923][ T3883] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 121.626056][ T3883] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 121.635220][ T3883] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3883 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3883] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3882] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3882] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3882] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3882] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3882] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3884], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3884 [pid 3882] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3884 attached [pid 3884] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3884] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3884] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 121.645549][ T3883] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 121.654117][ T3883] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 121.661412][ T3883] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 121.670277][ T3883] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 121.678054][ T3883] gfs2: fsid=syz:syz.0: File system withdrawn [ 121.684300][ T3883] CPU: 0 PID: 3883 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 121.694745][ T3883] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 121.706631][ T3883] Call Trace: [ 121.709912][ T3883] [ 121.712853][ T3883] dump_stack_lvl+0x1b1/0x28e [ 121.717539][ T3883] ? nf_tcp_handle_invalid+0x62e/0x62e [ 121.723005][ T3883] ? panic+0x710/0x710 [ 121.727092][ T3883] ? kobject_uevent_env+0x46b/0x8e0 [ 121.732313][ T3883] ? do_raw_spin_unlock+0x134/0x8a0 [ 121.737509][ T3883] gfs2_withdraw+0xf33/0x1540 [ 121.742209][ T3883] ? gfs2_lm+0x220/0x220 [pid 3884] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3882] exit_group(0 [pid 3884] <... futex resumed>) = ? [pid 3882] <... exit_group resumed>) = ? [pid 3884] +++ exited with 0 +++ [ 121.746456][ T3883] ? gfs2_dirent_scan+0xb6/0x650 [ 121.751390][ T3883] ? panic+0x710/0x710 [ 121.755483][ T3883] ? gfs2_permission+0x2ff/0x430 [ 121.761056][ T3883] ? gfs2_consist_inode_i+0xf3/0x110 [ 121.766355][ T3883] gfs2_dirent_scan+0x535/0x650 [ 121.771224][ T3883] ? gfs2_dirent_search+0xb10/0xb10 [ 121.776439][ T3883] gfs2_dirent_search+0x2ea/0xb10 [ 121.781478][ T3883] ? gfs2_dirent_search+0xb10/0xb10 [ 121.786681][ T3883] ? gfs2_dir_search+0x2a0/0x2a0 [ 121.792740][ T3883] ? gfs2_permission+0x3bf/0x430 [ 121.797709][ T3883] gfs2_dir_search+0x8c/0x2a0 [ 121.802411][ T3883] ? do_filldir_main+0x530/0x530 [ 121.807347][ T3883] ? inode_go_held+0xe4/0x1f0 [ 121.812017][ T3883] ? gfs2_glock_wait+0x213/0x2a0 [ 121.816947][ T3883] gfs2_lookupi+0x465/0x650 [ 121.821448][ T3883] ? gfs2_lookup_simple+0x170/0x170 [ 121.826640][ T3883] ? __gfs2_lookup+0x8c/0x260 [ 121.831313][ T3883] __gfs2_lookup+0x8c/0x260 [ 121.835818][ T3883] ? gfs2_atomic_open+0x230/0x230 [ 121.840868][ T3883] ? __d_lookup+0x6a4/0x770 [ 121.845377][ T3883] ? d_hash_and_lookup+0x1c0/0x1c0 [ 121.850496][ T3883] gfs2_atomic_open+0xa4/0x230 [ 121.855255][ T3883] path_openat+0xf39/0x2df0 [ 121.859751][ T3883] ? gfs2_rename2+0x3000/0x3000 [ 121.864623][ T3883] ? do_filp_open+0x4f0/0x4f0 [ 121.869314][ T3883] do_filp_open+0x264/0x4f0 [ 121.873838][ T3883] ? vfs_tmpfile+0x490/0x490 [ 121.878446][ T3883] ? do_raw_spin_unlock+0x134/0x8a0 [ 121.883673][ T3883] ? _raw_spin_unlock+0x24/0x40 [ 121.888527][ T3883] ? alloc_fd+0x5a7/0x640 [ 121.892867][ T3883] do_sys_openat2+0x124/0x4e0 [ 121.897543][ T3883] ? print_irqtrace_events+0x220/0x220 [ 121.902996][ T3883] ? ptrace_stop+0x74d/0x970 [ 121.907593][ T3883] ? do_sys_open+0x220/0x220 [ 121.912224][ T3883] ? lockdep_hardirqs_on+0x8d/0x130 [ 121.917414][ T3883] ? _raw_spin_unlock_irq+0x2a/0x40 [ 121.922618][ T3883] ? ptrace_notify+0x245/0x340 [ 121.927386][ T3883] __x64_sys_openat+0x243/0x290 [ 121.932332][ T3883] ? __ia32_sys_open+0x270/0x270 [ 121.937280][ T3883] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 121.943267][ T3883] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 121.949699][ T3883] do_syscall_64+0x3d/0xb0 [ 121.954117][ T3883] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 121.960021][ T3883] RIP: 0033:0x7fc8868064d9 [ 121.964427][ T3883] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 121.984026][ T3883] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 121.992440][ T3883] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3883] <... openat resumed>) = ? [pid 3883] +++ exited with 0 +++ [pid 3882] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3882, si_uid=0, si_status=0, si_utime=2, si_stime=28} --- umount2("./81", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./81", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./81/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./81/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./81/binderfs") = 0 [ 122.000499][ T3883] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 122.008487][ T3883] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 122.016457][ T3883] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 122.024433][ T3883] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 122.032410][ T3883] umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./81/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./81/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./81/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./81") = 0 mkdir("./82", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3885 ./strace-static-x86_64: Process 3885 attached [pid 3885] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3885] chdir("./82") = 0 [pid 3885] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3885] setpgid(0, 0) = 0 [pid 3885] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3885] write(3, "1000", 4) = 4 [pid 3885] close(3) = 0 [pid 3885] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3885] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3885] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3885] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3885] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3886], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3886 [pid 3885] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3885] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3886 attached [pid 3886] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3886] memfd_create("syzkaller", 0) = 3 [pid 3886] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3886] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3886] munmap(0x7fc87e392000, 16777216) = 0 [pid 3886] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3886] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3886] close(3) = 0 [pid 3886] mkdir("./file0", 0777) = 0 [ 122.340023][ T3886] loop0: detected capacity change from 0 to 32768 [ 122.351097][ T3886] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 122.359313][ T3886] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 122.369083][ T3886] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 122.377996][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 122.384920][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3886] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3886] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3886] chdir("./file0") = 0 [pid 3886] ioctl(4, LOOP_CLR_FD) = 0 [pid 3886] close(4) = 0 [pid 3886] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3885] <... futex resumed>) = 0 [pid 3885] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3885] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3886] <... futex resumed>) = 1 [pid 3886] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3886] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3885] <... futex resumed>) = 0 [pid 3885] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3885] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3886] <... futex resumed>) = 1 [ 122.417705][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 122.426532][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 122.431931][ T3886] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 122.453032][ T3886] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3886] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3885] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3885] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3885] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3885] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3885] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3885] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3887], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3887 [pid 3885] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3887 attached [pid 3887] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 122.462019][ T3886] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 122.462019][ T3886] inode = 12 2341 [ 122.462019][ T3886] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 122.480970][ T3886] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 122.490046][ T3886] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3886 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 122.500923][ T3886] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 122.505713][ T3887] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 122.509723][ T3886] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 122.518354][ T3887] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 122.525408][ T3886] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 122.534728][ T3887] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3886 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 122.543358][ T3886] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 122.553623][ T3887] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3887 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 122.561648][ T3886] gfs2: fsid=syz:syz.0: File system withdrawn [ 122.570124][ T3887] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 122.575864][ T3886] CPU: 0 PID: 3886 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 122.594462][ T3886] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 122.604519][ T3886] Call Trace: [ 122.607787][ T3886] [ 122.610796][ T3886] dump_stack_lvl+0x1b1/0x28e [ 122.615475][ T3886] ? nf_tcp_handle_invalid+0x62e/0x62e [ 122.620936][ T3886] ? panic+0x710/0x710 [ 122.624994][ T3886] ? kobject_uevent_env+0x46b/0x8e0 [ 122.630190][ T3886] ? do_raw_spin_unlock+0x134/0x8a0 [ 122.635398][ T3886] gfs2_withdraw+0xf33/0x1540 [ 122.640113][ T3886] ? gfs2_lm+0x220/0x220 [ 122.644346][ T3886] ? gfs2_dirent_scan+0xb6/0x650 [ 122.649311][ T3886] ? panic+0x710/0x710 [ 122.653407][ T3886] ? gfs2_permission+0x2ff/0x430 [ 122.658354][ T3886] ? gfs2_consist_inode_i+0xf3/0x110 [ 122.663641][ T3886] gfs2_dirent_scan+0x535/0x650 [ 122.668497][ T3886] ? gfs2_dirent_search+0xb10/0xb10 [ 122.673693][ T3886] gfs2_dirent_search+0x2ea/0xb10 [ 122.678715][ T3886] ? gfs2_dirent_search+0xb10/0xb10 [ 122.683911][ T3886] ? gfs2_dir_search+0x2a0/0x2a0 [ 122.688851][ T3886] ? gfs2_permission+0x3bf/0x430 [ 122.693788][ T3886] gfs2_dir_search+0x8c/0x2a0 [ 122.698461][ T3886] ? do_filldir_main+0x530/0x530 [ 122.703480][ T3886] ? inode_go_held+0xe4/0x1f0 [ 122.708164][ T3886] ? gfs2_glock_wait+0x213/0x2a0 [ 122.713192][ T3886] gfs2_lookupi+0x465/0x650 [ 122.717697][ T3886] ? gfs2_lookup_simple+0x170/0x170 [ 122.722901][ T3886] ? __gfs2_lookup+0x8c/0x260 [ 122.727596][ T3886] __gfs2_lookup+0x8c/0x260 [ 122.732096][ T3886] ? gfs2_atomic_open+0x230/0x230 [ 122.737116][ T3886] ? __d_lookup+0x6a4/0x770 [ 122.741611][ T3886] ? d_hash_and_lookup+0x1c0/0x1c0 [ 122.746714][ T3886] gfs2_atomic_open+0xa4/0x230 [ 122.751490][ T3886] path_openat+0xf39/0x2df0 [ 122.756078][ T3886] ? gfs2_rename2+0x3000/0x3000 [ 122.760933][ T3886] ? do_filp_open+0x4f0/0x4f0 [ 122.765614][ T3886] do_filp_open+0x264/0x4f0 [ 122.770147][ T3886] ? vfs_tmpfile+0x490/0x490 [ 122.774739][ T3886] ? do_raw_spin_unlock+0x134/0x8a0 [ 122.779955][ T3886] ? _raw_spin_unlock+0x24/0x40 [ 122.784812][ T3886] ? alloc_fd+0x5a7/0x640 [ 122.789146][ T3886] do_sys_openat2+0x124/0x4e0 [ 122.793822][ T3886] ? print_irqtrace_events+0x220/0x220 [ 122.799291][ T3886] ? ptrace_stop+0x74d/0x970 [ 122.803887][ T3886] ? do_sys_open+0x220/0x220 [ 122.808475][ T3886] ? lockdep_hardirqs_on+0x8d/0x130 [ 122.813670][ T3886] ? _raw_spin_unlock_irq+0x2a/0x40 [ 122.818865][ T3886] ? ptrace_notify+0x245/0x340 [ 122.823620][ T3886] __x64_sys_openat+0x243/0x290 [ 122.828466][ T3886] ? __ia32_sys_open+0x270/0x270 [ 122.833397][ T3886] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 122.839371][ T3886] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 122.845345][ T3886] do_syscall_64+0x3d/0xb0 [ 122.849755][ T3886] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 122.855642][ T3886] RIP: 0033:0x7fc8868064d9 [ 122.860052][ T3886] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 122.880549][ T3886] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 122.888953][ T3886] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 122.896915][ T3886] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 122.904888][ T3886] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3887] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3886] <... openat resumed>) = -1 EIO (Input/output error) [pid 3887] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3887] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3886] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3885] exit_group(0 [pid 3887] <... futex resumed>) = ? [pid 3885] <... exit_group resumed>) = ? [pid 3887] +++ exited with 0 +++ [pid 3886] +++ exited with 0 +++ [pid 3885] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3885, si_uid=0, si_status=0, si_utime=3, si_stime=38} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./82", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./82", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./82/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./82/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./82/binderfs") = 0 [ 122.912862][ T3886] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 122.920825][ T3886] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 122.928804][ T3886] umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./82/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./82/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./82/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./82") = 0 mkdir("./83", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3888 ./strace-static-x86_64: Process 3888 attached [pid 3888] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3888] chdir("./83") = 0 [pid 3888] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3888] setpgid(0, 0) = 0 [pid 3888] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3888] write(3, "1000", 4) = 4 [pid 3888] close(3) = 0 [pid 3888] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3888] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3888] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3888] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3888] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3889 attached , parent_tid=[3889], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3889 [pid 3888] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3889] set_robust_list(0x7fc8867b29e0, 24 [pid 3888] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3889] <... set_robust_list resumed>) = 0 [pid 3889] memfd_create("syzkaller", 0) = 3 [pid 3889] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3889] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3889] munmap(0x7fc87e392000, 16777216) = 0 [pid 3889] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3889] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3889] close(3) = 0 [pid 3889] mkdir("./file0", 0777) = 0 [ 123.237096][ T3889] loop0: detected capacity change from 0 to 32768 [ 123.249112][ T3889] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 123.257658][ T3889] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 123.267674][ T3889] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 123.277119][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 123.284339][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3889] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3889] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3889] chdir("./file0") = 0 [pid 3889] ioctl(4, LOOP_CLR_FD) = 0 [pid 3889] close(4) = 0 [pid 3889] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3888] <... futex resumed>) = 0 [pid 3888] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3888] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3889] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3889] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3888] <... futex resumed>) = 0 [pid 3888] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3888] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3889] <... futex resumed>) = 1 [ 123.317300][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 123.325066][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 123.330504][ T3889] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 123.357661][ T3889] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 123.366347][ T3889] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 123.366347][ T3889] inode = 12 2341 [ 123.366347][ T3889] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 123.385466][ T3889] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 123.395058][ T3889] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3889 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3889] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3888] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3888] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3888] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [ 123.405119][ T3889] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 123.413648][ T3889] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 123.420956][ T3889] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 123.429766][ T3889] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 123.437932][ T3889] gfs2: fsid=syz:syz.0: File system withdrawn [ 123.444129][ T3889] CPU: 0 PID: 3889 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 123.454560][ T3889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 123.464616][ T3889] Call Trace: [ 123.467884][ T3889] [ 123.470808][ T3889] dump_stack_lvl+0x1b1/0x28e [ 123.475492][ T3889] ? nf_tcp_handle_invalid+0x62e/0x62e [ 123.480937][ T3889] ? panic+0x710/0x710 [ 123.484996][ T3889] ? kobject_uevent_env+0x46b/0x8e0 [ 123.490194][ T3889] ? do_raw_spin_unlock+0x134/0x8a0 [ 123.495412][ T3889] gfs2_withdraw+0xf33/0x1540 [ 123.500102][ T3889] ? gfs2_lm+0x220/0x220 [ 123.504348][ T3889] ? gfs2_dirent_scan+0xb6/0x650 [ 123.509280][ T3889] ? panic+0x710/0x710 [ 123.513338][ T3889] ? gfs2_permission+0x2ff/0x430 [ 123.518271][ T3889] ? gfs2_consist_inode_i+0xf3/0x110 [ 123.523553][ T3889] gfs2_dirent_scan+0x535/0x650 [ 123.528414][ T3889] ? gfs2_dirent_search+0xb10/0xb10 [ 123.533608][ T3889] gfs2_dirent_search+0x2ea/0xb10 [ 123.538632][ T3889] ? gfs2_dirent_search+0xb10/0xb10 [ 123.544263][ T3889] ? gfs2_dir_search+0x2a0/0x2a0 [ 123.549195][ T3889] ? gfs2_permission+0x3bf/0x430 [ 123.554138][ T3889] gfs2_dir_search+0x8c/0x2a0 [ 123.558813][ T3889] ? do_filldir_main+0x530/0x530 [ 123.563742][ T3889] ? inode_go_held+0xe4/0x1f0 [ 123.568417][ T3889] ? gfs2_glock_wait+0x213/0x2a0 [ 123.573346][ T3889] gfs2_lookupi+0x465/0x650 [ 123.577846][ T3889] ? gfs2_lookup_simple+0x170/0x170 [ 123.583041][ T3889] ? __gfs2_lookup+0x8c/0x260 [ 123.587717][ T3889] __gfs2_lookup+0x8c/0x260 [ 123.592218][ T3889] ? gfs2_atomic_open+0x230/0x230 [ 123.597236][ T3889] ? __d_lookup+0x6a4/0x770 [ 123.601730][ T3889] ? d_hash_and_lookup+0x1c0/0x1c0 [ 123.606831][ T3889] gfs2_atomic_open+0xa4/0x230 [ 123.611603][ T3889] path_openat+0xf39/0x2df0 [ 123.616120][ T3889] ? gfs2_rename2+0x3000/0x3000 [ 123.620987][ T3889] ? do_filp_open+0x4f0/0x4f0 [ 123.626031][ T3889] do_filp_open+0x264/0x4f0 [ 123.630535][ T3889] ? vfs_tmpfile+0x490/0x490 [ 123.635136][ T3889] ? do_raw_spin_unlock+0x134/0x8a0 [ 123.640355][ T3889] ? _raw_spin_unlock+0x24/0x40 [ 123.645375][ T3889] ? alloc_fd+0x5a7/0x640 [ 123.649707][ T3889] do_sys_openat2+0x124/0x4e0 [ 123.654987][ T3889] ? print_irqtrace_events+0x220/0x220 [ 123.660434][ T3889] ? ptrace_stop+0x74d/0x970 [ 123.665020][ T3889] ? do_sys_open+0x220/0x220 [ 123.669604][ T3889] ? lockdep_hardirqs_on+0x8d/0x130 [ 123.674837][ T3889] ? _raw_spin_unlock_irq+0x2a/0x40 [ 123.680035][ T3889] ? ptrace_notify+0x245/0x340 [ 123.684793][ T3889] __x64_sys_openat+0x243/0x290 [ 123.689638][ T3889] ? __ia32_sys_open+0x270/0x270 [ 123.694569][ T3889] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 123.700553][ T3889] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 123.706524][ T3889] do_syscall_64+0x3d/0xb0 [ 123.710943][ T3889] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 123.716826][ T3889] RIP: 0033:0x7fc8868064d9 [ 123.721945][ T3889] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 123.741543][ T3889] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 123.749951][ T3889] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3888] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3888] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID [pid 3889] <... openat resumed>) = -1 EIO (Input/output error) ./strace-static-x86_64: Process 3890 attached [pid 3889] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3888] <... clone resumed>, parent_tid=[3890], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3890 [pid 3890] set_robust_list(0x7fc87f3919e0, 24 [pid 3889] <... futex resumed>) = 0 [pid 3890] <... set_robust_list resumed>) = 0 [pid 3889] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3888] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3890] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3890] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3888] exit_group(0) = ? [pid 3889] <... futex resumed>) = ? [pid 3889] +++ exited with 0 +++ [pid 3890] +++ exited with 0 +++ [pid 3888] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3888, si_uid=0, si_status=0, si_utime=0, si_stime=31} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./83", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./83", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./83/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./83/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./83/binderfs") = 0 [ 123.757913][ T3889] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 123.765876][ T3889] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 123.773839][ T3889] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 123.781810][ T3889] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 123.789783][ T3889] umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./83/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./83/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./83/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./83") = 0 mkdir("./84", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3891 attached , child_tidptr=0x55555635f5d0) = 3891 [pid 3891] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3891] chdir("./84") = 0 [pid 3891] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3891] setpgid(0, 0) = 0 [pid 3891] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3891] write(3, "1000", 4) = 4 [pid 3891] close(3) = 0 [pid 3891] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3891] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3891] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3891] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3891] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3892], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3892 [pid 3891] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3891] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3892 attached [pid 3892] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3892] memfd_create("syzkaller", 0) = 3 [pid 3892] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3892] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3892] munmap(0x7fc87e392000, 16777216) = 0 [pid 3892] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3892] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3892] close(3) = 0 [pid 3892] mkdir("./file0", 0777) = 0 [ 124.095443][ T3892] loop0: detected capacity change from 0 to 32768 [ 124.106294][ T3892] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 124.114816][ T3892] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 124.124647][ T3892] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 124.133337][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 124.140230][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3892] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3892] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3892] chdir("./file0") = 0 [pid 3892] ioctl(4, LOOP_CLR_FD) = 0 [pid 3892] close(4) = 0 [pid 3892] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3891] <... futex resumed>) = 0 [pid 3891] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3891] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3892] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3892] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3891] <... futex resumed>) = 0 [pid 3892] <... futex resumed>) = 1 [pid 3891] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3892] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3891] <... futex resumed>) = 0 [ 124.174952][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 124.182476][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 124.187718][ T3892] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 124.222311][ T3892] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 124.230916][ T3892] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 124.230916][ T3892] inode = 12 2341 [ 124.230916][ T3892] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 124.250821][ T3892] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 124.259867][ T3892] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3892 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3891] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3891] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3891] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3891] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3891] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3893], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3893 [pid 3891] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3893 attached [pid 3893] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3893] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3893] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 124.269918][ T3892] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 124.278969][ T3892] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 124.286410][ T3892] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 124.295461][ T3892] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 124.302112][ T3892] gfs2: fsid=syz:syz.0: File system withdrawn [ 124.308187][ T3892] CPU: 0 PID: 3892 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 124.318591][ T3892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 124.328649][ T3892] Call Trace: [ 124.331937][ T3892] [ 124.334884][ T3892] dump_stack_lvl+0x1b1/0x28e [ 124.339575][ T3892] ? nf_tcp_handle_invalid+0x62e/0x62e [ 124.345036][ T3892] ? panic+0x710/0x710 [ 124.349130][ T3892] ? kobject_uevent_env+0x46b/0x8e0 [ 124.354342][ T3892] ? do_raw_spin_unlock+0x134/0x8a0 [ 124.359540][ T3892] gfs2_withdraw+0xf33/0x1540 [ 124.364405][ T3892] ? gfs2_lm+0x220/0x220 [ 124.368644][ T3892] ? gfs2_dirent_scan+0xb6/0x650 [ 124.373576][ T3892] ? panic+0x710/0x710 [ 124.377637][ T3892] ? gfs2_permission+0x2ff/0x430 [ 124.382576][ T3892] ? gfs2_consist_inode_i+0xf3/0x110 [ 124.387858][ T3892] gfs2_dirent_scan+0x535/0x650 [ 124.392709][ T3892] ? gfs2_dirent_search+0xb10/0xb10 [ 124.397908][ T3892] gfs2_dirent_search+0x2ea/0xb10 [ 124.402931][ T3892] ? gfs2_dirent_search+0xb10/0xb10 [ 124.408130][ T3892] ? gfs2_dir_search+0x2a0/0x2a0 [ 124.413064][ T3892] ? gfs2_permission+0x3bf/0x430 [ 124.418004][ T3892] gfs2_dir_search+0x8c/0x2a0 [ 124.422681][ T3892] ? do_filldir_main+0x530/0x530 [ 124.427701][ T3892] ? inode_go_held+0xe4/0x1f0 [ 124.432375][ T3892] ? gfs2_glock_wait+0x213/0x2a0 [ 124.437311][ T3892] gfs2_lookupi+0x465/0x650 [ 124.442002][ T3892] ? gfs2_lookup_simple+0x170/0x170 [ 124.447199][ T3892] ? __gfs2_lookup+0x8c/0x260 [ 124.451883][ T3892] __gfs2_lookup+0x8c/0x260 [ 124.456383][ T3892] ? gfs2_atomic_open+0x230/0x230 [ 124.461405][ T3892] ? __d_lookup+0x6a4/0x770 [ 124.465900][ T3892] ? d_hash_and_lookup+0x1c0/0x1c0 [ 124.471007][ T3892] gfs2_atomic_open+0xa4/0x230 [ 124.475770][ T3892] path_openat+0xf39/0x2df0 [ 124.480274][ T3892] ? gfs2_rename2+0x3000/0x3000 [ 124.485131][ T3892] ? do_filp_open+0x4f0/0x4f0 [ 124.489810][ T3892] do_filp_open+0x264/0x4f0 [ 124.494304][ T3892] ? vfs_tmpfile+0x490/0x490 [ 124.498895][ T3892] ? do_raw_spin_unlock+0x134/0x8a0 [ 124.504093][ T3892] ? _raw_spin_unlock+0x24/0x40 [ 124.508938][ T3892] ? alloc_fd+0x5a7/0x640 [ 124.513272][ T3892] do_sys_openat2+0x124/0x4e0 [ 124.517944][ T3892] ? print_irqtrace_events+0x220/0x220 [ 124.523390][ T3892] ? ptrace_stop+0x74d/0x970 [ 124.527973][ T3892] ? do_sys_open+0x220/0x220 [ 124.532557][ T3892] ? lockdep_hardirqs_on+0x8d/0x130 [ 124.537751][ T3892] ? _raw_spin_unlock_irq+0x2a/0x40 [ 124.542942][ T3892] ? ptrace_notify+0x245/0x340 [ 124.547696][ T3892] __x64_sys_openat+0x243/0x290 [ 124.552543][ T3892] ? __ia32_sys_open+0x270/0x270 [ 124.557475][ T3892] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 124.563447][ T3892] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 124.569421][ T3892] do_syscall_64+0x3d/0xb0 [ 124.573831][ T3892] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 124.579715][ T3892] RIP: 0033:0x7fc8868064d9 [ 124.584123][ T3892] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 124.603720][ T3892] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 124.612124][ T3892] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3893] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3892] <... openat resumed>) = -1 EIO (Input/output error) [pid 3892] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3891] exit_group(0 [pid 3892] <... futex resumed>) = ? [pid 3891] <... exit_group resumed>) = ? [pid 3892] +++ exited with 0 +++ [pid 3893] <... futex resumed>) = ? [pid 3893] +++ exited with 0 +++ [pid 3891] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3891, si_uid=0, si_status=0, si_utime=4, si_stime=27} --- umount2("./84", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./84", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./84/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./84/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./84/binderfs") = 0 [ 124.620090][ T3892] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 124.628049][ T3892] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 124.636006][ T3892] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 124.643967][ T3892] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 124.651941][ T3892] umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./84/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./84/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./84/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./84") = 0 mkdir("./85", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3894 ./strace-static-x86_64: Process 3894 attached [pid 3894] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3894] chdir("./85") = 0 [pid 3894] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3894] setpgid(0, 0) = 0 [pid 3894] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3894] write(3, "1000", 4) = 4 [pid 3894] close(3) = 0 [pid 3894] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3894] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3894] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3894] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3894] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3895 attached [pid 3895] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3895] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3894] <... clone resumed>, parent_tid=[3895], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3895 [pid 3894] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3894] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3895] <... futex resumed>) = 0 [pid 3895] memfd_create("syzkaller", 0) = 3 [pid 3895] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3895] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3895] munmap(0x7fc87e392000, 16777216) = 0 [pid 3895] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3895] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3895] close(3) = 0 [pid 3895] mkdir("./file0", 0777) = 0 [ 124.944344][ T3895] loop0: detected capacity change from 0 to 32768 [ 124.955484][ T3895] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 124.964195][ T3895] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 124.973429][ T3895] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 124.982207][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 124.989250][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3895] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3895] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3895] chdir("./file0") = 0 [pid 3895] ioctl(4, LOOP_CLR_FD) = 0 [pid 3895] close(4) = 0 [pid 3895] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3894] <... futex resumed>) = 0 [pid 3894] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3894] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3895] <... futex resumed>) = 1 [pid 3895] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3895] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3894] <... futex resumed>) = 0 [pid 3894] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3894] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3895] <... futex resumed>) = 1 [ 125.024898][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 125.032715][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 125.038017][ T3895] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 125.053046][ T3895] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 125.061719][ T3895] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 125.061719][ T3895] inode = 12 2341 [pid 3895] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3894] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3894] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 125.061719][ T3895] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 125.080738][ T3895] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 125.089813][ T3895] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3895 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 125.100055][ T3895] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 125.108651][ T3895] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 125.116007][ T3895] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 3894] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [ 125.125025][ T3895] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 125.132135][ T3895] gfs2: fsid=syz:syz.0: File system withdrawn [ 125.138504][ T3895] CPU: 0 PID: 3895 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 125.148937][ T3895] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 125.158989][ T3895] Call Trace: [ 125.162259][ T3895] [ 125.165184][ T3895] dump_stack_lvl+0x1b1/0x28e [ 125.169861][ T3895] ? nf_tcp_handle_invalid+0x62e/0x62e [ 125.176184][ T3895] ? panic+0x710/0x710 [ 125.180253][ T3895] ? kobject_uevent_env+0x46b/0x8e0 [ 125.185447][ T3895] ? do_raw_spin_unlock+0x134/0x8a0 [ 125.190645][ T3895] gfs2_withdraw+0xf33/0x1540 [ 125.195327][ T3895] ? gfs2_lm+0x220/0x220 [ 125.199567][ T3895] ? gfs2_dirent_scan+0xb6/0x650 [ 125.204500][ T3895] ? panic+0x710/0x710 [ 125.208565][ T3895] ? gfs2_permission+0x2ff/0x430 [ 125.213500][ T3895] ? gfs2_consist_inode_i+0xf3/0x110 [ 125.218781][ T3895] gfs2_dirent_scan+0x535/0x650 [ 125.223630][ T3895] ? gfs2_dirent_search+0xb10/0xb10 [ 125.229002][ T3895] gfs2_dirent_search+0x2ea/0xb10 [ 125.234024][ T3895] ? gfs2_dirent_search+0xb10/0xb10 [ 125.239569][ T3895] ? gfs2_dir_search+0x2a0/0x2a0 [ 125.244499][ T3895] ? gfs2_permission+0x3bf/0x430 [ 125.249437][ T3895] gfs2_dir_search+0x8c/0x2a0 [ 125.254111][ T3895] ? do_filldir_main+0x530/0x530 [ 125.259042][ T3895] ? inode_go_held+0xe4/0x1f0 [ 125.263717][ T3895] ? gfs2_glock_wait+0x213/0x2a0 [ 125.268649][ T3895] gfs2_lookupi+0x465/0x650 [ 125.273156][ T3895] ? gfs2_lookup_simple+0x170/0x170 [ 125.278353][ T3895] ? __gfs2_lookup+0x8c/0x260 [ 125.283034][ T3895] __gfs2_lookup+0x8c/0x260 [ 125.287535][ T3895] ? gfs2_atomic_open+0x230/0x230 [ 125.292559][ T3895] ? __d_lookup+0x6a4/0x770 [ 125.297054][ T3895] ? d_hash_and_lookup+0x1c0/0x1c0 [ 125.302163][ T3895] gfs2_atomic_open+0xa4/0x230 [ 125.306925][ T3895] path_openat+0xf39/0x2df0 [ 125.311432][ T3895] ? gfs2_rename2+0x3000/0x3000 [ 125.316295][ T3895] ? do_filp_open+0x4f0/0x4f0 [ 125.320976][ T3895] do_filp_open+0x264/0x4f0 [ 125.325469][ T3895] ? vfs_tmpfile+0x490/0x490 [ 125.330057][ T3895] ? do_raw_spin_unlock+0x134/0x8a0 [ 125.335263][ T3895] ? _raw_spin_unlock+0x24/0x40 [ 125.340110][ T3895] ? alloc_fd+0x5a7/0x640 [ 125.344444][ T3895] do_sys_openat2+0x124/0x4e0 [ 125.349116][ T3895] ? print_irqtrace_events+0x220/0x220 [ 125.354561][ T3895] ? ptrace_stop+0x74d/0x970 [ 125.359144][ T3895] ? do_sys_open+0x220/0x220 [ 125.363733][ T3895] ? lockdep_hardirqs_on+0x8d/0x130 [ 125.368925][ T3895] ? _raw_spin_unlock_irq+0x2a/0x40 [ 125.374119][ T3895] ? ptrace_notify+0x245/0x340 [ 125.378878][ T3895] __x64_sys_openat+0x243/0x290 [ 125.383722][ T3895] ? __ia32_sys_open+0x270/0x270 [ 125.388661][ T3895] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 125.394640][ T3895] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 125.400617][ T3895] do_syscall_64+0x3d/0xb0 [ 125.405027][ T3895] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 125.410909][ T3895] RIP: 0033:0x7fc8868064d9 [ 125.415317][ T3895] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 125.434913][ T3895] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 125.443315][ T3895] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 125.451276][ T3895] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 125.459251][ T3895] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 125.467210][ T3895] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3894] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3894] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3896], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3896 [pid 3894] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3895] <... openat resumed>) = -1 EIO (Input/output error) [pid 3895] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3895] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 3896 attached [pid 3896] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3896] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3896] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3896] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3894] exit_group(0 [pid 3896] <... futex resumed>) = ? [pid 3895] <... futex resumed>) = ? [pid 3894] <... exit_group resumed>) = ? [pid 3895] +++ exited with 0 +++ [pid 3896] +++ exited with 0 +++ [pid 3894] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3894, si_uid=0, si_status=0, si_utime=1, si_stime=30} --- umount2("./85", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./85", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./85/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./85/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./85/binderfs") = 0 [ 125.475173][ T3895] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 125.483148][ T3895] umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./85/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./85/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./85/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./85") = 0 mkdir("./86", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3897 ./strace-static-x86_64: Process 3897 attached [pid 3897] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3897] chdir("./86") = 0 [pid 3897] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3897] setpgid(0, 0) = 0 [pid 3897] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3897] write(3, "1000", 4) = 4 [pid 3897] close(3) = 0 [pid 3897] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3897] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3897] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3897] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3897] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3898], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3898 ./strace-static-x86_64: Process 3898 attached [pid 3898] set_robust_list(0x7fc8867b29e0, 24 [pid 3897] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3898] <... set_robust_list resumed>) = 0 [pid 3897] <... futex resumed>) = 0 [pid 3897] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3898] memfd_create("syzkaller", 0) = 3 [pid 3898] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3898] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3898] munmap(0x7fc87e392000, 16777216) = 0 [pid 3898] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3898] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3898] close(3) = 0 [pid 3898] mkdir("./file0", 0777) = 0 [ 125.778810][ T3898] loop0: detected capacity change from 0 to 32768 [ 125.789884][ T3898] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 125.798651][ T3898] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 125.808561][ T3898] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 125.817121][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 125.824017][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3898] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3898] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3898] chdir("./file0") = 0 [pid 3898] ioctl(4, LOOP_CLR_FD) = 0 [pid 3898] close(4) = 0 [pid 3898] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3897] <... futex resumed>) = 0 [pid 3897] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3897] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3898] <... futex resumed>) = 1 [pid 3898] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3898] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3897] <... futex resumed>) = 0 [pid 3897] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3897] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3898] <... futex resumed>) = 1 [ 125.863549][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 125.872271][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 125.877541][ T3898] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 125.894269][ T3898] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 125.903309][ T3898] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3898] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3897] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3897] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3897] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3897] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3897] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3899], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3899 [pid 3897] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3899 attached [pid 3899] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 125.903309][ T3898] inode = 12 2341 [ 125.903309][ T3898] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 125.922437][ T3898] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 125.931916][ T3898] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3898 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 125.942389][ T3898] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 125.947072][ T3899] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 125.959778][ T3899] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 125.959778][ T3899] inode = 12 2341 [ 125.959778][ T3899] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 125.960056][ T3898] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 125.978954][ T3899] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 125.985863][ T3898] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 125.995307][ T3899] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3898 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 126.003779][ T3898] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 126.014058][ T3899] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3899 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 126.021911][ T3898] gfs2: fsid=syz:syz.0: File system withdrawn [ 126.030598][ T3899] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 126.036583][ T3898] CPU: 1 PID: 3898 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 126.054918][ T3898] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 126.066289][ T3898] Call Trace: [ 126.069567][ T3898] [ 126.072502][ T3898] dump_stack_lvl+0x1b1/0x28e [ 126.077173][ T3898] ? nf_tcp_handle_invalid+0x62e/0x62e [ 126.082643][ T3898] ? panic+0x710/0x710 [ 126.086708][ T3898] ? kobject_uevent_env+0x46b/0x8e0 [ 126.091943][ T3898] ? do_raw_spin_unlock+0x134/0x8a0 [ 126.097192][ T3898] gfs2_withdraw+0xf33/0x1540 [ 126.101982][ T3898] ? gfs2_lm+0x220/0x220 [ 126.106230][ T3898] ? gfs2_dirent_scan+0xb6/0x650 [pid 3899] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3897] exit_group(0) = ? [ 126.111183][ T3898] ? panic+0x710/0x710 [ 126.115258][ T3898] ? gfs2_permission+0x2ff/0x430 [ 126.120206][ T3898] ? gfs2_consist_inode_i+0xf3/0x110 [ 126.125502][ T3898] gfs2_dirent_scan+0x535/0x650 [ 126.130350][ T3898] ? gfs2_dirent_search+0xb10/0xb10 [ 126.135559][ T3898] gfs2_dirent_search+0x2ea/0xb10 [ 126.140610][ T3898] ? gfs2_dirent_search+0xb10/0xb10 [ 126.145816][ T3898] ? gfs2_dir_search+0x2a0/0x2a0 [ 126.150746][ T3898] ? gfs2_permission+0x3bf/0x430 [ 126.155692][ T3898] gfs2_dir_search+0x8c/0x2a0 [ 126.160380][ T3898] ? do_filldir_main+0x530/0x530 [ 126.166717][ T3898] ? inode_go_held+0xe4/0x1f0 [ 126.171412][ T3898] ? gfs2_glock_wait+0x213/0x2a0 [ 126.176361][ T3898] gfs2_lookupi+0x465/0x650 [ 126.180881][ T3898] ? gfs2_lookup_simple+0x170/0x170 [ 126.186090][ T3898] ? __gfs2_lookup+0x8c/0x260 [ 126.190784][ T3898] __gfs2_lookup+0x8c/0x260 [ 126.195282][ T3898] ? gfs2_atomic_open+0x230/0x230 [ 126.200299][ T3898] ? __d_lookup+0x6a4/0x770 [ 126.204829][ T3898] ? d_hash_and_lookup+0x1c0/0x1c0 [ 126.209935][ T3898] gfs2_atomic_open+0xa4/0x230 [ 126.214727][ T3898] path_openat+0xf39/0x2df0 [ 126.219241][ T3898] ? gfs2_rename2+0x3000/0x3000 [ 126.224114][ T3898] ? do_filp_open+0x4f0/0x4f0 [ 126.228810][ T3898] do_filp_open+0x264/0x4f0 [ 126.233322][ T3898] ? vfs_tmpfile+0x490/0x490 [ 126.237907][ T3898] ? do_raw_spin_unlock+0x134/0x8a0 [ 126.243106][ T3898] ? _raw_spin_unlock+0x24/0x40 [ 126.248047][ T3898] ? alloc_fd+0x5a7/0x640 [ 126.252395][ T3898] do_sys_openat2+0x124/0x4e0 [ 126.257061][ T3898] ? print_irqtrace_events+0x220/0x220 [ 126.262507][ T3898] ? ptrace_stop+0x74d/0x970 [ 126.267097][ T3898] ? do_sys_open+0x220/0x220 [ 126.271689][ T3898] ? lockdep_hardirqs_on+0x8d/0x130 [ 126.276899][ T3898] ? _raw_spin_unlock_irq+0x2a/0x40 [ 126.282120][ T3898] ? ptrace_notify+0x245/0x340 [ 126.286893][ T3898] __x64_sys_openat+0x243/0x290 [ 126.291760][ T3898] ? __ia32_sys_open+0x270/0x270 [ 126.296698][ T3898] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 126.302688][ T3898] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 126.308679][ T3898] do_syscall_64+0x3d/0xb0 [ 126.313104][ T3898] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 126.319007][ T3898] RIP: 0033:0x7fc8868064d9 [ 126.323415][ T3898] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 126.343039][ T3898] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 126.351716][ T3898] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3898] <... openat resumed>) = ? [pid 3898] +++ exited with 0 +++ [pid 3899] <... openat resumed>) = ? [pid 3899] +++ exited with 0 +++ [pid 3897] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3897, si_uid=0, si_status=0, si_utime=1, si_stime=41} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./86", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./86", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./86/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./86/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./86/binderfs") = 0 [ 126.359696][ T3898] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 126.367670][ T3898] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 126.375639][ T3898] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 126.383625][ T3898] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 126.391624][ T3898] umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./86/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./86/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./86/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./86") = 0 mkdir("./87", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3900 ./strace-static-x86_64: Process 3900 attached [pid 3900] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3900] chdir("./87") = 0 [pid 3900] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3900] setpgid(0, 0) = 0 [pid 3900] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3900] write(3, "1000", 4) = 4 [pid 3900] close(3) = 0 [pid 3900] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3900] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3900] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3900] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3900] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3901], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3901 [pid 3900] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3900] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3901 attached [pid 3901] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3901] memfd_create("syzkaller", 0) = 3 [pid 3901] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3901] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3901] munmap(0x7fc87e392000, 16777216) = 0 [pid 3901] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3901] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3901] close(3) = 0 [pid 3901] mkdir("./file0", 0777) = 0 [ 126.714354][ T3901] loop0: detected capacity change from 0 to 32768 [ 126.724025][ T3901] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 126.732303][ T3901] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 126.742319][ T3901] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 126.751774][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 126.758641][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3901] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3901] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3901] chdir("./file0") = 0 [pid 3901] ioctl(4, LOOP_CLR_FD) = 0 [pid 3901] close(4) = 0 [pid 3901] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3901] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3900] <... futex resumed>) = 0 [pid 3900] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3900] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3901] <... futex resumed>) = 0 [pid 3901] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3901] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3900] <... futex resumed>) = 0 [pid 3901] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3900] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3901] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3900] <... futex resumed>) = 0 [pid 3901] openat(AT_FDCWD, "./file0", O_RDONLY [ 126.792555][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 126.800274][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 126.805515][ T3901] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3900] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 126.839550][ T3901] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 126.850992][ T3901] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 126.850992][ T3901] inode = 12 2341 [ 126.850992][ T3901] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 126.870047][ T3901] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 126.879508][ T3901] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3901 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3900] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3900] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3900] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3900] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3902], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3902 [pid 3900] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3902 attached [pid 3902] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3902] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3902] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 126.889841][ T3901] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 126.898546][ T3901] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 126.905940][ T3901] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 126.914870][ T3901] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 126.922174][ T3901] gfs2: fsid=syz:syz.0: File system withdrawn [ 126.928605][ T3901] CPU: 0 PID: 3901 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 126.939020][ T3901] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 126.949071][ T3901] Call Trace: [ 126.952352][ T3901] [ 126.955299][ T3901] dump_stack_lvl+0x1b1/0x28e [ 126.959985][ T3901] ? nf_tcp_handle_invalid+0x62e/0x62e [ 126.965444][ T3901] ? panic+0x710/0x710 [ 126.969530][ T3901] ? kobject_uevent_env+0x46b/0x8e0 [ 126.974736][ T3901] ? do_raw_spin_unlock+0x134/0x8a0 [ 126.979930][ T3901] gfs2_withdraw+0xf33/0x1540 [ 126.984609][ T3901] ? gfs2_lm+0x220/0x220 [pid 3902] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3900] exit_group(0 [pid 3902] <... futex resumed>) = ? [pid 3900] <... exit_group resumed>) = ? [pid 3902] +++ exited with 0 +++ [ 126.988858][ T3901] ? gfs2_dirent_scan+0xb6/0x650 [ 126.993883][ T3901] ? panic+0x710/0x710 [ 126.997962][ T3901] ? gfs2_permission+0x2ff/0x430 [ 127.002912][ T3901] ? gfs2_consist_inode_i+0xf3/0x110 [ 127.008199][ T3901] gfs2_dirent_scan+0x535/0x650 [ 127.013064][ T3901] ? gfs2_dirent_search+0xb10/0xb10 [ 127.018257][ T3901] gfs2_dirent_search+0x2ea/0xb10 [ 127.023285][ T3901] ? gfs2_dirent_search+0xb10/0xb10 [ 127.028515][ T3901] ? gfs2_dir_search+0x2a0/0x2a0 [ 127.033468][ T3901] ? gfs2_permission+0x3bf/0x430 [ 127.038405][ T3901] gfs2_dir_search+0x8c/0x2a0 [ 127.043086][ T3901] ? do_filldir_main+0x530/0x530 [ 127.048038][ T3901] ? inode_go_held+0xe4/0x1f0 [ 127.052722][ T3901] ? gfs2_glock_wait+0x213/0x2a0 [ 127.057665][ T3901] gfs2_lookupi+0x465/0x650 [ 127.062202][ T3901] ? gfs2_lookup_simple+0x170/0x170 [ 127.067401][ T3901] ? __gfs2_lookup+0x8c/0x260 [ 127.072083][ T3901] __gfs2_lookup+0x8c/0x260 [ 127.076584][ T3901] ? gfs2_atomic_open+0x230/0x230 [ 127.081608][ T3901] ? __d_lookup+0x6a4/0x770 [ 127.086103][ T3901] ? d_hash_and_lookup+0x1c0/0x1c0 [ 127.091555][ T3901] gfs2_atomic_open+0xa4/0x230 [ 127.096319][ T3901] path_openat+0xf39/0x2df0 [ 127.100831][ T3901] ? gfs2_rename2+0x3000/0x3000 [ 127.105688][ T3901] ? do_filp_open+0x4f0/0x4f0 [ 127.110372][ T3901] do_filp_open+0x264/0x4f0 [ 127.114870][ T3901] ? vfs_tmpfile+0x490/0x490 [ 127.119466][ T3901] ? do_raw_spin_unlock+0x134/0x8a0 [ 127.124663][ T3901] ? _raw_spin_unlock+0x24/0x40 [ 127.129523][ T3901] ? alloc_fd+0x5a7/0x640 [ 127.133856][ T3901] do_sys_openat2+0x124/0x4e0 [ 127.138616][ T3901] ? print_irqtrace_events+0x220/0x220 [ 127.144066][ T3901] ? ptrace_stop+0x74d/0x970 [ 127.149001][ T3901] ? do_sys_open+0x220/0x220 [ 127.153588][ T3901] ? lockdep_hardirqs_on+0x8d/0x130 [ 127.158779][ T3901] ? _raw_spin_unlock_irq+0x2a/0x40 [ 127.163973][ T3901] ? ptrace_notify+0x245/0x340 [ 127.168729][ T3901] __x64_sys_openat+0x243/0x290 [ 127.173575][ T3901] ? __ia32_sys_open+0x270/0x270 [ 127.178509][ T3901] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 127.184482][ T3901] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 127.190457][ T3901] do_syscall_64+0x3d/0xb0 [ 127.194867][ T3901] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 127.200756][ T3901] RIP: 0033:0x7fc8868064d9 [ 127.205163][ T3901] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 127.224762][ T3901] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 127.233171][ T3901] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3901] <... openat resumed>) = ? [pid 3901] +++ exited with 0 +++ [pid 3900] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3900, si_uid=0, si_status=0, si_utime=2, si_stime=31} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./87", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./87", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./87/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./87/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./87/binderfs") = 0 [ 127.241134][ T3901] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 127.249105][ T3901] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 127.257066][ T3901] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 127.265036][ T3901] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 127.273011][ T3901] umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./87/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./87/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./87/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./87") = 0 mkdir("./88", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3903 ./strace-static-x86_64: Process 3903 attached [pid 3903] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3903] chdir("./88") = 0 [pid 3903] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3903] setpgid(0, 0) = 0 [pid 3903] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3903] write(3, "1000", 4) = 4 [pid 3903] close(3) = 0 [pid 3903] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3903] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3903] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3903] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3903] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3904 attached , parent_tid=[3904], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3904 [pid 3903] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3903] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3904] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3904] memfd_create("syzkaller", 0) = 3 [pid 3904] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3904] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3904] munmap(0x7fc87e392000, 16777216) = 0 [pid 3904] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3904] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3904] close(3) = 0 [pid 3904] mkdir("./file0", 0777) = 0 [ 127.589739][ T3904] loop0: detected capacity change from 0 to 32768 [ 127.601055][ T3904] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 127.609307][ T3904] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 127.618605][ T3904] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 127.627327][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 127.634220][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3904] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3904] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3904] chdir("./file0") = 0 [pid 3904] ioctl(4, LOOP_CLR_FD) = 0 [pid 3904] close(4) = 0 [pid 3904] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3904] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3903] <... futex resumed>) = 0 [pid 3903] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3904] <... futex resumed>) = 0 [pid 3903] <... futex resumed>) = 1 [pid 3904] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3903] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3904] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3904] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3903] <... futex resumed>) = 0 [pid 3904] <... futex resumed>) = 1 [pid 3903] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [ 127.669803][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 127.677425][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 127.682806][ T3904] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3904] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3903] <... futex resumed>) = 0 [ 127.711295][ T3904] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 127.720113][ T3904] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 127.720113][ T3904] inode = 12 2341 [ 127.720113][ T3904] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 127.739237][ T3904] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 127.748577][ T3904] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3904 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3903] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3903] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3903] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3903] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3903] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3905], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3905 [pid 3903] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3905 attached [pid 3905] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3905] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3905] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 127.759085][ T3904] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 127.768388][ T3904] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 127.776244][ T3904] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 127.785436][ T3904] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 127.792099][ T3904] gfs2: fsid=syz:syz.0: File system withdrawn [ 127.798179][ T3904] CPU: 1 PID: 3904 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 127.808596][ T3904] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 127.818656][ T3904] Call Trace: [ 127.821932][ T3904] [ 127.824864][ T3904] dump_stack_lvl+0x1b1/0x28e [ 127.829544][ T3904] ? nf_tcp_handle_invalid+0x62e/0x62e [ 127.834993][ T3904] ? panic+0x710/0x710 [ 127.839064][ T3904] ? kobject_uevent_env+0x46b/0x8e0 [ 127.844253][ T3904] ? do_raw_spin_unlock+0x134/0x8a0 [ 127.849460][ T3904] gfs2_withdraw+0xf33/0x1540 [ 127.854143][ T3904] ? gfs2_lm+0x220/0x220 [ 127.858373][ T3904] ? gfs2_dirent_scan+0xb6/0x650 [ 127.863313][ T3904] ? panic+0x710/0x710 [ 127.867378][ T3904] ? gfs2_permission+0x2ff/0x430 [ 127.872314][ T3904] ? gfs2_consist_inode_i+0xf3/0x110 [ 127.877601][ T3904] gfs2_dirent_scan+0x535/0x650 [ 127.882452][ T3904] ? gfs2_dirent_search+0xb10/0xb10 [ 127.887648][ T3904] gfs2_dirent_search+0x2ea/0xb10 [ 127.892670][ T3904] ? gfs2_dirent_search+0xb10/0xb10 [ 127.897906][ T3904] ? gfs2_dir_search+0x2a0/0x2a0 [ 127.902855][ T3904] ? gfs2_permission+0x3bf/0x430 [ 127.907819][ T3904] gfs2_dir_search+0x8c/0x2a0 [ 127.912509][ T3904] ? do_filldir_main+0x530/0x530 [ 127.917442][ T3904] ? inode_go_held+0xe4/0x1f0 [ 127.922111][ T3904] ? gfs2_glock_wait+0x213/0x2a0 [ 127.927040][ T3904] gfs2_lookupi+0x465/0x650 [ 127.931545][ T3904] ? gfs2_lookup_simple+0x170/0x170 [ 127.936739][ T3904] ? __gfs2_lookup+0x8c/0x260 [ 127.941415][ T3904] __gfs2_lookup+0x8c/0x260 [ 127.945924][ T3904] ? gfs2_atomic_open+0x230/0x230 [ 127.950947][ T3904] ? __d_lookup+0x6a4/0x770 [ 127.955443][ T3904] ? d_hash_and_lookup+0x1c0/0x1c0 [ 127.960547][ T3904] gfs2_atomic_open+0xa4/0x230 [ 127.965307][ T3904] path_openat+0xf39/0x2df0 [ 127.969813][ T3904] ? gfs2_rename2+0x3000/0x3000 [ 127.974669][ T3904] ? do_filp_open+0x4f0/0x4f0 [ 127.979353][ T3904] do_filp_open+0x264/0x4f0 [ 127.983852][ T3904] ? vfs_tmpfile+0x490/0x490 [ 127.988449][ T3904] ? do_raw_spin_unlock+0x134/0x8a0 [ 127.993644][ T3904] ? _raw_spin_unlock+0x24/0x40 [ 127.998491][ T3904] ? alloc_fd+0x5a7/0x640 [ 128.002848][ T3904] do_sys_openat2+0x124/0x4e0 [ 128.007533][ T3904] ? print_irqtrace_events+0x220/0x220 [ 128.012994][ T3904] ? ptrace_stop+0x74d/0x970 [ 128.017593][ T3904] ? do_sys_open+0x220/0x220 [ 128.022182][ T3904] ? lockdep_hardirqs_on+0x8d/0x130 [ 128.027374][ T3904] ? _raw_spin_unlock_irq+0x2a/0x40 [ 128.032566][ T3904] ? ptrace_notify+0x245/0x340 [ 128.037321][ T3904] __x64_sys_openat+0x243/0x290 [ 128.042167][ T3904] ? __ia32_sys_open+0x270/0x270 [ 128.047098][ T3904] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 128.053072][ T3904] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 128.059044][ T3904] do_syscall_64+0x3d/0xb0 [ 128.063454][ T3904] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 128.069337][ T3904] RIP: 0033:0x7fc8868064d9 [ 128.073745][ T3904] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 128.093343][ T3904] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 128.101754][ T3904] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3905] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3904] <... openat resumed>) = -1 EIO (Input/output error) [pid 3904] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3903] exit_group(0 [pid 3904] <... futex resumed>) = ? [pid 3903] <... exit_group resumed>) = ? [pid 3905] <... futex resumed>) = ? [pid 3904] +++ exited with 0 +++ [pid 3905] +++ exited with 0 +++ [pid 3903] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3903, si_uid=0, si_status=0, si_utime=2, si_stime=28} --- umount2("./88", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./88", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./88/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./88/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./88/binderfs") = 0 [ 128.109727][ T3904] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 128.117692][ T3904] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 128.125696][ T3904] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 128.133832][ T3904] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 128.141811][ T3904] umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./88/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./88/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./88/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./88") = 0 mkdir("./89", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3906 ./strace-static-x86_64: Process 3906 attached [pid 3906] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3906] chdir("./89") = 0 [pid 3906] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3906] setpgid(0, 0) = 0 [pid 3906] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3906] write(3, "1000", 4) = 4 [pid 3906] close(3) = 0 [pid 3906] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3906] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3906] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3906] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3906] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3907], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3907 [pid 3906] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3906] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3907 attached [pid 3907] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3907] memfd_create("syzkaller", 0) = 3 [pid 3907] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3907] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3907] munmap(0x7fc87e392000, 16777216) = 0 [pid 3907] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3907] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3907] close(3) = 0 [pid 3907] mkdir("./file0", 0777) = 0 [ 128.440805][ T3907] loop0: detected capacity change from 0 to 32768 [ 128.450891][ T3907] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 128.459090][ T3907] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 128.468322][ T3907] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 128.477086][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 128.484299][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3907] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3907] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3907] chdir("./file0") = 0 [pid 3907] ioctl(4, LOOP_CLR_FD) = 0 [pid 3907] close(4) = 0 [pid 3907] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3907] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3906] <... futex resumed>) = 0 [pid 3906] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3906] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3907] <... futex resumed>) = 0 [pid 3907] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3907] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3906] <... futex resumed>) = 0 [pid 3907] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3906] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3907] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3906] <... futex resumed>) = 0 [pid 3907] openat(AT_FDCWD, "./file0", O_RDONLY [ 128.520033][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 128.528813][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 128.534282][ T3907] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 128.569556][ T3907] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 128.578360][ T3907] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 128.578360][ T3907] inode = 12 2341 [ 128.578360][ T3907] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 128.597337][ T3907] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 128.606633][ T3907] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3907 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3906] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3906] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3906] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3906] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3906] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3908], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3908 [pid 3906] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3908 attached [pid 3908] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3908] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3908] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 128.616716][ T3907] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 128.625199][ T3907] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 128.633160][ T3907] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 128.642268][ T3907] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 128.649854][ T3907] gfs2: fsid=syz:syz.0: File system withdrawn [ 128.656123][ T3907] CPU: 0 PID: 3907 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 128.666565][ T3907] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 128.676619][ T3907] Call Trace: [ 128.679898][ T3907] [ 128.682820][ T3907] dump_stack_lvl+0x1b1/0x28e [ 128.687488][ T3907] ? nf_tcp_handle_invalid+0x62e/0x62e [ 128.692929][ T3907] ? panic+0x710/0x710 [ 128.697247][ T3907] ? kobject_uevent_env+0x46b/0x8e0 [ 128.702440][ T3907] ? do_raw_spin_unlock+0x134/0x8a0 [ 128.708758][ T3907] gfs2_withdraw+0xf33/0x1540 [ 128.713432][ T3907] ? gfs2_lm+0x220/0x220 [ 128.717656][ T3907] ? gfs2_dirent_scan+0xb6/0x650 [ 128.722583][ T3907] ? panic+0x710/0x710 [ 128.726635][ T3907] ? gfs2_permission+0x2ff/0x430 [ 128.731734][ T3907] ? gfs2_consist_inode_i+0xf3/0x110 [ 128.737177][ T3907] gfs2_dirent_scan+0x535/0x650 [ 128.742017][ T3907] ? gfs2_dirent_search+0xb10/0xb10 [ 128.747206][ T3907] gfs2_dirent_search+0x2ea/0xb10 [ 128.752219][ T3907] ? gfs2_dirent_search+0xb10/0xb10 [ 128.757408][ T3907] ? gfs2_dir_search+0x2a0/0x2a0 [ 128.762330][ T3907] ? gfs2_permission+0x3bf/0x430 [ 128.767256][ T3907] gfs2_dir_search+0x8c/0x2a0 [ 128.771923][ T3907] ? do_filldir_main+0x530/0x530 [ 128.776847][ T3907] ? inode_go_held+0xe4/0x1f0 [ 128.781516][ T3907] ? gfs2_glock_wait+0x213/0x2a0 [ 128.786448][ T3907] gfs2_lookupi+0x465/0x650 [ 128.790942][ T3907] ? gfs2_lookup_simple+0x170/0x170 [ 128.796131][ T3907] ? __gfs2_lookup+0x8c/0x260 [ 128.800803][ T3907] __gfs2_lookup+0x8c/0x260 [ 128.805328][ T3907] ? gfs2_atomic_open+0x230/0x230 [ 128.810342][ T3907] ? __d_lookup+0x6a4/0x770 [ 128.814830][ T3907] ? d_hash_and_lookup+0x1c0/0x1c0 [ 128.819928][ T3907] gfs2_atomic_open+0xa4/0x230 [ 128.824696][ T3907] path_openat+0xf39/0x2df0 [ 128.829194][ T3907] ? gfs2_rename2+0x3000/0x3000 [ 128.834039][ T3907] ? do_filp_open+0x4f0/0x4f0 [ 128.838711][ T3907] do_filp_open+0x264/0x4f0 [ 128.843203][ T3907] ? vfs_tmpfile+0x490/0x490 [ 128.847784][ T3907] ? do_raw_spin_unlock+0x134/0x8a0 [ 128.852972][ T3907] ? _raw_spin_unlock+0x24/0x40 [ 128.857849][ T3907] ? alloc_fd+0x5a7/0x640 [ 128.862192][ T3907] do_sys_openat2+0x124/0x4e0 [ 128.866875][ T3907] ? print_irqtrace_events+0x220/0x220 [ 128.872321][ T3907] ? ptrace_stop+0x74d/0x970 [ 128.876902][ T3907] ? do_sys_open+0x220/0x220 [ 128.881481][ T3907] ? lockdep_hardirqs_on+0x8d/0x130 [ 128.886665][ T3907] ? _raw_spin_unlock_irq+0x2a/0x40 [ 128.892030][ T3907] ? ptrace_notify+0x245/0x340 [ 128.896781][ T3907] __x64_sys_openat+0x243/0x290 [ 128.901628][ T3907] ? __ia32_sys_open+0x270/0x270 [ 128.906565][ T3907] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 128.912603][ T3907] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 128.918588][ T3907] do_syscall_64+0x3d/0xb0 [ 128.922996][ T3907] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 128.928879][ T3907] RIP: 0033:0x7fc8868064d9 [ 128.933278][ T3907] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 128.952869][ T3907] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 128.961280][ T3907] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3908] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3907] <... openat resumed>) = -1 EIO (Input/output error) [pid 3907] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3906] exit_group(0 [pid 3908] <... futex resumed>) = ? [pid 3906] <... exit_group resumed>) = ? [pid 3908] +++ exited with 0 +++ [pid 3907] <... futex resumed>) = ? [pid 3907] +++ exited with 0 +++ [pid 3906] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3906, si_uid=0, si_status=0, si_utime=0, si_stime=28} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./89", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./89", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./89/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./89/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./89/binderfs") = 0 [ 128.969252][ T3907] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 128.977238][ T3907] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 128.985204][ T3907] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 128.993160][ T3907] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 129.001160][ T3907] umount2("./89/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./89/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./89/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./89/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./89/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./89/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./89") = 0 mkdir("./90", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3909 ./strace-static-x86_64: Process 3909 attached [pid 3909] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3909] chdir("./90") = 0 [pid 3909] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3909] setpgid(0, 0) = 0 [pid 3909] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3909] write(3, "1000", 4) = 4 [pid 3909] close(3) = 0 [pid 3909] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3909] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3909] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3909] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3909] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3910 attached , parent_tid=[3910], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3910 [pid 3910] set_robust_list(0x7fc8867b29e0, 24 [pid 3909] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3910] <... set_robust_list resumed>) = 0 [pid 3909] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3910] memfd_create("syzkaller", 0) = 3 [pid 3910] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3910] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3910] munmap(0x7fc87e392000, 16777216) = 0 [pid 3910] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3910] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3910] close(3) = 0 [pid 3910] mkdir("./file0", 0777) = 0 [ 129.320304][ T3910] loop0: detected capacity change from 0 to 32768 [ 129.331215][ T3910] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 129.339386][ T3910] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 129.349335][ T3910] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 129.359905][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 129.366837][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3910] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3910] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3910] chdir("./file0") = 0 [pid 3910] ioctl(4, LOOP_CLR_FD) = 0 [pid 3910] close(4) = 0 [pid 3910] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3909] <... futex resumed>) = 0 [pid 3909] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3909] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3910] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3910] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3909] <... futex resumed>) = 0 [pid 3909] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3909] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3910] <... futex resumed>) = 1 [ 129.403945][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 129.412853][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 129.418160][ T3910] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 129.442386][ T3910] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3910] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3909] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 129.451928][ T3910] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 129.451928][ T3910] inode = 12 2341 [ 129.451928][ T3910] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 129.471069][ T3910] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 129.480175][ T3910] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3910 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 129.490253][ T3910] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3909] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3909] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [ 129.498751][ T3910] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 129.506075][ T3910] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 129.514966][ T3910] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 129.521626][ T3910] gfs2: fsid=syz:syz.0: File system withdrawn [ 129.527898][ T3910] CPU: 0 PID: 3910 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 129.538326][ T3910] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 129.548375][ T3910] Call Trace: [ 129.551657][ T3910] [pid 3909] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3909] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3911], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3911 [pid 3909] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3911 attached [pid 3911] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3911] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3911] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 129.554578][ T3910] dump_stack_lvl+0x1b1/0x28e [ 129.559251][ T3910] ? nf_tcp_handle_invalid+0x62e/0x62e [ 129.564707][ T3910] ? panic+0x710/0x710 [ 129.569552][ T3910] ? kobject_uevent_env+0x46b/0x8e0 [ 129.574764][ T3910] ? do_raw_spin_unlock+0x134/0x8a0 [ 129.579995][ T3910] gfs2_withdraw+0xf33/0x1540 [ 129.584684][ T3910] ? gfs2_lm+0x220/0x220 [ 129.588924][ T3910] ? gfs2_dirent_scan+0xb6/0x650 [ 129.593950][ T3910] ? panic+0x710/0x710 [ 129.598105][ T3910] ? gfs2_permission+0x2ff/0x430 [ 129.603502][ T3910] ? gfs2_consist_inode_i+0xf3/0x110 [ 129.608821][ T3910] gfs2_dirent_scan+0x535/0x650 [ 129.613702][ T3910] ? gfs2_dirent_search+0xb10/0xb10 [ 129.618932][ T3910] gfs2_dirent_search+0x2ea/0xb10 [ 129.624003][ T3910] ? gfs2_dirent_search+0xb10/0xb10 [ 129.629245][ T3910] ? gfs2_dir_search+0x2a0/0x2a0 [ 129.634206][ T3910] ? gfs2_permission+0x3bf/0x430 [ 129.639158][ T3910] gfs2_dir_search+0x8c/0x2a0 [ 129.643840][ T3910] ? do_filldir_main+0x530/0x530 [ 129.648776][ T3910] ? inode_go_held+0xe4/0x1f0 [ 129.653453][ T3910] ? gfs2_glock_wait+0x213/0x2a0 [ 129.658386][ T3910] gfs2_lookupi+0x465/0x650 [ 129.662890][ T3910] ? gfs2_lookup_simple+0x170/0x170 [ 129.668082][ T3910] ? __gfs2_lookup+0x8c/0x260 [ 129.672758][ T3910] __gfs2_lookup+0x8c/0x260 [ 129.677258][ T3910] ? gfs2_atomic_open+0x230/0x230 [ 129.682283][ T3910] ? __d_lookup+0x6a4/0x770 [ 129.686777][ T3910] ? d_hash_and_lookup+0x1c0/0x1c0 [ 129.691882][ T3910] gfs2_atomic_open+0xa4/0x230 [ 129.696648][ T3910] path_openat+0xf39/0x2df0 [ 129.701151][ T3910] ? gfs2_rename2+0x3000/0x3000 [ 129.706007][ T3910] ? do_filp_open+0x4f0/0x4f0 [ 129.710691][ T3910] do_filp_open+0x264/0x4f0 [ 129.715191][ T3910] ? vfs_tmpfile+0x490/0x490 [ 129.719779][ T3910] ? do_raw_spin_unlock+0x134/0x8a0 [ 129.724975][ T3910] ? _raw_spin_unlock+0x24/0x40 [ 129.729821][ T3910] ? alloc_fd+0x5a7/0x640 [ 129.734151][ T3910] do_sys_openat2+0x124/0x4e0 [ 129.738822][ T3910] ? print_irqtrace_events+0x220/0x220 [ 129.744268][ T3910] ? ptrace_stop+0x74d/0x970 [ 129.748852][ T3910] ? do_sys_open+0x220/0x220 [ 129.753524][ T3910] ? lockdep_hardirqs_on+0x8d/0x130 [ 129.758722][ T3910] ? _raw_spin_unlock_irq+0x2a/0x40 [ 129.763916][ T3910] ? ptrace_notify+0x245/0x340 [ 129.768671][ T3910] __x64_sys_openat+0x243/0x290 [ 129.773517][ T3910] ? __ia32_sys_open+0x270/0x270 [ 129.778449][ T3910] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 129.784434][ T3910] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 129.790412][ T3910] do_syscall_64+0x3d/0xb0 [ 129.794822][ T3910] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 129.800737][ T3910] RIP: 0033:0x7fc8868064d9 [ 129.805149][ T3910] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 129.824768][ T3910] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 129.833183][ T3910] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 129.841163][ T3910] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3911] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3910] <... openat resumed>) = -1 EIO (Input/output error) [pid 3910] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3910] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3909] exit_group(0 [pid 3910] <... futex resumed>) = ? [pid 3910] +++ exited with 0 +++ [pid 3909] <... exit_group resumed>) = ? [pid 3911] <... futex resumed>) = ? [pid 3911] +++ exited with 0 +++ [pid 3909] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3909, si_uid=0, si_status=0, si_utime=1, si_stime=29} --- umount2("./90", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./90", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./90/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./90/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./90/binderfs") = 0 [ 129.849125][ T3910] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 129.857085][ T3910] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 129.865045][ T3910] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 129.873020][ T3910] umount2("./90/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./90/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./90/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./90/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./90/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./90/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./90") = 0 mkdir("./91", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3912 ./strace-static-x86_64: Process 3912 attached [pid 3912] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3912] chdir("./91") = 0 [pid 3912] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3912] setpgid(0, 0) = 0 [pid 3912] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3912] write(3, "1000", 4) = 4 [pid 3912] close(3) = 0 [pid 3912] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3912] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3912] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3912] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3912] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3913 attached [pid 3913] set_robust_list(0x7fc8867b29e0, 24 [pid 3912] <... clone resumed>, parent_tid=[3913], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3913 [pid 3913] <... set_robust_list resumed>) = 0 [pid 3912] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3912] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3913] memfd_create("syzkaller", 0) = 3 [pid 3913] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3913] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3913] munmap(0x7fc87e392000, 16777216) = 0 [pid 3913] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3913] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3913] close(3) = 0 [pid 3913] mkdir("./file0", 0777) = 0 [ 130.166197][ T3913] loop0: detected capacity change from 0 to 32768 [ 130.176045][ T3913] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 130.184565][ T3913] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 130.194573][ T3913] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 130.203418][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 130.210591][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3913] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3913] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3913] chdir("./file0") = 0 [pid 3913] ioctl(4, LOOP_CLR_FD) = 0 [pid 3913] close(4) = 0 [pid 3913] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3912] <... futex resumed>) = 0 [pid 3912] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3912] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3913] <... futex resumed>) = 1 [pid 3913] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3913] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3912] <... futex resumed>) = 0 [pid 3912] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3912] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3913] <... futex resumed>) = 1 [ 130.242761][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 130.250430][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 130.255684][ T3913] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 130.271342][ T3913] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 130.280390][ T3913] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 130.280390][ T3913] inode = 12 2341 [pid 3913] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3912] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3912] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3912] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3912] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3912] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3914], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3914 [pid 3912] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3914 attached [pid 3914] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3914] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3914] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 130.280390][ T3913] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 130.300361][ T3913] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 130.309684][ T3913] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3913 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 130.320157][ T3913] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 130.328649][ T3913] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 130.336281][ T3913] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 130.345638][ T3913] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 130.352412][ T3913] gfs2: fsid=syz:syz.0: File system withdrawn [ 130.358511][ T3913] CPU: 0 PID: 3913 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 130.368926][ T3913] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 130.378969][ T3913] Call Trace: [ 130.382249][ T3913] [ 130.385189][ T3913] dump_stack_lvl+0x1b1/0x28e [ 130.389962][ T3913] ? nf_tcp_handle_invalid+0x62e/0x62e [ 130.395411][ T3913] ? panic+0x710/0x710 [ 130.399561][ T3913] ? kobject_uevent_env+0x46b/0x8e0 [ 130.404762][ T3913] ? do_raw_spin_unlock+0x134/0x8a0 [ 130.409976][ T3913] gfs2_withdraw+0xf33/0x1540 [ 130.414672][ T3913] ? gfs2_lm+0x220/0x220 [ 130.418928][ T3913] ? gfs2_dirent_scan+0xb6/0x650 [ 130.423859][ T3913] ? panic+0x710/0x710 [ 130.427915][ T3913] ? gfs2_permission+0x2ff/0x430 [ 130.432856][ T3913] ? gfs2_consist_inode_i+0xf3/0x110 [ 130.438155][ T3913] gfs2_dirent_scan+0x535/0x650 [pid 3914] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3912] exit_group(0 [pid 3914] <... futex resumed>) = ? [pid 3912] <... exit_group resumed>) = ? [pid 3914] +++ exited with 0 +++ [ 130.443003][ T3913] ? gfs2_dirent_search+0xb10/0xb10 [ 130.448205][ T3913] gfs2_dirent_search+0x2ea/0xb10 [ 130.453247][ T3913] ? gfs2_dirent_search+0xb10/0xb10 [ 130.458451][ T3913] ? gfs2_dir_search+0x2a0/0x2a0 [ 130.463399][ T3913] ? gfs2_permission+0x3bf/0x430 [ 130.468333][ T3913] gfs2_dir_search+0x8c/0x2a0 [ 130.473019][ T3913] ? do_filldir_main+0x530/0x530 [ 130.477969][ T3913] ? inode_go_held+0xe4/0x1f0 [ 130.482640][ T3913] ? gfs2_glock_wait+0x213/0x2a0 [ 130.487659][ T3913] gfs2_lookupi+0x465/0x650 [ 130.492167][ T3913] ? gfs2_lookup_simple+0x170/0x170 [ 130.497357][ T3913] ? __gfs2_lookup+0x8c/0x260 [ 130.502052][ T3913] __gfs2_lookup+0x8c/0x260 [ 130.506569][ T3913] ? gfs2_atomic_open+0x230/0x230 [ 130.511640][ T3913] ? __d_lookup+0x6a4/0x770 [ 130.516154][ T3913] ? d_hash_and_lookup+0x1c0/0x1c0 [ 130.521264][ T3913] gfs2_atomic_open+0xa4/0x230 [ 130.526072][ T3913] path_openat+0xf39/0x2df0 [ 130.530567][ T3913] ? gfs2_rename2+0x3000/0x3000 [ 130.535417][ T3913] ? do_filp_open+0x4f0/0x4f0 [ 130.540107][ T3913] do_filp_open+0x264/0x4f0 [ 130.544614][ T3913] ? vfs_tmpfile+0x490/0x490 [ 130.549213][ T3913] ? do_raw_spin_unlock+0x134/0x8a0 [ 130.554416][ T3913] ? _raw_spin_unlock+0x24/0x40 [ 130.559265][ T3913] ? alloc_fd+0x5a7/0x640 [ 130.563586][ T3913] do_sys_openat2+0x124/0x4e0 [ 130.568280][ T3913] ? print_irqtrace_events+0x220/0x220 [ 130.573727][ T3913] ? ptrace_stop+0x74d/0x970 [ 130.578304][ T3913] ? do_sys_open+0x220/0x220 [ 130.582884][ T3913] ? lockdep_hardirqs_on+0x8d/0x130 [ 130.588087][ T3913] ? _raw_spin_unlock_irq+0x2a/0x40 [ 130.593317][ T3913] ? ptrace_notify+0x245/0x340 [ 130.598084][ T3913] __x64_sys_openat+0x243/0x290 [ 130.602946][ T3913] ? __ia32_sys_open+0x270/0x270 [ 130.607888][ T3913] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 130.613877][ T3913] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 130.619845][ T3913] do_syscall_64+0x3d/0xb0 [ 130.624278][ T3913] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 130.630176][ T3913] RIP: 0033:0x7fc8868064d9 [ 130.634575][ T3913] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 130.654184][ T3913] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 130.662608][ T3913] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 130.670758][ T3913] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 130.678734][ T3913] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 130.686703][ T3913] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3913] <... openat resumed>) = ? [pid 3913] +++ exited with 0 +++ [pid 3912] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3912, si_uid=0, si_status=0, si_utime=0, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./91", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./91", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./91/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./91/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./91/binderfs") = 0 [ 130.694683][ T3913] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 130.702681][ T3913] umount2("./91/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./91/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./91/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./91/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./91/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./91/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./91") = 0 mkdir("./92", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3915 ./strace-static-x86_64: Process 3915 attached [pid 3915] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3915] chdir("./92") = 0 [pid 3915] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3915] setpgid(0, 0) = 0 [pid 3915] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3915] write(3, "1000", 4) = 4 [pid 3915] close(3) = 0 [pid 3915] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3915] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3915] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3915] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3915] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3916 attached , parent_tid=[3916], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3916 [pid 3915] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3915] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3916] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3916] memfd_create("syzkaller", 0) = 3 [pid 3916] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3916] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3916] munmap(0x7fc87e392000, 16777216) = 0 [pid 3916] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3916] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3916] close(3) = 0 [pid 3916] mkdir("./file0", 0777) = 0 [ 130.990028][ T3916] loop0: detected capacity change from 0 to 32768 [ 131.000620][ T3916] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 131.009109][ T3916] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 131.019819][ T3916] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 131.028840][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 131.035954][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3916] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3916] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3916] chdir("./file0") = 0 [pid 3916] ioctl(4, LOOP_CLR_FD) = 0 [pid 3916] close(4) = 0 [pid 3916] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3916] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3915] <... futex resumed>) = 0 [pid 3915] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3915] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3916] <... futex resumed>) = 0 [pid 3916] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3916] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3915] <... futex resumed>) = 0 [pid 3916] <... futex resumed>) = 1 [pid 3915] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3916] openat(AT_FDCWD, "./file0", O_RDONLY [ 131.077617][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 131.086355][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 131.091739][ T3916] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3915] <... futex resumed>) = 0 [ 131.118994][ T3916] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 131.127651][ T3916] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 131.127651][ T3916] inode = 12 2341 [ 131.127651][ T3916] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 131.146651][ T3916] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 131.155836][ T3916] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3916 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3915] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3915] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3915] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3915] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3915] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3917], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3917 [pid 3915] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3917 attached [pid 3917] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3917] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3917] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 131.165939][ T3916] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 131.174541][ T3916] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 131.181788][ T3916] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 131.191302][ T3916] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 131.198080][ T3916] gfs2: fsid=syz:syz.0: File system withdrawn [ 131.204471][ T3916] CPU: 1 PID: 3916 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 131.214910][ T3916] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 131.224986][ T3916] Call Trace: [ 131.228279][ T3916] [ 131.231220][ T3916] dump_stack_lvl+0x1b1/0x28e [ 131.235895][ T3916] ? nf_tcp_handle_invalid+0x62e/0x62e [ 131.241350][ T3916] ? panic+0x710/0x710 [ 131.245429][ T3916] ? kobject_uevent_env+0x46b/0x8e0 [ 131.250649][ T3916] ? do_raw_spin_unlock+0x134/0x8a0 [ 131.255861][ T3916] gfs2_withdraw+0xf33/0x1540 [ 131.260541][ T3916] ? gfs2_lm+0x220/0x220 [ 131.264771][ T3916] ? gfs2_dirent_scan+0xb6/0x650 [ 131.269726][ T3916] ? panic+0x710/0x710 [ 131.273809][ T3916] ? gfs2_permission+0x2ff/0x430 [ 131.278761][ T3916] ? gfs2_consist_inode_i+0xf3/0x110 [ 131.284038][ T3916] gfs2_dirent_scan+0x535/0x650 [ 131.288896][ T3916] ? gfs2_dirent_search+0xb10/0xb10 [ 131.294092][ T3916] gfs2_dirent_search+0x2ea/0xb10 [ 131.299137][ T3916] ? gfs2_dirent_search+0xb10/0xb10 [ 131.304354][ T3916] ? gfs2_dir_search+0x2a0/0x2a0 [ 131.309372][ T3916] ? gfs2_permission+0x3bf/0x430 [ 131.314317][ T3916] gfs2_dir_search+0x8c/0x2a0 [ 131.318996][ T3916] ? do_filldir_main+0x530/0x530 [ 131.323930][ T3916] ? inode_go_held+0xe4/0x1f0 [ 131.328606][ T3916] ? gfs2_glock_wait+0x213/0x2a0 [ 131.333560][ T3916] gfs2_lookupi+0x465/0x650 [ 131.338067][ T3916] ? gfs2_lookup_simple+0x170/0x170 [ 131.343283][ T3916] ? __gfs2_lookup+0x8c/0x260 [ 131.347970][ T3916] __gfs2_lookup+0x8c/0x260 [ 131.352476][ T3916] ? gfs2_atomic_open+0x230/0x230 [ 131.357519][ T3916] ? __d_lookup+0x6a4/0x770 [ 131.362014][ T3916] ? d_hash_and_lookup+0x1c0/0x1c0 [ 131.367379][ T3916] gfs2_atomic_open+0xa4/0x230 [ 131.372144][ T3916] path_openat+0xf39/0x2df0 [ 131.376646][ T3916] ? gfs2_rename2+0x3000/0x3000 [ 131.381521][ T3916] ? do_filp_open+0x4f0/0x4f0 [ 131.386206][ T3916] do_filp_open+0x264/0x4f0 [ 131.390702][ T3916] ? vfs_tmpfile+0x490/0x490 [ 131.395296][ T3916] ? do_raw_spin_unlock+0x134/0x8a0 [ 131.400493][ T3916] ? _raw_spin_unlock+0x24/0x40 [ 131.405350][ T3916] ? alloc_fd+0x5a7/0x640 [ 131.409682][ T3916] do_sys_openat2+0x124/0x4e0 [ 131.414441][ T3916] ? print_irqtrace_events+0x220/0x220 [ 131.420065][ T3916] ? ptrace_stop+0x74d/0x970 [ 131.424671][ T3916] ? do_sys_open+0x220/0x220 [ 131.429259][ T3916] ? lockdep_hardirqs_on+0x8d/0x130 [ 131.434455][ T3916] ? _raw_spin_unlock_irq+0x2a/0x40 [ 131.439652][ T3916] ? ptrace_notify+0x245/0x340 [ 131.444886][ T3916] __x64_sys_openat+0x243/0x290 [ 131.449736][ T3916] ? __ia32_sys_open+0x270/0x270 [ 131.454673][ T3916] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 131.460655][ T3916] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 131.466639][ T3916] do_syscall_64+0x3d/0xb0 [ 131.471050][ T3916] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 131.476941][ T3916] RIP: 0033:0x7fc8868064d9 [ 131.481352][ T3916] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 131.500957][ T3916] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 131.509364][ T3916] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3917] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3916] <... openat resumed>) = -1 EIO (Input/output error) [pid 3916] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3916] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3915] exit_group(0 [pid 3917] <... futex resumed>) = ? [pid 3915] <... exit_group resumed>) = ? [pid 3916] <... futex resumed>) = ? [pid 3916] +++ exited with 0 +++ [pid 3917] +++ exited with 0 +++ [pid 3915] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3915, si_uid=0, si_status=0, si_utime=1, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./92", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./92", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./92/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./92/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./92/binderfs") = 0 [ 131.517331][ T3916] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 131.525294][ T3916] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 131.533255][ T3916] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 131.541221][ T3916] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 131.549221][ T3916] umount2("./92/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./92/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./92/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./92/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./92/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./92/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./92") = 0 mkdir("./93", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3918 ./strace-static-x86_64: Process 3918 attached [pid 3918] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3918] chdir("./93") = 0 [pid 3918] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3918] setpgid(0, 0) = 0 [pid 3918] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3918] write(3, "1000", 4) = 4 [pid 3918] close(3) = 0 [pid 3918] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3918] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3918] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3918] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3918] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3919], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3919 [pid 3918] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3918] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3919 attached [pid 3919] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3919] memfd_create("syzkaller", 0) = 3 [pid 3919] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3919] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3919] munmap(0x7fc87e392000, 16777216) = 0 [pid 3919] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3919] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3919] close(3) = 0 [pid 3919] mkdir("./file0", 0777) = 0 [ 131.855918][ T3919] loop0: detected capacity change from 0 to 32768 [ 131.867495][ T3919] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 131.876875][ T3919] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 131.886787][ T3919] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 131.895672][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 131.902612][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3919] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3919] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3919] chdir("./file0") = 0 [pid 3919] ioctl(4, LOOP_CLR_FD) = 0 [pid 3919] close(4) = 0 [pid 3919] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3919] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3918] <... futex resumed>) = 0 [pid 3918] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3918] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3919] <... futex resumed>) = 0 [pid 3919] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3919] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3918] <... futex resumed>) = 0 [pid 3919] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3918] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 131.938051][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 131.945615][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 131.951408][ T3919] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 131.977138][ T3919] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 131.985808][ T3919] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 131.985808][ T3919] inode = 12 2341 [ 131.985808][ T3919] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 132.005042][ T3919] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 132.015193][ T3919] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3919 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 132.025728][ T3919] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3918] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3918] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3918] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3918] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3918] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3920], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3920 [pid 3918] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3920 attached [pid 3920] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3920] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3920] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 132.034624][ T3919] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 132.042787][ T3919] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 132.052282][ T3919] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 132.058845][ T3919] gfs2: fsid=syz:syz.0: File system withdrawn [ 132.065067][ T3919] CPU: 1 PID: 3919 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 132.075502][ T3919] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 132.085576][ T3919] Call Trace: [ 132.088863][ T3919] [ 132.091800][ T3919] dump_stack_lvl+0x1b1/0x28e [ 132.096588][ T3919] ? nf_tcp_handle_invalid+0x62e/0x62e [ 132.102068][ T3919] ? panic+0x710/0x710 [ 132.106146][ T3919] ? kobject_uevent_env+0x46b/0x8e0 [ 132.111420][ T3919] ? do_raw_spin_unlock+0x134/0x8a0 [ 132.116645][ T3919] gfs2_withdraw+0xf33/0x1540 [ 132.121383][ T3919] ? gfs2_lm+0x220/0x220 [ 132.125637][ T3919] ? gfs2_dirent_scan+0xb6/0x650 [ 132.130591][ T3919] ? panic+0x710/0x710 [ 132.134666][ T3919] ? gfs2_permission+0x2ff/0x430 [pid 3920] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3918] exit_group(0 [pid 3920] <... futex resumed>) = ? [pid 3918] <... exit_group resumed>) = ? [pid 3920] +++ exited with 0 +++ [ 132.139604][ T3919] ? gfs2_consist_inode_i+0xf3/0x110 [ 132.144897][ T3919] gfs2_dirent_scan+0x535/0x650 [ 132.149766][ T3919] ? gfs2_dirent_search+0xb10/0xb10 [ 132.154974][ T3919] gfs2_dirent_search+0x2ea/0xb10 [ 132.160032][ T3919] ? gfs2_dirent_search+0xb10/0xb10 [ 132.165228][ T3919] ? gfs2_dir_search+0x2a0/0x2a0 [ 132.170167][ T3919] ? gfs2_permission+0x3bf/0x430 [ 132.175147][ T3919] gfs2_dir_search+0x8c/0x2a0 [ 132.179847][ T3919] ? do_filldir_main+0x530/0x530 [ 132.184790][ T3919] ? inode_go_held+0xe4/0x1f0 [ 132.189477][ T3919] ? gfs2_glock_wait+0x213/0x2a0 [ 132.194418][ T3919] gfs2_lookupi+0x465/0x650 [ 132.198932][ T3919] ? gfs2_lookup_simple+0x170/0x170 [ 132.204134][ T3919] ? __gfs2_lookup+0x8c/0x260 [ 132.208822][ T3919] __gfs2_lookup+0x8c/0x260 [ 132.213318][ T3919] ? gfs2_atomic_open+0x230/0x230 [ 132.218338][ T3919] ? __d_lookup+0x6a4/0x770 [ 132.222832][ T3919] ? d_hash_and_lookup+0x1c0/0x1c0 [ 132.227933][ T3919] gfs2_atomic_open+0xa4/0x230 [ 132.232693][ T3919] path_openat+0xf39/0x2df0 [ 132.237220][ T3919] ? gfs2_rename2+0x3000/0x3000 [ 132.242466][ T3919] ? do_filp_open+0x4f0/0x4f0 [ 132.247176][ T3919] do_filp_open+0x264/0x4f0 [ 132.251698][ T3919] ? vfs_tmpfile+0x490/0x490 [ 132.256294][ T3919] ? do_raw_spin_unlock+0x134/0x8a0 [ 132.261517][ T3919] ? _raw_spin_unlock+0x24/0x40 [ 132.266414][ T3919] ? alloc_fd+0x5a7/0x640 [ 132.270750][ T3919] do_sys_openat2+0x124/0x4e0 [ 132.275430][ T3919] ? print_irqtrace_events+0x220/0x220 [ 132.282642][ T3919] ? ptrace_stop+0x74d/0x970 [ 132.287243][ T3919] ? do_sys_open+0x220/0x220 [ 132.291826][ T3919] ? lockdep_hardirqs_on+0x8d/0x130 [ 132.297016][ T3919] ? _raw_spin_unlock_irq+0x2a/0x40 [ 132.302209][ T3919] ? ptrace_notify+0x245/0x340 [ 132.306961][ T3919] __x64_sys_openat+0x243/0x290 [ 132.311813][ T3919] ? __ia32_sys_open+0x270/0x270 [ 132.316758][ T3919] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 132.322732][ T3919] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 132.328713][ T3919] do_syscall_64+0x3d/0xb0 [ 132.333143][ T3919] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 132.339032][ T3919] RIP: 0033:0x7fc8868064d9 [ 132.343440][ T3919] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 132.363045][ T3919] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 132.371450][ T3919] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 132.379419][ T3919] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3919] <... openat resumed>) = ? [pid 3919] +++ exited with 0 +++ [pid 3918] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3918, si_uid=0, si_status=0, si_utime=2, si_stime=31} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./93", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./93", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./93/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./93/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./93/binderfs") = 0 [ 132.387382][ T3919] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 132.395356][ T3919] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 132.403340][ T3919] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 132.411347][ T3919] umount2("./93/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./93/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./93/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./93/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./93/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./93/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./93") = 0 mkdir("./94", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3921 ./strace-static-x86_64: Process 3921 attached [pid 3921] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3921] chdir("./94") = 0 [pid 3921] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3921] setpgid(0, 0) = 0 [pid 3921] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3921] write(3, "1000", 4) = 4 [pid 3921] close(3) = 0 [pid 3921] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3921] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3921] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3921] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3921] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3922], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3922 [pid 3921] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3921] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3922 attached [pid 3922] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3922] memfd_create("syzkaller", 0) = 3 [pid 3922] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3922] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3922] munmap(0x7fc87e392000, 16777216) = 0 [pid 3922] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3922] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3922] close(3) = 0 [pid 3922] mkdir("./file0", 0777) = 0 [ 132.786645][ T3922] loop0: detected capacity change from 0 to 32768 [ 132.800359][ T3922] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 132.808632][ T3922] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 132.819443][ T3922] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 132.828788][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 132.835921][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3922] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3922] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3922] chdir("./file0") = 0 [pid 3922] ioctl(4, LOOP_CLR_FD) = 0 [pid 3922] close(4) = 0 [pid 3922] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3921] <... futex resumed>) = 0 [pid 3922] <... futex resumed>) = 1 [pid 3921] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3921] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3922] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3922] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3921] <... futex resumed>) = 0 [pid 3921] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3921] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 132.891385][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 55ms [ 132.899331][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 132.904626][ T3922] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 132.934154][ T3922] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 132.942684][ T3922] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 132.942684][ T3922] inode = 12 2341 [ 132.942684][ T3922] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 132.961732][ T3922] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 132.971279][ T3922] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3922 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3922] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3921] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3921] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3921] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3921] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3921] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3923], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3923 [pid 3921] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3923 attached [pid 3923] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3923] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3923] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 132.981612][ T3922] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 132.990170][ T3922] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 132.998771][ T3922] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 133.008362][ T3922] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 133.015157][ T3922] gfs2: fsid=syz:syz.0: File system withdrawn [ 133.021356][ T3922] CPU: 1 PID: 3922 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 133.031789][ T3922] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 133.041856][ T3922] Call Trace: [ 133.045145][ T3922] [ 133.048083][ T3922] dump_stack_lvl+0x1b1/0x28e [ 133.052783][ T3922] ? nf_tcp_handle_invalid+0x62e/0x62e [ 133.058256][ T3922] ? panic+0x710/0x710 [ 133.062336][ T3922] ? kobject_uevent_env+0x46b/0x8e0 [ 133.067546][ T3922] ? do_raw_spin_unlock+0x134/0x8a0 [ 133.072766][ T3922] gfs2_withdraw+0xf33/0x1540 [ 133.077475][ T3922] ? gfs2_lm+0x220/0x220 [ 133.081727][ T3922] ? gfs2_dirent_scan+0xb6/0x650 [ 133.086682][ T3922] ? panic+0x710/0x710 [ 133.090761][ T3922] ? gfs2_permission+0x2ff/0x430 [ 133.095716][ T3922] ? gfs2_consist_inode_i+0xf3/0x110 [ 133.101027][ T3922] gfs2_dirent_scan+0x535/0x650 [ 133.105898][ T3922] ? gfs2_dirent_search+0xb10/0xb10 [ 133.111126][ T3922] gfs2_dirent_search+0x2ea/0xb10 [ 133.116849][ T3922] ? gfs2_dirent_search+0xb10/0xb10 [ 133.122046][ T3922] ? gfs2_dir_search+0x2a0/0x2a0 [ 133.126981][ T3922] ? gfs2_permission+0x3bf/0x430 [ 133.131919][ T3922] gfs2_dir_search+0x8c/0x2a0 [ 133.136597][ T3922] ? do_filldir_main+0x530/0x530 [ 133.141530][ T3922] ? inode_go_held+0xe4/0x1f0 [ 133.146214][ T3922] ? gfs2_glock_wait+0x213/0x2a0 [ 133.151234][ T3922] gfs2_lookupi+0x465/0x650 [ 133.155740][ T3922] ? gfs2_lookup_simple+0x170/0x170 [ 133.160934][ T3922] ? __gfs2_lookup+0x8c/0x260 [ 133.165616][ T3922] __gfs2_lookup+0x8c/0x260 [ 133.170125][ T3922] ? gfs2_atomic_open+0x230/0x230 [ 133.175151][ T3922] ? __d_lookup+0x6a4/0x770 [ 133.179648][ T3922] ? d_hash_and_lookup+0x1c0/0x1c0 [ 133.186143][ T3922] gfs2_atomic_open+0xa4/0x230 [ 133.190905][ T3922] path_openat+0xf39/0x2df0 [ 133.195408][ T3922] ? gfs2_rename2+0x3000/0x3000 [ 133.200283][ T3922] ? do_filp_open+0x4f0/0x4f0 [ 133.204971][ T3922] do_filp_open+0x264/0x4f0 [ 133.209468][ T3922] ? vfs_tmpfile+0x490/0x490 [ 133.214059][ T3922] ? do_raw_spin_unlock+0x134/0x8a0 [ 133.219256][ T3922] ? _raw_spin_unlock+0x24/0x40 [ 133.224106][ T3922] ? alloc_fd+0x5a7/0x640 [ 133.228437][ T3922] do_sys_openat2+0x124/0x4e0 [ 133.233110][ T3922] ? print_irqtrace_events+0x220/0x220 [ 133.238557][ T3922] ? ptrace_stop+0x74d/0x970 [ 133.243143][ T3922] ? do_sys_open+0x220/0x220 [ 133.247730][ T3922] ? lockdep_hardirqs_on+0x8d/0x130 [ 133.252958][ T3922] ? _raw_spin_unlock_irq+0x2a/0x40 [ 133.258151][ T3922] ? ptrace_notify+0x245/0x340 [ 133.262908][ T3922] __x64_sys_openat+0x243/0x290 [ 133.267848][ T3922] ? __ia32_sys_open+0x270/0x270 [ 133.273477][ T3922] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 133.279453][ T3922] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 133.285430][ T3922] do_syscall_64+0x3d/0xb0 [ 133.289839][ T3922] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 133.295722][ T3922] RIP: 0033:0x7fc8868064d9 [ 133.300128][ T3922] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 133.319727][ T3922] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 133.328138][ T3922] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3923] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3922] <... openat resumed>) = -1 EIO (Input/output error) [pid 3922] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3922] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3921] exit_group(0 [pid 3923] <... futex resumed>) = ? [pid 3922] <... futex resumed>) = ? [pid 3921] <... exit_group resumed>) = ? [pid 3923] +++ exited with 0 +++ [pid 3922] +++ exited with 0 +++ [pid 3921] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3921, si_uid=0, si_status=0, si_utime=1, si_stime=34} --- umount2("./94", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./94", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./94/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./94/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./94/binderfs") = 0 [ 133.336101][ T3922] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 133.344061][ T3922] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 133.352023][ T3922] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 133.359985][ T3922] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 133.367959][ T3922] umount2("./94/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./94/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./94/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./94/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./94/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./94/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./94") = 0 mkdir("./95", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3924 ./strace-static-x86_64: Process 3924 attached [pid 3924] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3924] chdir("./95") = 0 [pid 3924] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3924] setpgid(0, 0) = 0 [pid 3924] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3924] write(3, "1000", 4) = 4 [pid 3924] close(3) = 0 [pid 3924] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3924] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3924] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3924] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3924] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3925], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3925 ./strace-static-x86_64: Process 3925 attached [pid 3924] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3924] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3925] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3925] memfd_create("syzkaller", 0) = 3 [pid 3925] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3925] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3925] munmap(0x7fc87e392000, 16777216) = 0 [pid 3925] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3925] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3925] close(3) = 0 [pid 3925] mkdir("./file0", 0777) = 0 [ 133.744864][ T3925] loop0: detected capacity change from 0 to 32768 [ 133.754923][ T3925] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 133.763175][ T3925] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 133.773186][ T3925] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 133.781805][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 133.788608][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3925] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3925] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3925] chdir("./file0") = 0 [pid 3925] ioctl(4, LOOP_CLR_FD) = 0 [pid 3925] close(4) = 0 [pid 3925] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3925] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3924] <... futex resumed>) = 0 [pid 3924] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3924] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3925] <... futex resumed>) = 0 [pid 3925] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3925] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3924] <... futex resumed>) = 0 [pid 3925] openat(AT_FDCWD, "./file0", O_RDONLY [ 133.825823][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 133.833387][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 133.838653][ T3925] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3924] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 133.872299][ T3925] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 133.881353][ T3925] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 133.881353][ T3925] inode = 12 2341 [ 133.881353][ T3925] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 133.900152][ T3925] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 133.909227][ T3925] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3925 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3924] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3924] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3924] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3924] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3924] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3926], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3926 [pid 3924] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3926 attached [pid 3926] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3926] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3926] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 133.921314][ T3925] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 133.929840][ T3925] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 133.937150][ T3925] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 133.946429][ T3925] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 133.954755][ T3925] gfs2: fsid=syz:syz.0: File system withdrawn [ 133.960975][ T3925] CPU: 1 PID: 3925 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 133.971407][ T3925] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 133.981483][ T3925] Call Trace: [ 133.984768][ T3925] [ 133.987686][ T3925] dump_stack_lvl+0x1b1/0x28e [ 133.992369][ T3925] ? nf_tcp_handle_invalid+0x62e/0x62e [ 133.997846][ T3925] ? panic+0x710/0x710 [ 134.001934][ T3925] ? kobject_uevent_env+0x46b/0x8e0 [ 134.007142][ T3925] ? do_raw_spin_unlock+0x134/0x8a0 [ 134.012339][ T3925] gfs2_withdraw+0xf33/0x1540 [ 134.017018][ T3925] ? gfs2_lm+0x220/0x220 [ 134.021252][ T3925] ? gfs2_dirent_scan+0xb6/0x650 [ 134.026190][ T3925] ? panic+0x710/0x710 [ 134.030275][ T3925] ? gfs2_permission+0x2ff/0x430 [ 134.035222][ T3925] ? gfs2_consist_inode_i+0xf3/0x110 [ 134.040502][ T3925] gfs2_dirent_scan+0x535/0x650 [ 134.045362][ T3925] ? gfs2_dirent_search+0xb10/0xb10 [ 134.050576][ T3925] gfs2_dirent_search+0x2ea/0xb10 [ 134.055598][ T3925] ? gfs2_dirent_search+0xb10/0xb10 [ 134.060795][ T3925] ? gfs2_dir_search+0x2a0/0x2a0 [ 134.065723][ T3925] ? gfs2_permission+0x3bf/0x430 [ 134.070662][ T3925] gfs2_dir_search+0x8c/0x2a0 [ 134.075334][ T3925] ? do_filldir_main+0x530/0x530 [ 134.080271][ T3925] ? inode_go_held+0xe4/0x1f0 [ 134.084955][ T3925] ? gfs2_glock_wait+0x213/0x2a0 [ 134.089895][ T3925] gfs2_lookupi+0x465/0x650 [ 134.094400][ T3925] ? gfs2_lookup_simple+0x170/0x170 [ 134.099594][ T3925] ? __gfs2_lookup+0x8c/0x260 [ 134.104272][ T3925] __gfs2_lookup+0x8c/0x260 [ 134.108768][ T3925] ? gfs2_atomic_open+0x230/0x230 [ 134.113811][ T3925] ? __d_lookup+0x6a4/0x770 [ 134.118316][ T3925] ? d_hash_and_lookup+0x1c0/0x1c0 [ 134.123419][ T3925] gfs2_atomic_open+0xa4/0x230 [ 134.128184][ T3925] path_openat+0xf39/0x2df0 [ 134.132685][ T3925] ? gfs2_rename2+0x3000/0x3000 [ 134.137543][ T3925] ? do_filp_open+0x4f0/0x4f0 [ 134.142224][ T3925] do_filp_open+0x264/0x4f0 [ 134.146719][ T3925] ? vfs_tmpfile+0x490/0x490 [ 134.151311][ T3925] ? do_raw_spin_unlock+0x134/0x8a0 [ 134.156507][ T3925] ? _raw_spin_unlock+0x24/0x40 [ 134.161354][ T3925] ? alloc_fd+0x5a7/0x640 [ 134.165688][ T3925] do_sys_openat2+0x124/0x4e0 [ 134.170361][ T3925] ? print_irqtrace_events+0x220/0x220 [ 134.175810][ T3925] ? ptrace_stop+0x74d/0x970 [ 134.180397][ T3925] ? do_sys_open+0x220/0x220 [ 134.184984][ T3925] ? lockdep_hardirqs_on+0x8d/0x130 [ 134.190178][ T3925] ? _raw_spin_unlock_irq+0x2a/0x40 [ 134.195389][ T3925] ? ptrace_notify+0x245/0x340 [ 134.200235][ T3925] __x64_sys_openat+0x243/0x290 [ 134.205080][ T3925] ? __ia32_sys_open+0x270/0x270 [ 134.210012][ T3925] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 134.215986][ T3925] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 134.221958][ T3925] do_syscall_64+0x3d/0xb0 [ 134.226369][ T3925] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 134.232254][ T3925] RIP: 0033:0x7fc8868064d9 [ 134.236657][ T3925] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 134.256252][ T3925] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 134.264657][ T3925] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3926] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3925] <... openat resumed>) = -1 EIO (Input/output error) [pid 3925] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3925] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3924] exit_group(0 [pid 3926] <... futex resumed>) = ? [pid 3925] <... futex resumed>) = ? [pid 3926] +++ exited with 0 +++ [pid 3925] +++ exited with 0 +++ [pid 3924] <... exit_group resumed>) = ? [pid 3924] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3924, si_uid=0, si_status=0, si_utime=5, si_stime=28} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./95", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./95", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./95/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./95/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./95/binderfs") = 0 [ 134.272618][ T3925] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 134.280577][ T3925] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 134.288539][ T3925] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 134.296501][ T3925] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 134.304494][ T3925] umount2("./95/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./95/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./95/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./95/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./95/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./95/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./95") = 0 mkdir("./96", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3927 ./strace-static-x86_64: Process 3927 attached [pid 3927] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3927] chdir("./96") = 0 [pid 3927] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3927] setpgid(0, 0) = 0 [pid 3927] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3927] write(3, "1000", 4) = 4 [pid 3927] close(3) = 0 [pid 3927] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3927] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3927] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3927] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3927] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3928 attached , parent_tid=[3928], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3928 [pid 3928] set_robust_list(0x7fc8867b29e0, 24 [pid 3927] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3928] <... set_robust_list resumed>) = 0 [pid 3927] <... futex resumed>) = 0 [pid 3928] memfd_create("syzkaller", 0 [pid 3927] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3928] <... memfd_create resumed>) = 3 [pid 3928] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3928] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3928] munmap(0x7fc87e392000, 16777216) = 0 [pid 3928] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3928] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3928] close(3) = 0 [pid 3928] mkdir("./file0", 0777) = 0 [ 134.630796][ T3928] loop0: detected capacity change from 0 to 32768 [ 134.640598][ T3928] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 134.648850][ T3928] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 134.659288][ T3928] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 134.668261][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 134.675371][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3928] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3928] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3928] chdir("./file0") = 0 [pid 3928] ioctl(4, LOOP_CLR_FD) = 0 [pid 3928] close(4) = 0 [pid 3928] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3927] <... futex resumed>) = 0 [pid 3928] <... futex resumed>) = 1 [pid 3927] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3928] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3927] <... futex resumed>) = 0 [pid 3927] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3928] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3928] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3927] <... futex resumed>) = 0 [pid 3928] <... futex resumed>) = 1 [pid 3927] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3927] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 134.710586][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 134.718094][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 134.723628][ T3928] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 134.746501][ T3928] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3928] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3927] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3927] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3927] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3927] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3927] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3929], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3929 [pid 3927] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3929 attached [pid 3929] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 134.754945][ T3928] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 134.754945][ T3928] inode = 12 2341 [ 134.754945][ T3928] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 134.774345][ T3928] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 134.784590][ T3928] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3928 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 134.795117][ T3928] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 134.801545][ T3929] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 134.805267][ T3928] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 134.813029][ T3929] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 134.820853][ T3928] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 134.829368][ T3929] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3928 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 134.838469][ T3928] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 134.848182][ T3929] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3929 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 134.855065][ T3928] gfs2: fsid=syz:syz.0: File system withdrawn [ 134.865419][ T3929] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 134.871544][ T3928] CPU: 1 PID: 3928 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 134.889625][ T3928] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 134.899675][ T3928] Call Trace: [ 134.902947][ T3928] [ 134.905875][ T3928] dump_stack_lvl+0x1b1/0x28e [ 134.910552][ T3928] ? nf_tcp_handle_invalid+0x62e/0x62e [ 134.916006][ T3928] ? panic+0x710/0x710 [ 134.920072][ T3928] ? kobject_uevent_env+0x46b/0x8e0 [ 134.925269][ T3928] ? do_raw_spin_unlock+0x134/0x8a0 [ 134.930469][ T3928] gfs2_withdraw+0xf33/0x1540 [ 134.935152][ T3928] ? gfs2_lm+0x220/0x220 [ 134.939386][ T3928] ? gfs2_dirent_scan+0xb6/0x650 [ 134.944318][ T3928] ? panic+0x710/0x710 [ 134.948380][ T3928] ? gfs2_permission+0x2ff/0x430 [ 134.953322][ T3928] ? gfs2_consist_inode_i+0xf3/0x110 [ 134.958606][ T3928] gfs2_dirent_scan+0x535/0x650 [ 134.963457][ T3928] ? gfs2_dirent_search+0xb10/0xb10 [ 134.968658][ T3928] gfs2_dirent_search+0x2ea/0xb10 [ 134.973683][ T3928] ? gfs2_dirent_search+0xb10/0xb10 [ 134.978881][ T3928] ? gfs2_dir_search+0x2a0/0x2a0 [ 134.983814][ T3928] ? gfs2_permission+0x3bf/0x430 [ 134.988751][ T3928] gfs2_dir_search+0x8c/0x2a0 [ 134.993427][ T3928] ? do_filldir_main+0x530/0x530 [ 134.998361][ T3928] ? inode_go_held+0xe4/0x1f0 [ 135.003035][ T3928] ? gfs2_glock_wait+0x213/0x2a0 [ 135.007968][ T3928] gfs2_lookupi+0x465/0x650 [ 135.012475][ T3928] ? gfs2_lookup_simple+0x170/0x170 [ 135.017787][ T3928] ? __gfs2_lookup+0x8c/0x260 [ 135.022467][ T3928] __gfs2_lookup+0x8c/0x260 [ 135.026964][ T3928] ? gfs2_atomic_open+0x230/0x230 [ 135.031985][ T3928] ? __d_lookup+0x6a4/0x770 [ 135.036483][ T3928] ? d_hash_and_lookup+0x1c0/0x1c0 [ 135.041587][ T3928] gfs2_atomic_open+0xa4/0x230 [ 135.046352][ T3928] path_openat+0xf39/0x2df0 [ 135.050878][ T3928] ? gfs2_rename2+0x3000/0x3000 [ 135.055741][ T3928] ? do_filp_open+0x4f0/0x4f0 [ 135.060423][ T3928] do_filp_open+0x264/0x4f0 [ 135.064916][ T3928] ? vfs_tmpfile+0x490/0x490 [ 135.069508][ T3928] ? do_raw_spin_unlock+0x134/0x8a0 [ 135.074792][ T3928] ? _raw_spin_unlock+0x24/0x40 [ 135.079640][ T3928] ? alloc_fd+0x5a7/0x640 [ 135.083973][ T3928] do_sys_openat2+0x124/0x4e0 [ 135.088645][ T3928] ? print_irqtrace_events+0x220/0x220 [ 135.094097][ T3928] ? ptrace_stop+0x74d/0x970 [ 135.098684][ T3928] ? do_sys_open+0x220/0x220 [ 135.103287][ T3928] ? lockdep_hardirqs_on+0x8d/0x130 [ 135.108486][ T3928] ? _raw_spin_unlock_irq+0x2a/0x40 [ 135.113686][ T3928] ? ptrace_notify+0x245/0x340 [ 135.118452][ T3928] __x64_sys_openat+0x243/0x290 [ 135.123298][ T3928] ? __ia32_sys_open+0x270/0x270 [ 135.128236][ T3928] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 135.134211][ T3928] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 135.140186][ T3928] do_syscall_64+0x3d/0xb0 [ 135.144602][ T3928] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 135.150486][ T3928] RIP: 0033:0x7fc8868064d9 [ 135.154897][ T3928] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 135.174501][ T3928] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 135.182910][ T3928] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 135.190872][ T3928] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 135.198837][ T3928] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3929] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3928] <... openat resumed>) = -1 EIO (Input/output error) [pid 3928] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3928] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3929] <... openat resumed>) = -1 EIO (Input/output error) [pid 3929] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3929] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3927] exit_group(0 [pid 3928] <... futex resumed>) = ? [pid 3927] <... exit_group resumed>) = ? [pid 3929] <... futex resumed>) = ? [pid 3928] +++ exited with 0 +++ [pid 3929] +++ exited with 0 +++ [pid 3927] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3927, si_uid=0, si_status=0, si_utime=0, si_stime=40} --- umount2("./96", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./96", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./96/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./96/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./96/binderfs") = 0 [ 135.206802][ T3928] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 135.214769][ T3928] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 135.222748][ T3928] umount2("./96/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./96/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./96/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./96/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./96/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./96/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./96") = 0 mkdir("./97", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3930 ./strace-static-x86_64: Process 3930 attached [pid 3930] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3930] chdir("./97") = 0 [pid 3930] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3930] setpgid(0, 0) = 0 [pid 3930] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3930] write(3, "1000", 4) = 4 [pid 3930] close(3) = 0 [pid 3930] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3930] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3930] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3930] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3930] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3931], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3931 [pid 3930] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3930] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3931 attached [pid 3931] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3931] memfd_create("syzkaller", 0) = 3 [pid 3931] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3931] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3931] munmap(0x7fc87e392000, 16777216) = 0 [pid 3931] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3931] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3931] close(3) = 0 [pid 3931] mkdir("./file0", 0777) = 0 [ 135.522571][ T3931] loop0: detected capacity change from 0 to 32768 [ 135.533201][ T3931] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 135.541641][ T3931] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 135.551942][ T3931] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 135.560827][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 135.567843][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3931] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3931] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3931] chdir("./file0") = 0 [pid 3931] ioctl(4, LOOP_CLR_FD) = 0 [pid 3931] close(4) = 0 [pid 3931] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3930] <... futex resumed>) = 0 [pid 3930] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3930] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3931] <... futex resumed>) = 1 [pid 3931] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3931] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3930] <... futex resumed>) = 0 [pid 3930] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3930] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3931] <... futex resumed>) = 1 [ 135.603128][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 135.610907][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 135.616420][ T3931] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 135.642460][ T3931] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3931] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3930] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3930] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3930] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3930] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3930] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3932], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3932 [ 135.650999][ T3931] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 135.650999][ T3931] inode = 12 2341 [ 135.650999][ T3931] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 135.670514][ T3931] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 135.679572][ T3931] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3931 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 135.690121][ T3931] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3930] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3932 attached [pid 3932] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3932] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3932] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 135.698639][ T3931] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 135.705933][ T3931] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 135.714784][ T3931] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 135.721454][ T3931] gfs2: fsid=syz:syz.0: File system withdrawn [ 135.727627][ T3931] CPU: 0 PID: 3931 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 135.738037][ T3931] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 135.748098][ T3931] Call Trace: [ 135.751384][ T3931] [ 135.754328][ T3931] dump_stack_lvl+0x1b1/0x28e [ 135.759000][ T3931] ? nf_tcp_handle_invalid+0x62e/0x62e [ 135.764461][ T3931] ? panic+0x710/0x710 [ 135.768537][ T3931] ? kobject_uevent_env+0x46b/0x8e0 [ 135.773756][ T3931] ? do_raw_spin_unlock+0x134/0x8a0 [ 135.778973][ T3931] gfs2_withdraw+0xf33/0x1540 [ 135.783673][ T3931] ? gfs2_lm+0x220/0x220 [ 135.787933][ T3931] ? gfs2_dirent_scan+0xb6/0x650 [ 135.792882][ T3931] ? panic+0x710/0x710 [ 135.796954][ T3931] ? gfs2_permission+0x2ff/0x430 [ 135.801920][ T3931] ? gfs2_consist_inode_i+0xf3/0x110 [ 135.807215][ T3931] gfs2_dirent_scan+0x535/0x650 [ 135.812061][ T3931] ? gfs2_dirent_search+0xb10/0xb10 [ 135.817253][ T3931] gfs2_dirent_search+0x2ea/0xb10 [ 135.822271][ T3931] ? gfs2_dirent_search+0xb10/0xb10 [ 135.827491][ T3931] ? gfs2_dir_search+0x2a0/0x2a0 [ 135.832443][ T3931] ? gfs2_permission+0x3bf/0x430 [ 135.837389][ T3931] gfs2_dir_search+0x8c/0x2a0 [ 135.842077][ T3931] ? do_filldir_main+0x530/0x530 [ 135.847011][ T3931] ? inode_go_held+0xe4/0x1f0 [ 135.851702][ T3931] ? gfs2_glock_wait+0x213/0x2a0 [ 135.856636][ T3931] gfs2_lookupi+0x465/0x650 [ 135.861142][ T3931] ? gfs2_lookup_simple+0x170/0x170 [ 135.866338][ T3931] ? __gfs2_lookup+0x8c/0x260 [ 135.871017][ T3931] __gfs2_lookup+0x8c/0x260 [ 135.875517][ T3931] ? gfs2_atomic_open+0x230/0x230 [ 135.880546][ T3931] ? __d_lookup+0x6a4/0x770 [ 135.885055][ T3931] ? d_hash_and_lookup+0x1c0/0x1c0 [ 135.890158][ T3931] gfs2_atomic_open+0xa4/0x230 [ 135.894920][ T3931] path_openat+0xf39/0x2df0 [ 135.899444][ T3931] ? gfs2_rename2+0x3000/0x3000 [ 135.904326][ T3931] ? do_filp_open+0x4f0/0x4f0 [ 135.909025][ T3931] do_filp_open+0x264/0x4f0 [ 135.913529][ T3931] ? vfs_tmpfile+0x490/0x490 [ 135.918120][ T3931] ? do_raw_spin_unlock+0x134/0x8a0 [ 135.923319][ T3931] ? _raw_spin_unlock+0x24/0x40 [ 135.928164][ T3931] ? alloc_fd+0x5a7/0x640 [ 135.932502][ T3931] do_sys_openat2+0x124/0x4e0 [ 135.937171][ T3931] ? print_irqtrace_events+0x220/0x220 [ 135.942618][ T3931] ? ptrace_stop+0x74d/0x970 [ 135.947204][ T3931] ? do_sys_open+0x220/0x220 [ 135.952138][ T3931] ? lockdep_hardirqs_on+0x8d/0x130 [ 135.957417][ T3931] ? _raw_spin_unlock_irq+0x2a/0x40 [ 135.962701][ T3931] ? ptrace_notify+0x245/0x340 [ 135.967459][ T3931] __x64_sys_openat+0x243/0x290 [ 135.972306][ T3931] ? __ia32_sys_open+0x270/0x270 [ 135.977325][ T3931] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 135.983299][ T3931] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 135.989275][ T3931] do_syscall_64+0x3d/0xb0 [ 135.993683][ T3931] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 135.999567][ T3931] RIP: 0033:0x7fc8868064d9 [ 136.003974][ T3931] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 136.023583][ T3931] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 136.031993][ T3931] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 136.039955][ T3931] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3932] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3931] <... openat resumed>) = -1 EIO (Input/output error) [pid 3931] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3931] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3930] exit_group(0 [pid 3932] <... futex resumed>) = ? [pid 3931] <... futex resumed>) = ? [pid 3930] <... exit_group resumed>) = ? [pid 3931] +++ exited with 0 +++ [pid 3932] +++ exited with 0 +++ [pid 3930] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3930, si_uid=0, si_status=0, si_utime=1, si_stime=28} --- umount2("./97", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./97", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./97/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./97/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./97/binderfs") = 0 [ 136.047917][ T3931] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 136.055879][ T3931] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 136.063841][ T3931] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 136.072770][ T3931] umount2("./97/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./97/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./97/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./97/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./97/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./97/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./97") = 0 mkdir("./98", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3933 ./strace-static-x86_64: Process 3933 attached [pid 3933] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3933] chdir("./98") = 0 [pid 3933] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3933] setpgid(0, 0) = 0 [pid 3933] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3933] write(3, "1000", 4) = 4 [pid 3933] close(3) = 0 [pid 3933] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3933] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3933] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3933] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3933] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3934], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3934 [pid 3933] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3933] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3934 attached [pid 3934] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3934] memfd_create("syzkaller", 0) = 3 [pid 3934] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3934] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3934] munmap(0x7fc87e392000, 16777216) = 0 [pid 3934] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3934] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3934] close(3) = 0 [pid 3934] mkdir("./file0", 0777) = 0 [ 136.393985][ T3934] loop0: detected capacity change from 0 to 32768 [ 136.403728][ T3934] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 136.412749][ T3934] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 136.422594][ T3934] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 136.431586][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 136.438358][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3934] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3934] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3934] chdir("./file0") = 0 [pid 3934] ioctl(4, LOOP_CLR_FD) = 0 [pid 3934] close(4) = 0 [pid 3934] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3933] <... futex resumed>) = 0 [pid 3933] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3933] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3934] <... futex resumed>) = 1 [pid 3934] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3934] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3933] <... futex resumed>) = 0 [pid 3933] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3933] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3934] <... futex resumed>) = 1 [ 136.472940][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 136.480522][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 136.485773][ T3934] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 136.500490][ T3934] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 136.509318][ T3934] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 136.509318][ T3934] inode = 12 2341 [pid 3934] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3933] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3933] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3933] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3933] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3933] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3933] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3935], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3935 [pid 3933] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3935 attached [pid 3935] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 136.509318][ T3934] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 136.528586][ T3934] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 136.539114][ T3934] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3934 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 136.549531][ T3934] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 136.556736][ T3935] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 136.559358][ T3934] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 136.566704][ T3935] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 136.573798][ T3934] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 136.583131][ T3935] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3934 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 136.591628][ T3934] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 136.602036][ T3935] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3935 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 136.609816][ T3934] gfs2: fsid=syz:syz.0: File system withdrawn [ 136.618366][ T3935] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 136.624172][ T3934] CPU: 1 PID: 3934 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 136.643043][ T3934] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 136.653102][ T3934] Call Trace: [ 136.656384][ T3934] [ 136.659316][ T3934] dump_stack_lvl+0x1b1/0x28e [ 136.663994][ T3934] ? nf_tcp_handle_invalid+0x62e/0x62e [ 136.669442][ T3934] ? panic+0x710/0x710 [ 136.673503][ T3934] ? kobject_uevent_env+0x46b/0x8e0 [ 136.678714][ T3934] ? do_raw_spin_unlock+0x134/0x8a0 [ 136.683938][ T3934] gfs2_withdraw+0xf33/0x1540 [ 136.688663][ T3934] ? gfs2_lm+0x220/0x220 [ 136.692918][ T3934] ? gfs2_dirent_scan+0xb6/0x650 [ 136.697873][ T3934] ? panic+0x710/0x710 [ 136.701944][ T3934] ? gfs2_permission+0x2ff/0x430 [ 136.706885][ T3934] ? gfs2_consist_inode_i+0xf3/0x110 [ 136.712180][ T3934] gfs2_dirent_scan+0x535/0x650 [ 136.717023][ T3934] ? gfs2_dirent_search+0xb10/0xb10 [pid 3935] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3933] exit_group(0) = ? [ 136.722229][ T3934] gfs2_dirent_search+0x2ea/0xb10 [ 136.727267][ T3934] ? gfs2_dirent_search+0xb10/0xb10 [ 136.732462][ T3934] ? gfs2_dir_search+0x2a0/0x2a0 [ 136.737388][ T3934] ? gfs2_permission+0x3bf/0x430 [ 136.742335][ T3934] gfs2_dir_search+0x8c/0x2a0 [ 136.747006][ T3934] ? do_filldir_main+0x530/0x530 [ 136.751943][ T3934] ? inode_go_held+0xe4/0x1f0 [ 136.756648][ T3934] ? gfs2_glock_wait+0x213/0x2a0 [ 136.762114][ T3934] gfs2_lookupi+0x465/0x650 [ 136.766618][ T3934] ? gfs2_lookup_simple+0x170/0x170 [ 136.771811][ T3934] ? __gfs2_lookup+0x8c/0x260 [ 136.776483][ T3934] __gfs2_lookup+0x8c/0x260 [ 136.780995][ T3934] ? gfs2_atomic_open+0x230/0x230 [ 136.786027][ T3934] ? __d_lookup+0x6a4/0x770 [ 136.790615][ T3934] ? d_hash_and_lookup+0x1c0/0x1c0 [ 136.795744][ T3934] gfs2_atomic_open+0xa4/0x230 [ 136.800519][ T3934] path_openat+0xf39/0x2df0 [ 136.805034][ T3934] ? gfs2_rename2+0x3000/0x3000 [ 136.809890][ T3934] ? do_filp_open+0x4f0/0x4f0 [ 136.814589][ T3934] do_filp_open+0x264/0x4f0 [ 136.819101][ T3934] ? vfs_tmpfile+0x490/0x490 [ 136.823689][ T3934] ? do_raw_spin_unlock+0x134/0x8a0 [ 136.828898][ T3934] ? _raw_spin_unlock+0x24/0x40 [ 136.833746][ T3934] ? alloc_fd+0x5a7/0x640 [ 136.838087][ T3934] do_sys_openat2+0x124/0x4e0 [ 136.842780][ T3934] ? print_irqtrace_events+0x220/0x220 [ 136.848230][ T3934] ? ptrace_stop+0x74d/0x970 [ 136.852817][ T3934] ? do_sys_open+0x220/0x220 [ 136.857428][ T3934] ? lockdep_hardirqs_on+0x8d/0x130 [ 136.862642][ T3934] ? _raw_spin_unlock_irq+0x2a/0x40 [ 136.867837][ T3934] ? ptrace_notify+0x245/0x340 [ 136.872595][ T3934] __x64_sys_openat+0x243/0x290 [ 136.877445][ T3934] ? __ia32_sys_open+0x270/0x270 [ 136.882390][ T3934] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 136.888388][ T3934] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 136.894364][ T3934] do_syscall_64+0x3d/0xb0 [ 136.898769][ T3934] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 136.904659][ T3934] RIP: 0033:0x7fc8868064d9 [ 136.909075][ T3934] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 136.928673][ T3934] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 136.937080][ T3934] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 136.945045][ T3934] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 136.953036][ T3934] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 136.961010][ T3934] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3935] <... openat resumed>) = ? [pid 3934] <... openat resumed>) = ? [pid 3935] +++ exited with 0 +++ [pid 3934] +++ exited with 0 +++ [pid 3933] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3933, si_uid=0, si_status=0, si_utime=0, si_stime=41} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./98", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./98", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./98/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./98/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./98/binderfs") = 0 [ 136.968987][ T3934] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 136.976962][ T3934] umount2("./98/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./98/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./98/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./98/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./98/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./98/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./98") = 0 mkdir("./99", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3936 ./strace-static-x86_64: Process 3936 attached [pid 3936] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3936] chdir("./99") = 0 [pid 3936] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3936] setpgid(0, 0) = 0 [pid 3936] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3936] write(3, "1000", 4) = 4 [pid 3936] close(3) = 0 [pid 3936] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3936] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3936] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3936] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3936] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3937 attached , parent_tid=[3937], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3937 [pid 3936] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3936] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3937] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3937] memfd_create("syzkaller", 0) = 3 [pid 3937] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3937] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3937] munmap(0x7fc87e392000, 16777216) = 0 [pid 3937] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3937] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3937] close(3) = 0 [pid 3937] mkdir("./file0", 0777) = 0 [ 137.273717][ T3937] loop0: detected capacity change from 0 to 32768 [ 137.284483][ T3937] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 137.292924][ T3937] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 137.303447][ T3937] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 137.312063][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 137.318839][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3937] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3937] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3937] chdir("./file0") = 0 [pid 3937] ioctl(4, LOOP_CLR_FD) = 0 [pid 3937] close(4) = 0 [pid 3937] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3936] <... futex resumed>) = 0 [pid 3936] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3936] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3937] <... futex resumed>) = 1 [pid 3937] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3937] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3936] <... futex resumed>) = 0 [pid 3937] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3936] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 137.358736][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 137.366351][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 137.371921][ T3937] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 137.387437][ T3937] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 137.396556][ T3937] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 137.396556][ T3937] inode = 12 2341 [pid 3936] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3936] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3936] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3936] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3936] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3938], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3938 [pid 3936] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3938 attached [pid 3938] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3938] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3938] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 137.396556][ T3937] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 137.415380][ T3937] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 137.424819][ T3937] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3937 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 137.435100][ T3937] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 137.443779][ T3937] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 137.452272][ T3937] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 137.461189][ T3937] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 137.467820][ T3937] gfs2: fsid=syz:syz.0: File system withdrawn [ 137.473956][ T3937] CPU: 1 PID: 3937 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 137.484375][ T3937] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 137.494437][ T3937] Call Trace: [ 137.497724][ T3937] [ 137.500662][ T3937] dump_stack_lvl+0x1b1/0x28e [ 137.505342][ T3937] ? nf_tcp_handle_invalid+0x62e/0x62e [ 137.510797][ T3937] ? panic+0x710/0x710 [ 137.514876][ T3937] ? kobject_uevent_env+0x46b/0x8e0 [ 137.520076][ T3937] ? do_raw_spin_unlock+0x134/0x8a0 [ 137.525986][ T3937] gfs2_withdraw+0xf33/0x1540 [ 137.530684][ T3937] ? gfs2_lm+0x220/0x220 [ 137.534918][ T3937] ? gfs2_dirent_scan+0xb6/0x650 [ 137.539856][ T3937] ? panic+0x710/0x710 [ 137.543928][ T3937] ? gfs2_permission+0x2ff/0x430 [ 137.548886][ T3937] ? gfs2_consist_inode_i+0xf3/0x110 [ 137.554169][ T3937] gfs2_dirent_scan+0x535/0x650 [pid 3938] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3936] exit_group(0 [pid 3938] <... futex resumed>) = ? [pid 3936] <... exit_group resumed>) = ? [pid 3938] +++ exited with 0 +++ [ 137.559036][ T3937] ? gfs2_dirent_search+0xb10/0xb10 [ 137.564296][ T3937] gfs2_dirent_search+0x2ea/0xb10 [ 137.569338][ T3937] ? gfs2_dirent_search+0xb10/0xb10 [ 137.574558][ T3937] ? gfs2_dir_search+0x2a0/0x2a0 [ 137.579497][ T3937] ? gfs2_permission+0x3bf/0x430 [ 137.584451][ T3937] gfs2_dir_search+0x8c/0x2a0 [ 137.589136][ T3937] ? do_filldir_main+0x530/0x530 [ 137.594095][ T3937] ? inode_go_held+0xe4/0x1f0 [ 137.598789][ T3937] ? gfs2_glock_wait+0x213/0x2a0 [ 137.603722][ T3937] gfs2_lookupi+0x465/0x650 [ 137.608240][ T3937] ? gfs2_lookup_simple+0x170/0x170 [ 137.613444][ T3937] ? __gfs2_lookup+0x8c/0x260 [ 137.618137][ T3937] __gfs2_lookup+0x8c/0x260 [ 137.622744][ T3937] ? gfs2_atomic_open+0x230/0x230 [ 137.627766][ T3937] ? __d_lookup+0x6a4/0x770 [ 137.632272][ T3937] ? d_hash_and_lookup+0x1c0/0x1c0 [ 137.637401][ T3937] gfs2_atomic_open+0xa4/0x230 [ 137.642196][ T3937] path_openat+0xf39/0x2df0 [ 137.646698][ T3937] ? gfs2_rename2+0x3000/0x3000 [ 137.651569][ T3937] ? do_filp_open+0x4f0/0x4f0 [ 137.656275][ T3937] do_filp_open+0x264/0x4f0 [ 137.660780][ T3937] ? vfs_tmpfile+0x490/0x490 [ 137.665382][ T3937] ? do_raw_spin_unlock+0x134/0x8a0 [ 137.670584][ T3937] ? _raw_spin_unlock+0x24/0x40 [ 137.675433][ T3937] ? alloc_fd+0x5a7/0x640 [ 137.679803][ T3937] do_sys_openat2+0x124/0x4e0 [ 137.684508][ T3937] ? print_irqtrace_events+0x220/0x220 [ 137.689983][ T3937] ? ptrace_stop+0x74d/0x970 [ 137.694587][ T3937] ? do_sys_open+0x220/0x220 [ 137.699170][ T3937] ? lockdep_hardirqs_on+0x8d/0x130 [ 137.704361][ T3937] ? _raw_spin_unlock_irq+0x2a/0x40 [ 137.709552][ T3937] ? ptrace_notify+0x245/0x340 [ 137.714303][ T3937] __x64_sys_openat+0x243/0x290 [ 137.719148][ T3937] ? __ia32_sys_open+0x270/0x270 [ 137.724091][ T3937] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 137.730088][ T3937] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 137.736078][ T3937] do_syscall_64+0x3d/0xb0 [ 137.740487][ T3937] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 137.746470][ T3937] RIP: 0033:0x7fc8868064d9 [ 137.750890][ T3937] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 137.770493][ T3937] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 137.778929][ T3937] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 137.786906][ T3937] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 137.794884][ T3937] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 137.802859][ T3937] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3937] <... openat resumed>) = ? [pid 3937] +++ exited with 0 +++ [pid 3936] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3936, si_uid=0, si_status=0, si_utime=3, si_stime=26} --- umount2("./99", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./99", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./99/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./99/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./99/binderfs") = 0 [ 137.810820][ T3937] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 137.818901][ T3937] umount2("./99/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./99/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./99/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./99/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./99/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./99/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./99") = 0 mkdir("./100", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3939 ./strace-static-x86_64: Process 3939 attached [pid 3939] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3939] chdir("./100") = 0 [pid 3939] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3939] setpgid(0, 0) = 0 [pid 3939] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3939] write(3, "1000", 4) = 4 [pid 3939] close(3) = 0 [pid 3939] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3939] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3939] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3939] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3939] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3940], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3940 [pid 3939] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3939] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3940 attached [pid 3940] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3940] memfd_create("syzkaller", 0) = 3 [pid 3940] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3940] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3940] munmap(0x7fc87e392000, 16777216) = 0 [pid 3940] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3940] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3940] close(3) = 0 [pid 3940] mkdir("./file0", 0777) = 0 [ 138.123416][ T3940] loop0: detected capacity change from 0 to 32768 [ 138.143801][ T3940] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 138.152041][ T3940] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 138.162301][ T3940] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 138.171234][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 138.178022][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3940] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3940] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3940] chdir("./file0") = 0 [pid 3940] ioctl(4, LOOP_CLR_FD) = 0 [pid 3940] close(4) = 0 [pid 3940] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3939] <... futex resumed>) = 0 [pid 3940] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3939] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3939] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3940] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3940] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3940] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3939] <... futex resumed>) = 0 [pid 3940] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3939] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 138.216470][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 138.225262][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 138.230717][ T3940] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3939] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 138.263756][ T3940] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 138.273140][ T3940] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 138.273140][ T3940] inode = 12 2341 [ 138.273140][ T3940] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 138.292711][ T3940] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 138.302077][ T3940] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3940 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3939] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3939] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3939] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3939] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3941], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3941 [pid 3939] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3941 attached [pid 3941] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 138.312289][ T3940] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 138.321696][ T3941] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 138.321752][ T3940] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 138.330730][ T3941] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 138.337552][ T3940] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 138.346913][ T3941] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3940 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 138.355846][ T3940] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 138.365795][ T3941] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3941 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 138.372209][ T3940] gfs2: fsid=syz:syz.0: File system withdrawn [ 138.383959][ T3941] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 138.388048][ T3940] CPU: 1 PID: 3940 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 138.406752][ T3940] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 138.416810][ T3940] Call Trace: [ 138.420102][ T3940] [ 138.423033][ T3940] dump_stack_lvl+0x1b1/0x28e [ 138.427972][ T3940] ? nf_tcp_handle_invalid+0x62e/0x62e [ 138.433428][ T3940] ? panic+0x710/0x710 [ 138.437505][ T3940] ? kobject_uevent_env+0x46b/0x8e0 [ 138.442700][ T3940] ? do_raw_spin_unlock+0x134/0x8a0 [ 138.447900][ T3940] gfs2_withdraw+0xf33/0x1540 [ 138.452586][ T3940] ? gfs2_lm+0x220/0x220 [ 138.456820][ T3940] ? gfs2_dirent_scan+0xb6/0x650 [ 138.461760][ T3940] ? panic+0x710/0x710 [ 138.465825][ T3940] ? gfs2_permission+0x2ff/0x430 [ 138.470764][ T3940] ? gfs2_consist_inode_i+0xf3/0x110 [ 138.476048][ T3940] gfs2_dirent_scan+0x535/0x650 [ 138.480900][ T3940] ? gfs2_dirent_search+0xb10/0xb10 [ 138.486102][ T3940] gfs2_dirent_search+0x2ea/0xb10 [ 138.491127][ T3940] ? gfs2_dirent_search+0xb10/0xb10 [ 138.496323][ T3940] ? gfs2_dir_search+0x2a0/0x2a0 [ 138.501253][ T3940] ? gfs2_permission+0x3bf/0x430 [ 138.506192][ T3940] gfs2_dir_search+0x8c/0x2a0 [ 138.510870][ T3940] ? do_filldir_main+0x530/0x530 [ 138.515803][ T3940] ? inode_go_held+0xe4/0x1f0 [ 138.520480][ T3940] ? gfs2_glock_wait+0x213/0x2a0 [ 138.525414][ T3940] gfs2_lookupi+0x465/0x650 [ 138.529920][ T3940] ? gfs2_lookup_simple+0x170/0x170 [ 138.535115][ T3940] ? __gfs2_lookup+0x8c/0x260 [ 138.540267][ T3940] __gfs2_lookup+0x8c/0x260 [ 138.546504][ T3940] ? gfs2_atomic_open+0x230/0x230 [ 138.551526][ T3940] ? __d_lookup+0x6a4/0x770 [ 138.556021][ T3940] ? d_hash_and_lookup+0x1c0/0x1c0 [ 138.561126][ T3940] gfs2_atomic_open+0xa4/0x230 [ 138.565888][ T3940] path_openat+0xf39/0x2df0 [ 138.570390][ T3940] ? gfs2_rename2+0x3000/0x3000 [ 138.575250][ T3940] ? do_filp_open+0x4f0/0x4f0 [ 138.579933][ T3940] do_filp_open+0x264/0x4f0 [ 138.584435][ T3940] ? vfs_tmpfile+0x490/0x490 [ 138.589024][ T3940] ? do_raw_spin_unlock+0x134/0x8a0 [ 138.594225][ T3940] ? _raw_spin_unlock+0x24/0x40 [ 138.599075][ T3940] ? alloc_fd+0x5a7/0x640 [ 138.603406][ T3940] do_sys_openat2+0x124/0x4e0 [ 138.608082][ T3940] ? print_irqtrace_events+0x220/0x220 [ 138.613792][ T3940] ? ptrace_stop+0x74d/0x970 [ 138.618378][ T3940] ? do_sys_open+0x220/0x220 [ 138.622964][ T3940] ? lockdep_hardirqs_on+0x8d/0x130 [ 138.628158][ T3940] ? _raw_spin_unlock_irq+0x2a/0x40 [ 138.633350][ T3940] ? ptrace_notify+0x245/0x340 [ 138.638106][ T3940] __x64_sys_openat+0x243/0x290 [ 138.642956][ T3940] ? __ia32_sys_open+0x270/0x270 [ 138.647890][ T3940] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 138.653864][ T3940] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 138.659841][ T3940] do_syscall_64+0x3d/0xb0 [ 138.664255][ T3940] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 138.670142][ T3940] RIP: 0033:0x7fc8868064d9 [ 138.674549][ T3940] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 138.694147][ T3940] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 138.702551][ T3940] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3941] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3941] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3941] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3940] <... openat resumed>) = -1 EIO (Input/output error) [pid 3940] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3939] exit_group(0) = ? [pid 3941] <... futex resumed>) = ? [pid 3941] +++ exited with 0 +++ [pid 3940] <... futex resumed>) = ? [pid 3940] +++ exited with 0 +++ [pid 3939] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3939, si_uid=0, si_status=0, si_utime=4, si_stime=34} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./100", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./100", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./100/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./100/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./100/binderfs") = 0 [ 138.710513][ T3940] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 138.718500][ T3940] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 138.726486][ T3940] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 138.734454][ T3940] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 138.742436][ T3940] umount2("./100/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./100/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./100/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./100/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./100/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./100/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./100") = 0 mkdir("./101", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3942 ./strace-static-x86_64: Process 3942 attached [pid 3942] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3942] chdir("./101") = 0 [pid 3942] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3942] setpgid(0, 0) = 0 [pid 3942] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3942] write(3, "1000", 4) = 4 [pid 3942] close(3) = 0 [pid 3942] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3942] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3942] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3942] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3942] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3943 attached , parent_tid=[3943], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3943 [pid 3943] set_robust_list(0x7fc8867b29e0, 24 [pid 3942] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3943] <... set_robust_list resumed>) = 0 [pid 3942] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3943] memfd_create("syzkaller", 0) = 3 [pid 3943] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3943] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3943] munmap(0x7fc87e392000, 16777216) = 0 [pid 3943] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3943] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3943] close(3) = 0 [pid 3943] mkdir("./file0", 0777) = 0 [ 139.052771][ T3943] loop0: detected capacity change from 0 to 32768 [ 139.062811][ T3943] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 139.071167][ T3943] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 139.080806][ T3943] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 139.089584][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 139.096968][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3943] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3943] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3943] chdir("./file0") = 0 [pid 3943] ioctl(4, LOOP_CLR_FD) = 0 [pid 3943] close(4) = 0 [pid 3943] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3943] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3942] <... futex resumed>) = 0 [pid 3942] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3942] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3943] <... futex resumed>) = 0 [pid 3943] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3943] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3942] <... futex resumed>) = 0 [pid 3942] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3942] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3943] <... futex resumed>) = 1 [ 139.135426][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 139.143635][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 139.148932][ T3943] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 139.171020][ T3943] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3943] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3942] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3942] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3942] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3942] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3942] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3944], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3944 [pid 3942] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3944 attached [pid 3944] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 139.179928][ T3943] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 139.179928][ T3943] inode = 12 2341 [ 139.179928][ T3943] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 139.199065][ T3943] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 139.208703][ T3943] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3943 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 139.219562][ T3943] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 139.225901][ T3944] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 139.229079][ T3943] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 139.237114][ T3944] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 139.244089][ T3943] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 139.253404][ T3944] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3943 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 139.261932][ T3943] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 139.272197][ T3944] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3944 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 139.279989][ T3943] gfs2: fsid=syz:syz.0: File system withdrawn [ 139.288637][ T3944] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 139.294975][ T3943] CPU: 1 PID: 3943 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 139.313148][ T3943] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 139.323215][ T3943] Call Trace: [ 139.326519][ T3943] [ 139.329459][ T3943] dump_stack_lvl+0x1b1/0x28e [ 139.334128][ T3943] ? nf_tcp_handle_invalid+0x62e/0x62e [ 139.339576][ T3943] ? panic+0x710/0x710 [ 139.343635][ T3943] ? kobject_uevent_env+0x46b/0x8e0 [ 139.348832][ T3943] ? do_raw_spin_unlock+0x134/0x8a0 [ 139.354493][ T3943] gfs2_withdraw+0xf33/0x1540 [ 139.359290][ T3943] ? gfs2_lm+0x220/0x220 [ 139.363520][ T3943] ? gfs2_dirent_scan+0xb6/0x650 [ 139.368883][ T3943] ? panic+0x710/0x710 [ 139.372942][ T3943] ? gfs2_permission+0x2ff/0x430 [ 139.377871][ T3943] ? gfs2_consist_inode_i+0xf3/0x110 [pid 3944] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3942] exit_group(0) = ? [ 139.383150][ T3943] gfs2_dirent_scan+0x535/0x650 [ 139.388005][ T3943] ? gfs2_dirent_search+0xb10/0xb10 [ 139.393212][ T3943] gfs2_dirent_search+0x2ea/0xb10 [ 139.398499][ T3943] ? gfs2_dirent_search+0xb10/0xb10 [ 139.403807][ T3943] ? gfs2_dir_search+0x2a0/0x2a0 [ 139.408752][ T3943] ? gfs2_permission+0x3bf/0x430 [ 139.413708][ T3943] gfs2_dir_search+0x8c/0x2a0 [ 139.418382][ T3943] ? do_filldir_main+0x530/0x530 [ 139.423318][ T3943] ? inode_go_held+0xe4/0x1f0 [ 139.428003][ T3943] ? gfs2_glock_wait+0x213/0x2a0 [ 139.432933][ T3943] gfs2_lookupi+0x465/0x650 [ 139.437428][ T3943] ? gfs2_lookup_simple+0x170/0x170 [ 139.442617][ T3943] ? __gfs2_lookup+0x8c/0x260 [ 139.447288][ T3943] __gfs2_lookup+0x8c/0x260 [ 139.451794][ T3943] ? gfs2_atomic_open+0x230/0x230 [ 139.456913][ T3943] ? __d_lookup+0x6a4/0x770 [ 139.461414][ T3943] ? d_hash_and_lookup+0x1c0/0x1c0 [ 139.466534][ T3943] gfs2_atomic_open+0xa4/0x230 [ 139.471299][ T3943] path_openat+0xf39/0x2df0 [ 139.475803][ T3943] ? gfs2_rename2+0x3000/0x3000 [ 139.480668][ T3943] ? do_filp_open+0x4f0/0x4f0 [ 139.485366][ T3943] do_filp_open+0x264/0x4f0 [ 139.489859][ T3943] ? vfs_tmpfile+0x490/0x490 [ 139.494462][ T3943] ? do_raw_spin_unlock+0x134/0x8a0 [ 139.499670][ T3943] ? _raw_spin_unlock+0x24/0x40 [ 139.504517][ T3943] ? alloc_fd+0x5a7/0x640 [ 139.508841][ T3943] do_sys_openat2+0x124/0x4e0 [ 139.513510][ T3943] ? print_irqtrace_events+0x220/0x220 [ 139.518958][ T3943] ? ptrace_stop+0x74d/0x970 [ 139.523550][ T3943] ? do_sys_open+0x220/0x220 [ 139.528150][ T3943] ? lockdep_hardirqs_on+0x8d/0x130 [ 139.533343][ T3943] ? _raw_spin_unlock_irq+0x2a/0x40 [ 139.538549][ T3943] ? ptrace_notify+0x245/0x340 [ 139.543321][ T3943] __x64_sys_openat+0x243/0x290 [ 139.548176][ T3943] ? __ia32_sys_open+0x270/0x270 [ 139.553118][ T3943] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 139.559098][ T3943] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 139.565092][ T3943] do_syscall_64+0x3d/0xb0 [ 139.569508][ T3943] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 139.575407][ T3943] RIP: 0033:0x7fc8868064d9 [ 139.579916][ T3943] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 139.599513][ T3943] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 139.607919][ T3943] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 139.615896][ T3943] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 139.623879][ T3943] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3944] <... openat resumed>) = ? [pid 3943] <... openat resumed>) = ? [pid 3944] +++ exited with 0 +++ [pid 3943] +++ exited with 0 +++ [pid 3942] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3942, si_uid=0, si_status=0, si_utime=1, si_stime=43} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./101", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./101", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./101/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./101/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./101/binderfs") = 0 [ 139.631851][ T3943] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 139.639831][ T3943] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 139.647824][ T3943] umount2("./101/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./101/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./101/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./101/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./101/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./101/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./101") = 0 mkdir("./102", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3945 ./strace-static-x86_64: Process 3945 attached [pid 3945] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3945] chdir("./102") = 0 [pid 3945] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3945] setpgid(0, 0) = 0 [pid 3945] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3945] write(3, "1000", 4) = 4 [pid 3945] close(3) = 0 [pid 3945] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3945] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3945] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3945] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3945] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3946], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3946 [pid 3945] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3945] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3946 attached [pid 3946] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3946] memfd_create("syzkaller", 0) = 3 [pid 3946] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3946] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3946] munmap(0x7fc87e392000, 16777216) = 0 [pid 3946] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3946] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3946] close(3) = 0 [pid 3946] mkdir("./file0", 0777) = 0 [ 139.969799][ T3946] loop0: detected capacity change from 0 to 32768 [ 139.980465][ T3946] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 139.989020][ T3946] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 139.998690][ T3946] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 140.007360][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 140.014587][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3946] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3946] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3946] chdir("./file0") = 0 [pid 3946] ioctl(4, LOOP_CLR_FD) = 0 [pid 3946] close(4) = 0 [pid 3946] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3945] <... futex resumed>) = 0 [pid 3946] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3945] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3946] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3945] <... futex resumed>) = 0 [pid 3946] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3945] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3946] <... futex resumed>) = 0 [pid 3945] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3946] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3945] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 140.049206][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 140.057630][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 140.062926][ T3946] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 140.075728][ T3946] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 140.084467][ T3946] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 140.084467][ T3946] inode = 12 2341 [pid 3945] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 140.084467][ T3946] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 140.103450][ T3946] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 140.112690][ T3946] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3946 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 140.122833][ T3946] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 140.131468][ T3946] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 140.138761][ T3946] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 3945] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3945] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3945] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3945] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3947], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3947 [pid 3945] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3947 attached [pid 3947] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3947] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3947] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 140.147688][ T3946] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 140.154452][ T3946] gfs2: fsid=syz:syz.0: File system withdrawn [ 140.160628][ T3946] CPU: 0 PID: 3946 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 140.171051][ T3946] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 140.181110][ T3946] Call Trace: [ 140.184405][ T3946] [ 140.187358][ T3946] dump_stack_lvl+0x1b1/0x28e [ 140.192055][ T3946] ? nf_tcp_handle_invalid+0x62e/0x62e [ 140.197521][ T3946] ? panic+0x710/0x710 [ 140.201596][ T3946] ? kobject_uevent_env+0x46b/0x8e0 [ 140.206784][ T3946] ? do_raw_spin_unlock+0x134/0x8a0 [ 140.211992][ T3946] gfs2_withdraw+0xf33/0x1540 [ 140.216701][ T3946] ? gfs2_lm+0x220/0x220 [ 140.220944][ T3946] ? gfs2_dirent_scan+0xb6/0x650 [ 140.225872][ T3946] ? panic+0x710/0x710 [ 140.229932][ T3946] ? gfs2_permission+0x2ff/0x430 [ 140.234876][ T3946] ? gfs2_consist_inode_i+0xf3/0x110 [ 140.240174][ T3946] gfs2_dirent_scan+0x535/0x650 [ 140.245019][ T3946] ? gfs2_dirent_search+0xb10/0xb10 [ 140.250222][ T3946] gfs2_dirent_search+0x2ea/0xb10 [ 140.255260][ T3946] ? gfs2_dirent_search+0xb10/0xb10 [ 140.260449][ T3946] ? gfs2_dir_search+0x2a0/0x2a0 [ 140.265375][ T3946] ? gfs2_permission+0x3bf/0x430 [ 140.270315][ T3946] gfs2_dir_search+0x8c/0x2a0 [ 140.274993][ T3946] ? do_filldir_main+0x530/0x530 [ 140.279931][ T3946] ? inode_go_held+0xe4/0x1f0 [ 140.284605][ T3946] ? gfs2_glock_wait+0x213/0x2a0 [ 140.289536][ T3946] gfs2_lookupi+0x465/0x650 [ 140.294040][ T3946] ? gfs2_lookup_simple+0x170/0x170 [ 140.299233][ T3946] ? __gfs2_lookup+0x8c/0x260 [ 140.303911][ T3946] __gfs2_lookup+0x8c/0x260 [ 140.308410][ T3946] ? gfs2_atomic_open+0x230/0x230 [ 140.313429][ T3946] ? __d_lookup+0x6a4/0x770 [ 140.317929][ T3946] ? d_hash_and_lookup+0x1c0/0x1c0 [ 140.323031][ T3946] gfs2_atomic_open+0xa4/0x230 [ 140.327790][ T3946] path_openat+0xf39/0x2df0 [ 140.332289][ T3946] ? gfs2_rename2+0x3000/0x3000 [ 140.337152][ T3946] ? do_filp_open+0x4f0/0x4f0 [ 140.341862][ T3946] do_filp_open+0x264/0x4f0 [ 140.346357][ T3946] ? vfs_tmpfile+0x490/0x490 [ 140.350954][ T3946] ? do_raw_spin_unlock+0x134/0x8a0 [ 140.356237][ T3946] ? _raw_spin_unlock+0x24/0x40 [ 140.361084][ T3946] ? alloc_fd+0x5a7/0x640 [ 140.365413][ T3946] do_sys_openat2+0x124/0x4e0 [ 140.370094][ T3946] ? print_irqtrace_events+0x220/0x220 [ 140.375552][ T3946] ? ptrace_stop+0x74d/0x970 [ 140.380143][ T3946] ? do_sys_open+0x220/0x220 [ 140.384734][ T3946] ? lockdep_hardirqs_on+0x8d/0x130 [ 140.389928][ T3946] ? _raw_spin_unlock_irq+0x2a/0x40 [ 140.395122][ T3946] ? ptrace_notify+0x245/0x340 [ 140.399879][ T3946] __x64_sys_openat+0x243/0x290 [ 140.404727][ T3946] ? __ia32_sys_open+0x270/0x270 [ 140.409658][ T3946] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 140.415631][ T3946] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 140.421610][ T3946] do_syscall_64+0x3d/0xb0 [ 140.426019][ T3946] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 140.431905][ T3946] RIP: 0033:0x7fc8868064d9 [ 140.436312][ T3946] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 140.455907][ T3946] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 140.464309][ T3946] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 140.472274][ T3946] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 140.480236][ T3946] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 140.488195][ T3946] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3947] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3946] <... openat resumed>) = -1 EIO (Input/output error) [pid 3946] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3946] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3945] exit_group(0) = ? [pid 3946] <... futex resumed>) = ? [pid 3946] +++ exited with 0 +++ [pid 3947] <... futex resumed>) = ? [pid 3947] +++ exited with 0 +++ [pid 3945] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3945, si_uid=0, si_status=0, si_utime=1, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./102", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./102", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./102/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./102/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./102/binderfs") = 0 [ 140.496159][ T3946] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 140.504134][ T3946] umount2("./102/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./102/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./102/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./102/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./102/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./102/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./102") = 0 mkdir("./103", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3948 ./strace-static-x86_64: Process 3948 attached [pid 3948] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3948] chdir("./103") = 0 [pid 3948] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3948] setpgid(0, 0) = 0 [pid 3948] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3948] write(3, "1000", 4) = 4 [pid 3948] close(3) = 0 [pid 3948] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3948] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3948] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3948] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3948] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3949], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3949 [pid 3948] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3948] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3949 attached [pid 3949] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3949] memfd_create("syzkaller", 0) = 3 [pid 3949] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3949] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3949] munmap(0x7fc87e392000, 16777216) = 0 [pid 3949] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3949] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3949] close(3) = 0 [pid 3949] mkdir("./file0", 0777) = 0 [ 140.810629][ T3949] loop0: detected capacity change from 0 to 32768 [ 140.819996][ T3949] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 140.828515][ T3949] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 140.837881][ T3949] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 140.847207][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 140.854115][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3949] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3949] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3949] chdir("./file0") = 0 [pid 3949] ioctl(4, LOOP_CLR_FD) = 0 [pid 3949] close(4) = 0 [pid 3949] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3948] <... futex resumed>) = 0 [pid 3948] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3948] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3949] <... futex resumed>) = 1 [pid 3949] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3949] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3948] <... futex resumed>) = 0 [pid 3948] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3948] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3949] <... futex resumed>) = 1 [ 140.888260][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 140.896001][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 140.901511][ T3949] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 140.914893][ T3949] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 140.923339][ T3949] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 140.923339][ T3949] inode = 12 2341 [pid 3949] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3948] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3948] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3948] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3948] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3948] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3950], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3950 [pid 3948] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3950 attached [pid 3950] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 140.923339][ T3949] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 140.942472][ T3949] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 140.951988][ T3949] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3949 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 140.962535][ T3949] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 140.967536][ T3950] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 140.979416][ T3950] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 140.979416][ T3950] inode = 12 2341 [ 140.979416][ T3950] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 140.979791][ T3949] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 140.998535][ T3950] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 141.006113][ T3949] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 141.014715][ T3950] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3949 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 141.023457][ T3949] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 141.033449][ T3950] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3950 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 141.041627][ T3949] gfs2: fsid=syz:syz.0: File system withdrawn [ 141.049906][ T3950] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 141.055932][ T3949] CPU: 1 PID: 3949 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 141.074642][ T3949] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 141.084707][ T3949] Call Trace: [ 141.087991][ T3949] [ 141.090919][ T3949] dump_stack_lvl+0x1b1/0x28e [ 141.095605][ T3949] ? nf_tcp_handle_invalid+0x62e/0x62e [ 141.101059][ T3949] ? panic+0x710/0x710 [ 141.105135][ T3949] ? kobject_uevent_env+0x46b/0x8e0 [ 141.110325][ T3949] ? do_raw_spin_unlock+0x134/0x8a0 [ 141.115518][ T3949] gfs2_withdraw+0xf33/0x1540 [ 141.120282][ T3949] ? gfs2_lm+0x220/0x220 [ 141.124511][ T3949] ? gfs2_dirent_scan+0xb6/0x650 [ 141.129437][ T3949] ? panic+0x710/0x710 [ 141.133496][ T3949] ? gfs2_permission+0x2ff/0x430 [pid 3950] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3948] exit_group(0) = ? [ 141.138424][ T3949] ? gfs2_consist_inode_i+0xf3/0x110 [ 141.143700][ T3949] gfs2_dirent_scan+0x535/0x650 [ 141.148548][ T3949] ? gfs2_dirent_search+0xb10/0xb10 [ 141.153740][ T3949] gfs2_dirent_search+0x2ea/0xb10 [ 141.158783][ T3949] ? gfs2_dirent_search+0xb10/0xb10 [ 141.163972][ T3949] ? gfs2_dir_search+0x2a0/0x2a0 [ 141.168909][ T3949] ? gfs2_permission+0x3bf/0x430 [ 141.173842][ T3949] gfs2_dir_search+0x8c/0x2a0 [ 141.178515][ T3949] ? do_filldir_main+0x530/0x530 [ 141.183443][ T3949] ? inode_go_held+0xe4/0x1f0 [ 141.188126][ T3949] ? gfs2_glock_wait+0x213/0x2a0 [ 141.193069][ T3949] gfs2_lookupi+0x465/0x650 [ 141.197570][ T3949] ? gfs2_lookup_simple+0x170/0x170 [ 141.202780][ T3949] ? __gfs2_lookup+0x8c/0x260 [ 141.207450][ T3949] __gfs2_lookup+0x8c/0x260 [ 141.211946][ T3949] ? gfs2_atomic_open+0x230/0x230 [ 141.216957][ T3949] ? __d_lookup+0x6a4/0x770 [ 141.221442][ T3949] ? d_hash_and_lookup+0x1c0/0x1c0 [ 141.226540][ T3949] gfs2_atomic_open+0xa4/0x230 [ 141.231298][ T3949] path_openat+0xf39/0x2df0 [ 141.235788][ T3949] ? gfs2_rename2+0x3000/0x3000 [ 141.240633][ T3949] ? do_filp_open+0x4f0/0x4f0 [ 141.245304][ T3949] do_filp_open+0x264/0x4f0 [ 141.249789][ T3949] ? vfs_tmpfile+0x490/0x490 [ 141.254369][ T3949] ? do_raw_spin_unlock+0x134/0x8a0 [ 141.259555][ T3949] ? _raw_spin_unlock+0x24/0x40 [ 141.264390][ T3949] ? alloc_fd+0x5a7/0x640 [ 141.268711][ T3949] do_sys_openat2+0x124/0x4e0 [ 141.273386][ T3949] ? print_irqtrace_events+0x220/0x220 [ 141.278834][ T3949] ? ptrace_stop+0x74d/0x970 [ 141.283414][ T3949] ? do_sys_open+0x220/0x220 [ 141.287986][ T3949] ? lockdep_hardirqs_on+0x8d/0x130 [ 141.293169][ T3949] ? _raw_spin_unlock_irq+0x2a/0x40 [ 141.298722][ T3949] ? ptrace_notify+0x245/0x340 [ 141.303472][ T3949] __x64_sys_openat+0x243/0x290 [ 141.308309][ T3949] ? __ia32_sys_open+0x270/0x270 [ 141.313230][ T3949] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 141.319203][ T3949] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 141.325170][ T3949] do_syscall_64+0x3d/0xb0 [ 141.329570][ T3949] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 141.335448][ T3949] RIP: 0033:0x7fc8868064d9 [ 141.339853][ T3949] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 141.359451][ T3949] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 141.367875][ T3949] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 141.375835][ T3949] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3949] <... openat resumed>) = ? [pid 3949] +++ exited with 0 +++ [pid 3950] <... openat resumed>) = ? [pid 3950] +++ exited with 0 +++ [pid 3948] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3948, si_uid=0, si_status=0, si_utime=2, si_stime=39} --- umount2("./103", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./103", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./103/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./103/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./103/binderfs") = 0 [ 141.383808][ T3949] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 141.391765][ T3949] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 141.399742][ T3949] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 141.407730][ T3949] umount2("./103/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./103/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./103/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./103/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./103/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./103/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./103") = 0 mkdir("./104", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3951 ./strace-static-x86_64: Process 3951 attached [pid 3951] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3951] chdir("./104") = 0 [pid 3951] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3951] setpgid(0, 0) = 0 [pid 3951] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3951] write(3, "1000", 4) = 4 [pid 3951] close(3) = 0 [pid 3951] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3951] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3951] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3951] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3951] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3952 attached , parent_tid=[3952], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3952 [pid 3952] set_robust_list(0x7fc8867b29e0, 24 [pid 3951] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3952] <... set_robust_list resumed>) = 0 [pid 3951] <... futex resumed>) = 0 [pid 3951] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3952] memfd_create("syzkaller", 0) = 3 [pid 3952] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3952] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3952] munmap(0x7fc87e392000, 16777216) = 0 [pid 3952] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3952] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3952] close(3) = 0 [pid 3952] mkdir("./file0", 0777) = 0 [ 141.713863][ T3952] loop0: detected capacity change from 0 to 32768 [ 141.725601][ T3952] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 141.734129][ T3952] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 141.744035][ T3952] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 141.753061][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 141.759899][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3952] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3952] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3952] chdir("./file0") = 0 [pid 3952] ioctl(4, LOOP_CLR_FD) = 0 [pid 3952] close(4) = 0 [pid 3952] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3951] <... futex resumed>) = 0 [pid 3951] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3951] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3952] <... futex resumed>) = 1 [pid 3952] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3952] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3951] <... futex resumed>) = 0 [pid 3951] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3951] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3952] <... futex resumed>) = 1 [ 141.799447][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 141.808355][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 141.813693][ T3952] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3952] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3951] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3951] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3951] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [ 141.839887][ T3952] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 141.848983][ T3952] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 141.848983][ T3952] inode = 12 2341 [ 141.848983][ T3952] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 141.868351][ T3952] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 141.877757][ T3952] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3952 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3951] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3951] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3953], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3953 [pid 3951] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3953 attached [pid 3953] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3953] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3953] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 141.888374][ T3952] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 141.896898][ T3952] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 141.904142][ T3952] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 141.912986][ T3952] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 141.921085][ T3952] gfs2: fsid=syz:syz.0: File system withdrawn [ 141.927168][ T3952] CPU: 0 PID: 3952 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 141.937573][ T3952] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 141.947636][ T3952] Call Trace: [ 141.950911][ T3952] [ 141.953831][ T3952] dump_stack_lvl+0x1b1/0x28e [ 141.958501][ T3952] ? nf_tcp_handle_invalid+0x62e/0x62e [ 141.963949][ T3952] ? panic+0x710/0x710 [ 141.968013][ T3952] ? kobject_uevent_env+0x46b/0x8e0 [ 141.973287][ T3952] ? do_raw_spin_unlock+0x134/0x8a0 [ 141.978502][ T3952] gfs2_withdraw+0xf33/0x1540 [ 141.983206][ T3952] ? gfs2_lm+0x220/0x220 [pid 3953] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3951] exit_group(0 [pid 3953] <... futex resumed>) = ? [pid 3951] <... exit_group resumed>) = ? [pid 3953] +++ exited with 0 +++ [ 141.987444][ T3952] ? gfs2_dirent_scan+0xb6/0x650 [ 141.992392][ T3952] ? panic+0x710/0x710 [ 141.996449][ T3952] ? gfs2_permission+0x2ff/0x430 [ 142.001378][ T3952] ? gfs2_consist_inode_i+0xf3/0x110 [ 142.006666][ T3952] gfs2_dirent_scan+0x535/0x650 [ 142.011530][ T3952] ? gfs2_dirent_search+0xb10/0xb10 [ 142.016735][ T3952] gfs2_dirent_search+0x2ea/0xb10 [ 142.021774][ T3952] ? gfs2_dirent_search+0xb10/0xb10 [ 142.026978][ T3952] ? gfs2_dir_search+0x2a0/0x2a0 [ 142.031930][ T3952] ? gfs2_permission+0x3bf/0x430 [ 142.036868][ T3952] gfs2_dir_search+0x8c/0x2a0 [ 142.041542][ T3952] ? do_filldir_main+0x530/0x530 [ 142.046469][ T3952] ? inode_go_held+0xe4/0x1f0 [ 142.051139][ T3952] ? gfs2_glock_wait+0x213/0x2a0 [ 142.056068][ T3952] gfs2_lookupi+0x465/0x650 [ 142.060565][ T3952] ? gfs2_lookup_simple+0x170/0x170 [ 142.065754][ T3952] ? __gfs2_lookup+0x8c/0x260 [ 142.070424][ T3952] __gfs2_lookup+0x8c/0x260 [ 142.074951][ T3952] ? gfs2_atomic_open+0x230/0x230 [ 142.080090][ T3952] ? __d_lookup+0x6a4/0x770 [ 142.084607][ T3952] ? d_hash_and_lookup+0x1c0/0x1c0 [ 142.089727][ T3952] gfs2_atomic_open+0xa4/0x230 [ 142.094491][ T3952] path_openat+0xf39/0x2df0 [ 142.098988][ T3952] ? gfs2_rename2+0x3000/0x3000 [ 142.103855][ T3952] ? do_filp_open+0x4f0/0x4f0 [ 142.108550][ T3952] do_filp_open+0x264/0x4f0 [ 142.113043][ T3952] ? vfs_tmpfile+0x490/0x490 [ 142.117642][ T3952] ? do_raw_spin_unlock+0x134/0x8a0 [ 142.122851][ T3952] ? _raw_spin_unlock+0x24/0x40 [ 142.127696][ T3952] ? alloc_fd+0x5a7/0x640 [ 142.132022][ T3952] do_sys_openat2+0x124/0x4e0 [ 142.136690][ T3952] ? print_irqtrace_events+0x220/0x220 [ 142.142136][ T3952] ? ptrace_stop+0x74d/0x970 [ 142.146730][ T3952] ? do_sys_open+0x220/0x220 [ 142.151322][ T3952] ? lockdep_hardirqs_on+0x8d/0x130 [ 142.156508][ T3952] ? _raw_spin_unlock_irq+0x2a/0x40 [ 142.161718][ T3952] ? ptrace_notify+0x245/0x340 [ 142.166501][ T3952] __x64_sys_openat+0x243/0x290 [ 142.172492][ T3952] ? __ia32_sys_open+0x270/0x270 [ 142.177440][ T3952] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 142.183419][ T3952] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 142.189409][ T3952] do_syscall_64+0x3d/0xb0 [ 142.193818][ T3952] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 142.199704][ T3952] RIP: 0033:0x7fc8868064d9 [ 142.204112][ T3952] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 142.224074][ T3952] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 142.232566][ T3952] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3952] <... openat resumed>) = ? [pid 3952] +++ exited with 0 +++ [pid 3951] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3951, si_uid=0, si_status=0, si_utime=2, si_stime=27} --- umount2("./104", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./104", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./104/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./104/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./104/binderfs") = 0 [ 142.240529][ T3952] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 142.248493][ T3952] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 142.256466][ T3952] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 142.264442][ T3952] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 142.272432][ T3952] umount2("./104/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./104/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./104/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./104/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./104/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./104/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./104") = 0 mkdir("./105", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3954 ./strace-static-x86_64: Process 3954 attached [pid 3954] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3954] chdir("./105") = 0 [pid 3954] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3954] setpgid(0, 0) = 0 [pid 3954] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3954] write(3, "1000", 4) = 4 [pid 3954] close(3) = 0 [pid 3954] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3954] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3954] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3954] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3954] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3955], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3955 [pid 3954] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3954] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3955 attached [pid 3955] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3955] memfd_create("syzkaller", 0) = 3 [pid 3955] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3955] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3955] munmap(0x7fc87e392000, 16777216) = 0 [pid 3955] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3955] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3955] close(3) = 0 [pid 3955] mkdir("./file0", 0777) = 0 [ 142.555360][ T3955] loop0: detected capacity change from 0 to 32768 [ 142.566356][ T3955] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 142.574583][ T3955] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 142.584304][ T3955] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 142.592982][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 142.599751][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3955] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3955] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3955] chdir("./file0") = 0 [pid 3955] ioctl(4, LOOP_CLR_FD) = 0 [pid 3955] close(4) = 0 [pid 3955] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3954] <... futex resumed>) = 0 [pid 3954] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3954] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3955] <... futex resumed>) = 1 [pid 3955] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3955] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3954] <... futex resumed>) = 0 [pid 3954] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3954] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3955] <... futex resumed>) = 1 [ 142.633886][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 142.642178][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 142.647449][ T3955] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 142.664889][ T3955] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 142.673738][ T3955] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3955] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3954] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 142.673738][ T3955] inode = 12 2341 [ 142.673738][ T3955] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 142.692434][ T3955] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 142.701542][ T3955] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3955 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 142.713442][ T3955] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 142.721994][ T3955] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3954] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3954] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3954] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3954] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3956], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3956 [pid 3954] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3956 attached [pid 3956] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3956] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3956] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 142.729586][ T3955] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 142.738643][ T3955] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 142.746663][ T3955] gfs2: fsid=syz:syz.0: File system withdrawn [ 142.753060][ T3955] CPU: 1 PID: 3955 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 142.763502][ T3955] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 142.773619][ T3955] Call Trace: [ 142.776915][ T3955] [ 142.779860][ T3955] dump_stack_lvl+0x1b1/0x28e [ 142.784548][ T3955] ? nf_tcp_handle_invalid+0x62e/0x62e [ 142.790012][ T3955] ? panic+0x710/0x710 [ 142.794089][ T3955] ? kobject_uevent_env+0x46b/0x8e0 [ 142.799296][ T3955] ? do_raw_spin_unlock+0x134/0x8a0 [ 142.804492][ T3955] gfs2_withdraw+0xf33/0x1540 [ 142.809180][ T3955] ? gfs2_lm+0x220/0x220 [ 142.813432][ T3955] ? gfs2_dirent_scan+0xb6/0x650 [ 142.818384][ T3955] ? panic+0x710/0x710 [ 142.822489][ T3955] ? gfs2_permission+0x2ff/0x430 [ 142.827455][ T3955] ? gfs2_consist_inode_i+0xf3/0x110 [ 142.832749][ T3955] gfs2_dirent_scan+0x535/0x650 [ 142.837620][ T3955] ? gfs2_dirent_search+0xb10/0xb10 [ 142.842842][ T3955] gfs2_dirent_search+0x2ea/0xb10 [ 142.847870][ T3955] ? gfs2_dirent_search+0xb10/0xb10 [ 142.853073][ T3955] ? gfs2_dir_search+0x2a0/0x2a0 [ 142.858009][ T3955] ? gfs2_permission+0x3bf/0x430 [ 142.862973][ T3955] gfs2_dir_search+0x8c/0x2a0 [ 142.867681][ T3955] ? do_filldir_main+0x530/0x530 [ 142.872644][ T3955] ? inode_go_held+0xe4/0x1f0 [ 142.877344][ T3955] ? gfs2_glock_wait+0x213/0x2a0 [ 142.883255][ T3955] gfs2_lookupi+0x465/0x650 [ 142.887776][ T3955] ? gfs2_lookup_simple+0x170/0x170 [ 142.892976][ T3955] ? __gfs2_lookup+0x8c/0x260 [ 142.897656][ T3955] __gfs2_lookup+0x8c/0x260 [ 142.902156][ T3955] ? gfs2_atomic_open+0x230/0x230 [ 142.907194][ T3955] ? __d_lookup+0x6a4/0x770 [ 142.911703][ T3955] ? d_hash_and_lookup+0x1c0/0x1c0 [ 142.916808][ T3955] gfs2_atomic_open+0xa4/0x230 [ 142.921571][ T3955] path_openat+0xf39/0x2df0 [ 142.926075][ T3955] ? gfs2_rename2+0x3000/0x3000 [ 142.930929][ T3955] ? do_filp_open+0x4f0/0x4f0 [ 142.935609][ T3955] do_filp_open+0x264/0x4f0 [ 142.940106][ T3955] ? vfs_tmpfile+0x490/0x490 [ 142.944698][ T3955] ? do_raw_spin_unlock+0x134/0x8a0 [ 142.949896][ T3955] ? _raw_spin_unlock+0x24/0x40 [ 142.954743][ T3955] ? alloc_fd+0x5a7/0x640 [ 142.959074][ T3955] do_sys_openat2+0x124/0x4e0 [ 142.963749][ T3955] ? print_irqtrace_events+0x220/0x220 [ 142.969199][ T3955] ? ptrace_stop+0x74d/0x970 [ 142.973787][ T3955] ? do_sys_open+0x220/0x220 [ 142.978369][ T3955] ? lockdep_hardirqs_on+0x8d/0x130 [ 142.983560][ T3955] ? _raw_spin_unlock_irq+0x2a/0x40 [ 142.988755][ T3955] ? ptrace_notify+0x245/0x340 [ 142.993510][ T3955] __x64_sys_openat+0x243/0x290 [ 142.998358][ T3955] ? __ia32_sys_open+0x270/0x270 [ 143.003295][ T3955] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 143.009268][ T3955] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 143.015250][ T3955] do_syscall_64+0x3d/0xb0 [ 143.019661][ T3955] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 143.025550][ T3955] RIP: 0033:0x7fc8868064d9 [ 143.029959][ T3955] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 143.049560][ T3955] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 143.057970][ T3955] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 143.065935][ T3955] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 143.073898][ T3955] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3956] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3955] <... openat resumed>) = -1 EIO (Input/output error) [pid 3955] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3955] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3954] exit_group(0 [pid 3956] <... futex resumed>) = ? [pid 3955] <... futex resumed>) = ? [pid 3954] <... exit_group resumed>) = ? [pid 3955] +++ exited with 0 +++ [pid 3956] +++ exited with 0 +++ [pid 3954] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3954, si_uid=0, si_status=0, si_utime=3, si_stime=28} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./105", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./105", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./105/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./105/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./105/binderfs") = 0 [ 143.081857][ T3955] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 143.089842][ T3955] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 143.097817][ T3955] umount2("./105/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./105/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./105/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./105/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./105/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./105/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./105") = 0 mkdir("./106", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3957 ./strace-static-x86_64: Process 3957 attached [pid 3957] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3957] chdir("./106") = 0 [pid 3957] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3957] setpgid(0, 0) = 0 [pid 3957] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3957] write(3, "1000", 4) = 4 [pid 3957] close(3) = 0 [pid 3957] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3957] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3957] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3957] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3957] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3958 attached , parent_tid=[3958], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3958 [pid 3958] set_robust_list(0x7fc8867b29e0, 24 [pid 3957] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3958] <... set_robust_list resumed>) = 0 [pid 3957] <... futex resumed>) = 0 [pid 3957] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3958] memfd_create("syzkaller", 0) = 3 [pid 3958] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3958] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3958] munmap(0x7fc87e392000, 16777216) = 0 [pid 3958] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3958] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3958] close(3) = 0 [pid 3958] mkdir("./file0", 0777) = 0 [ 143.388078][ T3958] loop0: detected capacity change from 0 to 32768 [ 143.397852][ T3958] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 143.406084][ T3958] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 143.416078][ T3958] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 143.424877][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 143.432005][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3958] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3958] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3958] chdir("./file0") = 0 [pid 3958] ioctl(4, LOOP_CLR_FD) = 0 [pid 3958] close(4) = 0 [pid 3958] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3957] <... futex resumed>) = 0 [pid 3957] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3957] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3958] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3958] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3957] <... futex resumed>) = 0 [pid 3957] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3958] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3957] <... futex resumed>) = 0 [ 143.468321][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 143.477129][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 143.482446][ T3958] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 143.508590][ T3958] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 143.517097][ T3958] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 143.517097][ T3958] inode = 12 2341 [ 143.517097][ T3958] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 143.536018][ T3958] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 143.545369][ T3958] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3958 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3957] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3957] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3957] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3957] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3957] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3959], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3959 [pid 3957] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3959 attached [pid 3959] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3959] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3959] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 143.555678][ T3958] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 143.564529][ T3958] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 143.571901][ T3958] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 143.580907][ T3958] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 143.588759][ T3958] gfs2: fsid=syz:syz.0: File system withdrawn [ 143.594996][ T3958] CPU: 0 PID: 3958 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 143.605415][ T3958] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 143.615474][ T3958] Call Trace: [ 143.618768][ T3958] [ 143.621697][ T3958] dump_stack_lvl+0x1b1/0x28e [ 143.626373][ T3958] ? nf_tcp_handle_invalid+0x62e/0x62e [ 143.631824][ T3958] ? panic+0x710/0x710 [ 143.635882][ T3958] ? kobject_uevent_env+0x46b/0x8e0 [ 143.641082][ T3958] ? do_raw_spin_unlock+0x134/0x8a0 [ 143.646285][ T3958] gfs2_withdraw+0xf33/0x1540 [ 143.650975][ T3958] ? gfs2_lm+0x220/0x220 [pid 3959] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3957] exit_group(0 [pid 3959] <... futex resumed>) = ? [pid 3957] <... exit_group resumed>) = ? [pid 3959] +++ exited with 0 +++ [ 143.655205][ T3958] ? gfs2_dirent_scan+0xb6/0x650 [ 143.660131][ T3958] ? panic+0x710/0x710 [ 143.664183][ T3958] ? gfs2_permission+0x2ff/0x430 [ 143.669177][ T3958] ? gfs2_consist_inode_i+0xf3/0x110 [ 143.674468][ T3958] gfs2_dirent_scan+0x535/0x650 [ 143.679333][ T3958] ? gfs2_dirent_search+0xb10/0xb10 [ 143.684548][ T3958] gfs2_dirent_search+0x2ea/0xb10 [ 143.689569][ T3958] ? gfs2_dirent_search+0xb10/0xb10 [ 143.694761][ T3958] ? gfs2_dir_search+0x2a0/0x2a0 [ 143.699696][ T3958] ? gfs2_permission+0x3bf/0x430 [ 143.704665][ T3958] gfs2_dir_search+0x8c/0x2a0 [ 143.709371][ T3958] ? do_filldir_main+0x530/0x530 [ 143.714324][ T3958] ? inode_go_held+0xe4/0x1f0 [ 143.719007][ T3958] ? gfs2_glock_wait+0x213/0x2a0 [ 143.723951][ T3958] gfs2_lookupi+0x465/0x650 [ 143.728464][ T3958] ? gfs2_lookup_simple+0x170/0x170 [ 143.733669][ T3958] ? __gfs2_lookup+0x8c/0x260 [ 143.738354][ T3958] __gfs2_lookup+0x8c/0x260 [ 143.742857][ T3958] ? gfs2_atomic_open+0x230/0x230 [ 143.747890][ T3958] ? __d_lookup+0x6a4/0x770 [ 143.752395][ T3958] ? d_hash_and_lookup+0x1c0/0x1c0 [ 143.757506][ T3958] gfs2_atomic_open+0xa4/0x230 [ 143.762279][ T3958] path_openat+0xf39/0x2df0 [ 143.766777][ T3958] ? gfs2_rename2+0x3000/0x3000 [ 143.771626][ T3958] ? do_filp_open+0x4f0/0x4f0 [ 143.776318][ T3958] do_filp_open+0x264/0x4f0 [ 143.780824][ T3958] ? vfs_tmpfile+0x490/0x490 [ 143.785423][ T3958] ? do_raw_spin_unlock+0x134/0x8a0 [ 143.790623][ T3958] ? _raw_spin_unlock+0x24/0x40 [ 143.795466][ T3958] ? alloc_fd+0x5a7/0x640 [ 143.799789][ T3958] do_sys_openat2+0x124/0x4e0 [ 143.804545][ T3958] ? print_irqtrace_events+0x220/0x220 [ 143.809992][ T3958] ? ptrace_stop+0x74d/0x970 [ 143.814576][ T3958] ? do_sys_open+0x220/0x220 [ 143.819155][ T3958] ? lockdep_hardirqs_on+0x8d/0x130 [ 143.824341][ T3958] ? _raw_spin_unlock_irq+0x2a/0x40 [ 143.829529][ T3958] ? ptrace_notify+0x245/0x340 [ 143.834282][ T3958] __x64_sys_openat+0x243/0x290 [ 143.839123][ T3958] ? __ia32_sys_open+0x270/0x270 [ 143.844071][ T3958] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 143.850063][ T3958] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 143.856094][ T3958] do_syscall_64+0x3d/0xb0 [ 143.860505][ T3958] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 143.866395][ T3958] RIP: 0033:0x7fc8868064d9 [ 143.870802][ T3958] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 143.890410][ T3958] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 143.898843][ T3958] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3958] <... openat resumed>) = ? [pid 3958] +++ exited with 0 +++ [pid 3957] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3957, si_uid=0, si_status=0, si_utime=0, si_stime=30} --- umount2("./106", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./106", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./106/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./106/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./106/binderfs") = 0 [ 143.906818][ T3958] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 143.914797][ T3958] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 143.922756][ T3958] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 143.930717][ T3958] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 143.938707][ T3958] umount2("./106/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./106/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./106/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./106/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./106/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./106/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./106") = 0 mkdir("./107", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3960 ./strace-static-x86_64: Process 3960 attached [pid 3960] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3960] chdir("./107") = 0 [pid 3960] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3960] setpgid(0, 0) = 0 [pid 3960] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3960] write(3, "1000", 4) = 4 [pid 3960] close(3) = 0 [pid 3960] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3960] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3960] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3960] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3960] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3961], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3961 [pid 3960] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3960] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3961 attached [pid 3961] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3961] memfd_create("syzkaller", 0) = 3 [pid 3961] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3961] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3961] munmap(0x7fc87e392000, 16777216) = 0 [pid 3961] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3961] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3961] close(3) = 0 [pid 3961] mkdir("./file0", 0777) = 0 [ 144.227408][ T3961] loop0: detected capacity change from 0 to 32768 [ 144.238622][ T3961] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 144.248989][ T3961] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 144.258936][ T3961] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 144.267792][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 144.274776][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3961] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3961] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3961] chdir("./file0") = 0 [pid 3961] ioctl(4, LOOP_CLR_FD) = 0 [pid 3961] close(4) = 0 [pid 3961] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3960] <... futex resumed>) = 0 [pid 3960] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3960] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3961] <... futex resumed>) = 1 [pid 3961] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3961] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3960] <... futex resumed>) = 0 [pid 3960] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3960] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3961] <... futex resumed>) = 1 [ 144.308096][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 144.317450][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 144.322889][ T3961] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 3961] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3960] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3960] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 3960] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 144.351182][ T3961] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 144.359940][ T3961] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 144.359940][ T3961] inode = 12 2341 [ 144.359940][ T3961] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 144.379298][ T3961] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 144.388743][ T3961] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3961 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3960] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3960] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3960] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3962], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3962 [pid 3960] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3962 attached [pid 3962] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3962] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3962] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 144.399650][ T3961] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 144.408377][ T3961] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 144.416226][ T3961] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 144.425057][ T3961] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 144.432714][ T3961] gfs2: fsid=syz:syz.0: File system withdrawn [ 144.439126][ T3961] CPU: 0 PID: 3961 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 144.449532][ T3961] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 144.459641][ T3961] Call Trace: [ 144.462908][ T3961] [ 144.465823][ T3961] dump_stack_lvl+0x1b1/0x28e [ 144.470490][ T3961] ? nf_tcp_handle_invalid+0x62e/0x62e [ 144.475930][ T3961] ? panic+0x710/0x710 [ 144.479985][ T3961] ? kobject_uevent_env+0x46b/0x8e0 [ 144.485170][ T3961] ? do_raw_spin_unlock+0x134/0x8a0 [ 144.490359][ T3961] gfs2_withdraw+0xf33/0x1540 [ 144.495030][ T3961] ? gfs2_lm+0x220/0x220 [ 144.499251][ T3961] ? gfs2_dirent_scan+0xb6/0x650 [ 144.504180][ T3961] ? panic+0x710/0x710 [ 144.508228][ T3961] ? gfs2_permission+0x2ff/0x430 [ 144.513155][ T3961] ? gfs2_consist_inode_i+0xf3/0x110 [ 144.518433][ T3961] gfs2_dirent_scan+0x535/0x650 [ 144.523271][ T3961] ? gfs2_dirent_search+0xb10/0xb10 [ 144.528456][ T3961] gfs2_dirent_search+0x2ea/0xb10 [ 144.533470][ T3961] ? gfs2_dirent_search+0xb10/0xb10 [ 144.538654][ T3961] ? gfs2_dir_search+0x2a0/0x2a0 [ 144.543575][ T3961] ? gfs2_permission+0x3bf/0x430 [ 144.548499][ T3961] gfs2_dir_search+0x8c/0x2a0 [ 144.553170][ T3961] ? do_filldir_main+0x530/0x530 [ 144.558182][ T3961] ? inode_go_held+0xe4/0x1f0 [ 144.562845][ T3961] ? gfs2_glock_wait+0x213/0x2a0 [ 144.567766][ T3961] gfs2_lookupi+0x465/0x650 [ 144.572260][ T3961] ? gfs2_lookup_simple+0x170/0x170 [ 144.577444][ T3961] ? __gfs2_lookup+0x8c/0x260 [ 144.582112][ T3961] __gfs2_lookup+0x8c/0x260 [ 144.586616][ T3961] ? gfs2_atomic_open+0x230/0x230 [ 144.591628][ T3961] ? __d_lookup+0x6a4/0x770 [ 144.596116][ T3961] ? d_hash_and_lookup+0x1c0/0x1c0 [ 144.601222][ T3961] gfs2_atomic_open+0xa4/0x230 [ 144.605998][ T3961] path_openat+0xf39/0x2df0 [ 144.610501][ T3961] ? gfs2_rename2+0x3000/0x3000 [ 144.615361][ T3961] ? do_filp_open+0x4f0/0x4f0 [ 144.620045][ T3961] do_filp_open+0x264/0x4f0 [ 144.624545][ T3961] ? vfs_tmpfile+0x490/0x490 [ 144.629128][ T3961] ? do_raw_spin_unlock+0x134/0x8a0 [ 144.634315][ T3961] ? _raw_spin_unlock+0x24/0x40 [ 144.639152][ T3961] ? alloc_fd+0x5a7/0x640 [ 144.643473][ T3961] do_sys_openat2+0x124/0x4e0 [ 144.648140][ T3961] ? print_irqtrace_events+0x220/0x220 [ 144.653587][ T3961] ? ptrace_stop+0x74d/0x970 [ 144.658512][ T3961] ? do_sys_open+0x220/0x220 [ 144.663086][ T3961] ? lockdep_hardirqs_on+0x8d/0x130 [ 144.668274][ T3961] ? _raw_spin_unlock_irq+0x2a/0x40 [ 144.673482][ T3961] ? ptrace_notify+0x245/0x340 [ 144.678232][ T3961] __x64_sys_openat+0x243/0x290 [ 144.683081][ T3961] ? __ia32_sys_open+0x270/0x270 [ 144.688008][ T3961] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 144.693978][ T3961] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 144.699947][ T3961] do_syscall_64+0x3d/0xb0 [ 144.704348][ T3961] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 144.710225][ T3961] RIP: 0033:0x7fc8868064d9 [ 144.714627][ T3961] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 144.734244][ T3961] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 144.742653][ T3961] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3962] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3961] <... openat resumed>) = -1 EIO (Input/output error) [pid 3961] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3961] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3960] exit_group(0 [pid 3962] <... futex resumed>) = ? [pid 3960] <... exit_group resumed>) = ? [pid 3962] +++ exited with 0 +++ [pid 3961] <... futex resumed>) = ? [pid 3961] +++ exited with 0 +++ [pid 3960] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3960, si_uid=0, si_status=0, si_utime=2, si_stime=29} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./107", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./107", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./107/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./107/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./107/binderfs") = 0 [ 144.750619][ T3961] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 144.758601][ T3961] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 144.766580][ T3961] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 144.774539][ T3961] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 144.782512][ T3961] umount2("./107/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./107/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./107/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./107/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./107/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./107/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./107") = 0 mkdir("./108", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3963 ./strace-static-x86_64: Process 3963 attached [pid 3963] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3963] chdir("./108") = 0 [pid 3963] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3963] setpgid(0, 0) = 0 [pid 3963] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3963] write(3, "1000", 4) = 4 [pid 3963] close(3) = 0 [pid 3963] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3963] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3963] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3963] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3963] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3964 attached [pid 3964] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3964] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3963] <... clone resumed>, parent_tid=[3964], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3964 [pid 3963] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3964] <... futex resumed>) = 0 [pid 3963] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3964] memfd_create("syzkaller", 0) = 3 [pid 3964] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3964] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3964] munmap(0x7fc87e392000, 16777216) = 0 [pid 3964] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3964] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3964] close(3) = 0 [pid 3964] mkdir("./file0", 0777) = 0 [ 145.100451][ T3964] loop0: detected capacity change from 0 to 32768 [ 145.109887][ T3964] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 145.118230][ T3964] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 145.127727][ T3964] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 145.138106][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 145.145303][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3964] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3964] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3964] chdir("./file0") = 0 [pid 3964] ioctl(4, LOOP_CLR_FD) = 0 [pid 3964] close(4) = 0 [pid 3964] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3963] <... futex resumed>) = 0 [pid 3963] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3963] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3964] <... futex resumed>) = 1 [pid 3964] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3964] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3963] <... futex resumed>) = 0 [pid 3963] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3963] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3964] <... futex resumed>) = 1 [ 145.182464][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 145.190682][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 145.195956][ T3964] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 145.218204][ T3964] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3964] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3963] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3963] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3963] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3963] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3963] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3965], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3965 [pid 3963] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3965 attached [pid 3965] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3965] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3965] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 145.227109][ T3964] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 145.227109][ T3964] inode = 12 2341 [ 145.227109][ T3964] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 145.246098][ T3964] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 145.255625][ T3964] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3964 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 145.265732][ T3964] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 145.274242][ T3964] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 145.281517][ T3964] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 145.290384][ T3964] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 145.298322][ T3964] gfs2: fsid=syz:syz.0: File system withdrawn [ 145.304547][ T3964] CPU: 0 PID: 3964 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 145.314977][ T3964] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 145.325040][ T3964] Call Trace: [ 145.328307][ T3964] [ 145.331227][ T3964] dump_stack_lvl+0x1b1/0x28e [ 145.335908][ T3964] ? nf_tcp_handle_invalid+0x62e/0x62e [ 145.341408][ T3964] ? panic+0x710/0x710 [ 145.345489][ T3964] ? kobject_uevent_env+0x46b/0x8e0 [ 145.350709][ T3964] ? do_raw_spin_unlock+0x134/0x8a0 [ 145.355902][ T3964] gfs2_withdraw+0xf33/0x1540 [ 145.360579][ T3964] ? gfs2_lm+0x220/0x220 [ 145.364813][ T3964] ? gfs2_dirent_scan+0xb6/0x650 [ 145.369753][ T3964] ? panic+0x710/0x710 [ 145.373829][ T3964] ? gfs2_permission+0x2ff/0x430 [pid 3965] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3963] exit_group(0 [pid 3965] <... futex resumed>) = ? [pid 3963] <... exit_group resumed>) = ? [pid 3965] +++ exited with 0 +++ [ 145.378777][ T3964] ? gfs2_consist_inode_i+0xf3/0x110 [ 145.384056][ T3964] gfs2_dirent_scan+0x535/0x650 [ 145.388915][ T3964] ? gfs2_dirent_search+0xb10/0xb10 [ 145.394106][ T3964] gfs2_dirent_search+0x2ea/0xb10 [ 145.399136][ T3964] ? gfs2_dirent_search+0xb10/0xb10 [ 145.404366][ T3964] ? gfs2_dir_search+0x2a0/0x2a0 [ 145.409332][ T3964] ? gfs2_permission+0x3bf/0x430 [ 145.414284][ T3964] gfs2_dir_search+0x8c/0x2a0 [ 145.418965][ T3964] ? do_filldir_main+0x530/0x530 [ 145.423912][ T3964] ? inode_go_held+0xe4/0x1f0 [ 145.428602][ T3964] ? gfs2_glock_wait+0x213/0x2a0 [ 145.433543][ T3964] gfs2_lookupi+0x465/0x650 [ 145.438055][ T3964] ? gfs2_lookup_simple+0x170/0x170 [ 145.443260][ T3964] ? __gfs2_lookup+0x8c/0x260 [ 145.447943][ T3964] __gfs2_lookup+0x8c/0x260 [ 145.452443][ T3964] ? gfs2_atomic_open+0x230/0x230 [ 145.457473][ T3964] ? __d_lookup+0x6a4/0x770 [ 145.461978][ T3964] ? d_hash_and_lookup+0x1c0/0x1c0 [ 145.467093][ T3964] gfs2_atomic_open+0xa4/0x230 [ 145.471870][ T3964] path_openat+0xf39/0x2df0 [ 145.476371][ T3964] ? gfs2_rename2+0x3000/0x3000 [ 145.481223][ T3964] ? do_filp_open+0x4f0/0x4f0 [ 145.485899][ T3964] do_filp_open+0x264/0x4f0 [ 145.490402][ T3964] ? vfs_tmpfile+0x490/0x490 [ 145.495000][ T3964] ? do_raw_spin_unlock+0x134/0x8a0 [ 145.500204][ T3964] ? _raw_spin_unlock+0x24/0x40 [ 145.505063][ T3964] ? alloc_fd+0x5a7/0x640 [ 145.509388][ T3964] do_sys_openat2+0x124/0x4e0 [ 145.514055][ T3964] ? print_irqtrace_events+0x220/0x220 [ 145.519500][ T3964] ? ptrace_stop+0x74d/0x970 [ 145.524084][ T3964] ? do_sys_open+0x220/0x220 [ 145.528663][ T3964] ? lockdep_hardirqs_on+0x8d/0x130 [ 145.533855][ T3964] ? _raw_spin_unlock_irq+0x2a/0x40 [ 145.539043][ T3964] ? ptrace_notify+0x245/0x340 [ 145.543797][ T3964] __x64_sys_openat+0x243/0x290 [ 145.548658][ T3964] ? __ia32_sys_open+0x270/0x270 [ 145.553598][ T3964] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 145.559590][ T3964] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 145.565570][ T3964] do_syscall_64+0x3d/0xb0 [ 145.569984][ T3964] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 145.575879][ T3964] RIP: 0033:0x7fc8868064d9 [ 145.580300][ T3964] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 145.599902][ T3964] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 145.608308][ T3964] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 145.616276][ T3964] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 145.624257][ T3964] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3964] <... openat resumed>) = ? [pid 3964] +++ exited with 0 +++ [pid 3963] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3963, si_uid=0, si_status=0, si_utime=1, si_stime=31} --- umount2("./108", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./108", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./108/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./108/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./108/binderfs") = 0 [ 145.632243][ T3964] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 145.640218][ T3964] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 145.648190][ T3964] umount2("./108/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./108/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./108/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./108/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./108/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./108/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./108") = 0 mkdir("./109", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3966 ./strace-static-x86_64: Process 3966 attached [pid 3966] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3966] chdir("./109") = 0 [pid 3966] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3966] setpgid(0, 0) = 0 [pid 3966] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3966] write(3, "1000", 4) = 4 [pid 3966] close(3) = 0 [pid 3966] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3966] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3966] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3966] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3966] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3967], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3967 [pid 3966] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3966] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3967 attached [pid 3967] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3967] memfd_create("syzkaller", 0) = 3 [pid 3967] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3967] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3967] munmap(0x7fc87e392000, 16777216) = 0 [pid 3967] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3967] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3967] close(3) = 0 [pid 3967] mkdir("./file0", 0777) = 0 [ 145.944663][ T3967] loop0: detected capacity change from 0 to 32768 [ 145.954442][ T3967] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 145.962904][ T3967] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 145.972917][ T3967] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 145.981886][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 145.988663][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3967] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3967] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3967] chdir("./file0") = 0 [pid 3967] ioctl(4, LOOP_CLR_FD) = 0 [pid 3967] close(4) = 0 [pid 3967] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3966] <... futex resumed>) = 0 [pid 3966] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3966] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3967] <... futex resumed>) = 1 [pid 3967] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3967] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3966] <... futex resumed>) = 0 [pid 3966] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3966] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3967] <... futex resumed>) = 1 [ 146.023500][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 146.031046][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 146.036299][ T3967] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 146.061122][ T3967] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3967] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3966] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3966] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3966] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3966] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3966] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3968], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3968 [pid 3966] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3968 attached [ 146.070293][ T3967] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 146.070293][ T3967] inode = 12 2341 [ 146.070293][ T3967] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 146.089138][ T3967] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 146.098938][ T3967] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3967 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 146.109021][ T3967] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3968] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3968] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3968] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 146.117824][ T3967] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 146.125164][ T3967] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 146.134048][ T3967] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 146.142247][ T3967] gfs2: fsid=syz:syz.0: File system withdrawn [ 146.148581][ T3967] CPU: 1 PID: 3967 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 146.159015][ T3967] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 146.169087][ T3967] Call Trace: [ 146.172372][ T3967] [ 146.175295][ T3967] dump_stack_lvl+0x1b1/0x28e [ 146.179967][ T3967] ? nf_tcp_handle_invalid+0x62e/0x62e [ 146.185425][ T3967] ? panic+0x710/0x710 [ 146.189484][ T3967] ? kobject_uevent_env+0x46b/0x8e0 [ 146.194942][ T3967] ? do_raw_spin_unlock+0x134/0x8a0 [ 146.200160][ T3967] gfs2_withdraw+0xf33/0x1540 [ 146.204856][ T3967] ? gfs2_lm+0x220/0x220 [ 146.209114][ T3967] ? gfs2_dirent_scan+0xb6/0x650 [ 146.214062][ T3967] ? panic+0x710/0x710 [ 146.218136][ T3967] ? gfs2_permission+0x2ff/0x430 [pid 3968] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3966] exit_group(0 [pid 3968] <... futex resumed>) = ? [pid 3966] <... exit_group resumed>) = ? [pid 3968] +++ exited with 0 +++ [ 146.223069][ T3967] ? gfs2_consist_inode_i+0xf3/0x110 [ 146.228356][ T3967] gfs2_dirent_scan+0x535/0x650 [ 146.233224][ T3967] ? gfs2_dirent_search+0xb10/0xb10 [ 146.238426][ T3967] gfs2_dirent_search+0x2ea/0xb10 [ 146.243466][ T3967] ? gfs2_dirent_search+0xb10/0xb10 [ 146.248674][ T3967] ? gfs2_dir_search+0x2a0/0x2a0 [ 146.253699][ T3967] ? gfs2_permission+0x3bf/0x430 [ 146.258649][ T3967] gfs2_dir_search+0x8c/0x2a0 [ 146.263334][ T3967] ? do_filldir_main+0x530/0x530 [ 146.268290][ T3967] ? inode_go_held+0xe4/0x1f0 [ 146.272964][ T3967] ? gfs2_glock_wait+0x213/0x2a0 [ 146.277920][ T3967] gfs2_lookupi+0x465/0x650 [ 146.282440][ T3967] ? gfs2_lookup_simple+0x170/0x170 [ 146.287645][ T3967] ? __gfs2_lookup+0x8c/0x260 [ 146.292338][ T3967] __gfs2_lookup+0x8c/0x260 [ 146.296836][ T3967] ? gfs2_atomic_open+0x230/0x230 [ 146.301859][ T3967] ? __d_lookup+0x6a4/0x770 [ 146.306350][ T3967] ? d_hash_and_lookup+0x1c0/0x1c0 [ 146.311453][ T3967] gfs2_atomic_open+0xa4/0x230 [ 146.316213][ T3967] path_openat+0xf39/0x2df0 [ 146.320729][ T3967] ? gfs2_rename2+0x3000/0x3000 [ 146.325597][ T3967] ? do_filp_open+0x4f0/0x4f0 [ 146.330294][ T3967] do_filp_open+0x264/0x4f0 [ 146.334802][ T3967] ? vfs_tmpfile+0x490/0x490 [ 146.339409][ T3967] ? do_raw_spin_unlock+0x134/0x8a0 [ 146.344611][ T3967] ? _raw_spin_unlock+0x24/0x40 [ 146.349465][ T3967] ? alloc_fd+0x5a7/0x640 [ 146.353823][ T3967] do_sys_openat2+0x124/0x4e0 [ 146.358520][ T3967] ? print_irqtrace_events+0x220/0x220 [ 146.363967][ T3967] ? ptrace_stop+0x74d/0x970 [ 146.368550][ T3967] ? do_sys_open+0x220/0x220 [ 146.373147][ T3967] ? lockdep_hardirqs_on+0x8d/0x130 [ 146.378356][ T3967] ? _raw_spin_unlock_irq+0x2a/0x40 [ 146.383557][ T3967] ? ptrace_notify+0x245/0x340 [ 146.388321][ T3967] __x64_sys_openat+0x243/0x290 [ 146.393185][ T3967] ? __ia32_sys_open+0x270/0x270 [ 146.398117][ T3967] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 146.404097][ T3967] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 146.410085][ T3967] do_syscall_64+0x3d/0xb0 [ 146.414553][ T3967] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 146.420460][ T3967] RIP: 0033:0x7fc8868064d9 [ 146.424869][ T3967] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 146.444472][ T3967] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 146.452891][ T3967] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 146.460864][ T3967] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3967] <... openat resumed>) = ? [pid 3967] +++ exited with 0 +++ [pid 3966] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3966, si_uid=0, si_status=0, si_utime=4, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./109", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./109", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./109/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./109/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./109/binderfs") = 0 [ 146.468828][ T3967] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 146.476793][ T3967] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 146.484769][ T3967] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 146.492757][ T3967] umount2("./109/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./109/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./109/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./109/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./109/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./109/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./109") = 0 mkdir("./110", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3969 attached , child_tidptr=0x55555635f5d0) = 3969 [pid 3969] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3969] chdir("./110") = 0 [pid 3969] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3969] setpgid(0, 0) = 0 [pid 3969] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3969] write(3, "1000", 4) = 4 [pid 3969] close(3) = 0 [pid 3969] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3969] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3969] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3969] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3969] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3970], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3970 [pid 3969] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3970 attached [pid 3969] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3970] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3970] memfd_create("syzkaller", 0) = 3 [pid 3970] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3970] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3970] munmap(0x7fc87e392000, 16777216) = 0 [pid 3970] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3970] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3970] close(3) = 0 [pid 3970] mkdir("./file0", 0777) = 0 [ 146.791523][ T3970] loop0: detected capacity change from 0 to 32768 [ 146.802553][ T3970] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 146.810799][ T3970] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 146.819731][ T3970] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 146.828422][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 146.835332][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3970] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3970] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3970] chdir("./file0") = 0 [pid 3970] ioctl(4, LOOP_CLR_FD) = 0 [pid 3970] close(4) = 0 [pid 3970] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3969] <... futex resumed>) = 0 [pid 3969] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3969] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3970] <... futex resumed>) = 1 [pid 3970] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3970] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3969] <... futex resumed>) = 0 [pid 3969] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3969] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3970] <... futex resumed>) = 1 [ 146.868786][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 146.877569][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 146.883089][ T3970] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 146.898177][ T3970] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 146.906697][ T3970] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 146.906697][ T3970] inode = 12 2341 [pid 3970] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3969] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 146.906697][ T3970] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 146.925447][ T3970] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 146.934660][ T3970] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3970 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 146.944798][ T3970] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 146.953346][ T3970] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 146.960655][ T3970] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 3969] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 146.969471][ T3970] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 146.976162][ T3970] gfs2: fsid=syz:syz.0: File system withdrawn [ 146.982392][ T3970] CPU: 0 PID: 3970 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 146.992816][ T3970] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 147.002862][ T3970] Call Trace: [ 147.006131][ T3970] [ 147.009054][ T3970] dump_stack_lvl+0x1b1/0x28e [ 147.013731][ T3970] ? nf_tcp_handle_invalid+0x62e/0x62e [ 147.019179][ T3970] ? panic+0x710/0x710 [ 147.023248][ T3970] ? kobject_uevent_env+0x46b/0x8e0 [ 147.028439][ T3970] ? do_raw_spin_unlock+0x134/0x8a0 [ 147.033637][ T3970] gfs2_withdraw+0xf33/0x1540 [ 147.038318][ T3970] ? gfs2_lm+0x220/0x220 [ 147.042550][ T3970] ? gfs2_dirent_scan+0xb6/0x650 [ 147.047483][ T3970] ? panic+0x710/0x710 [ 147.051543][ T3970] ? gfs2_permission+0x2ff/0x430 [ 147.056479][ T3970] ? gfs2_consist_inode_i+0xf3/0x110 [ 147.061759][ T3970] gfs2_dirent_scan+0x535/0x650 [ 147.066605][ T3970] ? gfs2_dirent_search+0xb10/0xb10 [ 147.071798][ T3970] gfs2_dirent_search+0x2ea/0xb10 [ 147.076822][ T3970] ? gfs2_dirent_search+0xb10/0xb10 [ 147.082019][ T3970] ? gfs2_dir_search+0x2a0/0x2a0 [ 147.086952][ T3970] ? gfs2_permission+0x3bf/0x430 [ 147.091890][ T3970] gfs2_dir_search+0x8c/0x2a0 [ 147.096564][ T3970] ? do_filldir_main+0x530/0x530 [ 147.101493][ T3970] ? inode_go_held+0xe4/0x1f0 [ 147.106168][ T3970] ? gfs2_glock_wait+0x213/0x2a0 [ 147.111099][ T3970] gfs2_lookupi+0x465/0x650 [ 147.115601][ T3970] ? gfs2_lookup_simple+0x170/0x170 [ 147.120794][ T3970] ? __gfs2_lookup+0x8c/0x260 [ 147.125471][ T3970] __gfs2_lookup+0x8c/0x260 [ 147.129971][ T3970] ? gfs2_atomic_open+0x230/0x230 [ 147.134989][ T3970] ? __d_lookup+0x6a4/0x770 [ 147.139483][ T3970] ? d_hash_and_lookup+0x1c0/0x1c0 [ 147.144585][ T3970] gfs2_atomic_open+0xa4/0x230 [ 147.149345][ T3970] path_openat+0xf39/0x2df0 [ 147.153845][ T3970] ? gfs2_rename2+0x3000/0x3000 [ 147.158701][ T3970] ? do_filp_open+0x4f0/0x4f0 [ 147.163379][ T3970] do_filp_open+0x264/0x4f0 [ 147.167877][ T3970] ? vfs_tmpfile+0x490/0x490 [ 147.172468][ T3970] ? do_raw_spin_unlock+0x134/0x8a0 [ 147.177665][ T3970] ? _raw_spin_unlock+0x24/0x40 [ 147.182514][ T3970] ? alloc_fd+0x5a7/0x640 [ 147.186855][ T3970] do_sys_openat2+0x124/0x4e0 [ 147.191530][ T3970] ? print_irqtrace_events+0x220/0x220 [ 147.196981][ T3970] ? ptrace_stop+0x74d/0x970 [ 147.201565][ T3970] ? do_sys_open+0x220/0x220 [ 147.206149][ T3970] ? lockdep_hardirqs_on+0x8d/0x130 [ 147.211343][ T3970] ? _raw_spin_unlock_irq+0x2a/0x40 [ 147.216539][ T3970] ? ptrace_notify+0x245/0x340 [ 147.221296][ T3970] __x64_sys_openat+0x243/0x290 [ 147.226144][ T3970] ? __ia32_sys_open+0x270/0x270 [ 147.231081][ T3970] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 147.237055][ T3970] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 147.243032][ T3970] do_syscall_64+0x3d/0xb0 [ 147.247441][ T3970] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 147.253326][ T3970] RIP: 0033:0x7fc8868064d9 [ 147.257732][ T3970] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 147.277330][ T3970] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 147.285735][ T3970] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 147.293712][ T3970] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 147.301673][ T3970] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 147.309638][ T3970] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3969] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3969] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3969] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3971], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3971 [pid 3969] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3971 attached [pid 3970] <... openat resumed>) = -1 EIO (Input/output error) [pid 3971] set_robust_list(0x7fc87f3919e0, 24 [pid 3970] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3971] <... set_robust_list resumed>) = 0 [pid 3971] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 3970] <... futex resumed>) = 0 [pid 3971] <... openat resumed>) = -1 EIO (Input/output error) [pid 3970] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3971] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 3969] exit_group(0) = ? [pid 3971] <... futex resumed>) = ? [pid 3970] <... futex resumed>) = ? [pid 3971] +++ exited with 0 +++ [pid 3970] +++ exited with 0 +++ [pid 3969] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3969, si_uid=0, si_status=0, si_utime=0, si_stime=33} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./110", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./110", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./110/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./110/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./110/binderfs") = 0 [ 147.317689][ T3970] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 147.325664][ T3970] umount2("./110/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./110/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./110/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./110/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./110/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./110/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./110") = 0 mkdir("./111", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3972 ./strace-static-x86_64: Process 3972 attached [pid 3972] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3972] chdir("./111") = 0 [pid 3972] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3972] setpgid(0, 0) = 0 [pid 3972] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3972] write(3, "1000", 4) = 4 [pid 3972] close(3) = 0 [pid 3972] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3972] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3972] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3972] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3972] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3973 attached , parent_tid=[3973], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3973 [pid 3972] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3972] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3973] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3973] memfd_create("syzkaller", 0) = 3 [pid 3973] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3973] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3973] munmap(0x7fc87e392000, 16777216) = 0 [pid 3973] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3973] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3973] close(3) = 0 [pid 3973] mkdir("./file0", 0777) = 0 [ 147.626845][ T3973] loop0: detected capacity change from 0 to 32768 [ 147.637616][ T3973] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 147.645853][ T3973] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 147.655538][ T3973] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 147.664228][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 147.671078][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3973] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3973] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3973] chdir("./file0") = 0 [pid 3973] ioctl(4, LOOP_CLR_FD) = 0 [pid 3973] close(4) = 0 [pid 3973] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3972] <... futex resumed>) = 0 [pid 3973] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3972] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3973] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3972] <... futex resumed>) = 0 [pid 3973] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3972] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3973] <... futex resumed>) = 0 [pid 3972] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3973] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3972] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3973] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3972] <... futex resumed>) = 0 [pid 3973] openat(AT_FDCWD, "./file0", O_RDONLY [ 147.709432][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 147.717161][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 147.722582][ T3973] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 147.741723][ T3973] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 147.750381][ T3973] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 3972] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 147.750381][ T3973] inode = 12 2341 [ 147.750381][ T3973] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 147.769406][ T3973] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 147.778905][ T3973] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3973 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 147.789065][ T3973] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 147.797889][ T3973] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3972] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3972] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3972] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3972] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3974], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3974 [pid 3972] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3974 attached [pid 3974] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3974] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3974] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 147.805556][ T3973] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 147.815104][ T3973] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 147.822405][ T3973] gfs2: fsid=syz:syz.0: File system withdrawn [ 147.828970][ T3973] CPU: 1 PID: 3973 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 147.839430][ T3973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 147.849492][ T3973] Call Trace: [ 147.852775][ T3973] [ 147.855700][ T3973] dump_stack_lvl+0x1b1/0x28e [ 147.860374][ T3973] ? nf_tcp_handle_invalid+0x62e/0x62e [ 147.865838][ T3973] ? panic+0x710/0x710 [ 147.869916][ T3973] ? kobject_uevent_env+0x46b/0x8e0 [ 147.875118][ T3973] ? do_raw_spin_unlock+0x134/0x8a0 [ 147.880349][ T3973] gfs2_withdraw+0xf33/0x1540 [ 147.885061][ T3973] ? gfs2_lm+0x220/0x220 [ 147.889295][ T3973] ? gfs2_dirent_scan+0xb6/0x650 [ 147.894225][ T3973] ? panic+0x710/0x710 [ 147.898284][ T3973] ? gfs2_permission+0x2ff/0x430 [ 147.903228][ T3973] ? gfs2_consist_inode_i+0xf3/0x110 [ 147.908531][ T3973] gfs2_dirent_scan+0x535/0x650 [ 147.913406][ T3973] ? gfs2_dirent_search+0xb10/0xb10 [ 147.918615][ T3973] gfs2_dirent_search+0x2ea/0xb10 [ 147.923652][ T3973] ? gfs2_dirent_search+0xb10/0xb10 [ 147.928863][ T3973] ? gfs2_dir_search+0x2a0/0x2a0 [ 147.933910][ T3973] ? gfs2_permission+0x3bf/0x430 [ 147.939028][ T3973] gfs2_dir_search+0x8c/0x2a0 [ 147.943705][ T3973] ? do_filldir_main+0x530/0x530 [ 147.948639][ T3973] ? inode_go_held+0xe4/0x1f0 [ 147.953316][ T3973] ? gfs2_glock_wait+0x213/0x2a0 [ 147.958335][ T3973] gfs2_lookupi+0x465/0x650 [ 147.962838][ T3973] ? gfs2_lookup_simple+0x170/0x170 [ 147.968029][ T3973] ? __gfs2_lookup+0x8c/0x260 [ 147.972705][ T3973] __gfs2_lookup+0x8c/0x260 [ 147.977228][ T3973] ? gfs2_atomic_open+0x230/0x230 [ 147.982251][ T3973] ? __d_lookup+0x6a4/0x770 [ 147.986744][ T3973] ? d_hash_and_lookup+0x1c0/0x1c0 [ 147.991854][ T3973] gfs2_atomic_open+0xa4/0x230 [ 147.996618][ T3973] path_openat+0xf39/0x2df0 [ 148.001121][ T3973] ? gfs2_rename2+0x3000/0x3000 [ 148.006039][ T3973] ? do_filp_open+0x4f0/0x4f0 [ 148.010719][ T3973] do_filp_open+0x264/0x4f0 [ 148.015218][ T3973] ? vfs_tmpfile+0x490/0x490 [ 148.019810][ T3973] ? do_raw_spin_unlock+0x134/0x8a0 [ 148.025008][ T3973] ? _raw_spin_unlock+0x24/0x40 [ 148.029857][ T3973] ? alloc_fd+0x5a7/0x640 [ 148.034196][ T3973] do_sys_openat2+0x124/0x4e0 [ 148.038892][ T3973] ? print_irqtrace_events+0x220/0x220 [ 148.044345][ T3973] ? ptrace_stop+0x74d/0x970 [ 148.048935][ T3973] ? do_sys_open+0x220/0x220 [ 148.053524][ T3973] ? lockdep_hardirqs_on+0x8d/0x130 [ 148.058731][ T3973] ? _raw_spin_unlock_irq+0x2a/0x40 [ 148.063929][ T3973] ? ptrace_notify+0x245/0x340 [ 148.068689][ T3973] __x64_sys_openat+0x243/0x290 [ 148.073537][ T3973] ? __ia32_sys_open+0x270/0x270 [ 148.078473][ T3973] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 148.084447][ T3973] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 148.090428][ T3973] do_syscall_64+0x3d/0xb0 [ 148.094839][ T3973] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 148.100726][ T3973] RIP: 0033:0x7fc8868064d9 [ 148.105132][ T3973] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 148.124732][ T3973] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 148.133136][ T3973] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 148.141096][ T3973] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 148.149057][ T3973] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3974] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3973] <... openat resumed>) = -1 EIO (Input/output error) [pid 3973] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3972] exit_group(0 [pid 3973] ????( [pid 3974] <... futex resumed>) = ? [pid 3973] <... ???? resumed>) = ? [pid 3972] <... exit_group resumed>) = ? [pid 3974] +++ exited with 0 +++ [pid 3973] +++ exited with 0 +++ [pid 3972] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3972, si_uid=0, si_status=0, si_utime=0, si_stime=32} --- umount2("./111", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./111", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./111/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./111/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./111/binderfs") = 0 [ 148.157020][ T3973] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 148.164980][ T3973] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 148.172955][ T3973] umount2("./111/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./111/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./111/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./111/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./111/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./111/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./111") = 0 mkdir("./112", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3975 attached , child_tidptr=0x55555635f5d0) = 3975 [pid 3975] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3975] chdir("./112") = 0 [pid 3975] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3975] setpgid(0, 0) = 0 [pid 3975] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3975] write(3, "1000", 4) = 4 [pid 3975] close(3) = 0 [pid 3975] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3975] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3975] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3975] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3975] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3976], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3976 [pid 3975] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3975] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3976 attached [pid 3976] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3976] memfd_create("syzkaller", 0) = 3 [pid 3976] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3976] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3976] munmap(0x7fc87e392000, 16777216) = 0 [pid 3976] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3976] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3976] close(3) = 0 [pid 3976] mkdir("./file0", 0777) = 0 [ 148.477798][ T3976] loop0: detected capacity change from 0 to 32768 [ 148.488394][ T3976] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 148.496796][ T3976] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 148.506297][ T3976] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 148.514832][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 148.522060][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3976] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3976] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3976] chdir("./file0") = 0 [pid 3976] ioctl(4, LOOP_CLR_FD) = 0 [pid 3976] close(4) = 0 [pid 3976] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3975] <... futex resumed>) = 0 [pid 3976] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3975] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3976] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3975] <... futex resumed>) = 0 [pid 3976] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3975] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3976] <... futex resumed>) = 0 [pid 3975] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3976] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3975] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 148.560955][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 148.568543][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 148.573919][ T3976] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 148.586797][ T3976] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 148.595588][ T3976] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 148.595588][ T3976] inode = 12 2341 [pid 3975] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3975] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3975] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3975] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3975] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3977], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3977 [ 148.595588][ T3976] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 148.614470][ T3976] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 148.623570][ T3976] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3976 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 148.633770][ T3976] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 148.642521][ T3976] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 148.649800][ T3976] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 3975] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3977 attached [pid 3977] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3977] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3977] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 148.658730][ T3976] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 148.665391][ T3976] gfs2: fsid=syz:syz.0: File system withdrawn [ 148.671849][ T3976] CPU: 0 PID: 3976 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 148.682291][ T3976] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 148.692360][ T3976] Call Trace: [ 148.695642][ T3976] [ 148.698564][ T3976] dump_stack_lvl+0x1b1/0x28e [ 148.703253][ T3976] ? nf_tcp_handle_invalid+0x62e/0x62e [ 148.708703][ T3976] ? panic+0x710/0x710 [ 148.713199][ T3976] ? kobject_uevent_env+0x46b/0x8e0 [ 148.718397][ T3976] ? do_raw_spin_unlock+0x134/0x8a0 [ 148.723612][ T3976] gfs2_withdraw+0xf33/0x1540 [ 148.728308][ T3976] ? gfs2_lm+0x220/0x220 [ 148.732557][ T3976] ? gfs2_dirent_scan+0xb6/0x650 [ 148.737503][ T3976] ? panic+0x710/0x710 [ 148.741561][ T3976] ? gfs2_permission+0x2ff/0x430 [ 148.746505][ T3976] ? gfs2_consist_inode_i+0xf3/0x110 [ 148.751802][ T3976] gfs2_dirent_scan+0x535/0x650 [ 148.756663][ T3976] ? gfs2_dirent_search+0xb10/0xb10 [ 148.761876][ T3976] gfs2_dirent_search+0x2ea/0xb10 [ 148.766933][ T3976] ? gfs2_dirent_search+0xb10/0xb10 [ 148.772150][ T3976] ? gfs2_dir_search+0x2a0/0x2a0 [ 148.777080][ T3976] ? gfs2_permission+0x3bf/0x430 [ 148.782028][ T3976] gfs2_dir_search+0x8c/0x2a0 [ 148.786711][ T3976] ? do_filldir_main+0x530/0x530 [ 148.791649][ T3976] ? inode_go_held+0xe4/0x1f0 [ 148.796325][ T3976] ? gfs2_glock_wait+0x213/0x2a0 [ 148.801265][ T3976] gfs2_lookupi+0x465/0x650 [ 148.805769][ T3976] ? gfs2_lookup_simple+0x170/0x170 [ 148.810959][ T3976] ? __gfs2_lookup+0x8c/0x260 [ 148.815637][ T3976] __gfs2_lookup+0x8c/0x260 [ 148.820140][ T3976] ? gfs2_atomic_open+0x230/0x230 [ 148.825165][ T3976] ? __d_lookup+0x6a4/0x770 [ 148.829660][ T3976] ? d_hash_and_lookup+0x1c0/0x1c0 [ 148.834763][ T3976] gfs2_atomic_open+0xa4/0x230 [ 148.839524][ T3976] path_openat+0xf39/0x2df0 [ 148.844033][ T3976] ? gfs2_rename2+0x3000/0x3000 [ 148.848891][ T3976] ? do_filp_open+0x4f0/0x4f0 [ 148.853574][ T3976] do_filp_open+0x264/0x4f0 [ 148.858071][ T3976] ? vfs_tmpfile+0x490/0x490 [ 148.862662][ T3976] ? do_raw_spin_unlock+0x134/0x8a0 [ 148.867863][ T3976] ? _raw_spin_unlock+0x24/0x40 [ 148.872713][ T3976] ? alloc_fd+0x5a7/0x640 [ 148.877058][ T3976] do_sys_openat2+0x124/0x4e0 [ 148.881733][ T3976] ? print_irqtrace_events+0x220/0x220 [ 148.887186][ T3976] ? ptrace_stop+0x74d/0x970 [ 148.891770][ T3976] ? do_sys_open+0x220/0x220 [ 148.896353][ T3976] ? lockdep_hardirqs_on+0x8d/0x130 [ 148.901548][ T3976] ? _raw_spin_unlock_irq+0x2a/0x40 [ 148.906741][ T3976] ? ptrace_notify+0x245/0x340 [ 148.911495][ T3976] __x64_sys_openat+0x243/0x290 [ 148.916372][ T3976] ? __ia32_sys_open+0x270/0x270 [ 148.921312][ T3976] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 148.927287][ T3976] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 148.933262][ T3976] do_syscall_64+0x3d/0xb0 [ 148.937669][ T3976] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 148.943551][ T3976] RIP: 0033:0x7fc8868064d9 [ 148.947956][ T3976] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 148.967554][ T3976] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 148.975959][ T3976] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 148.983922][ T3976] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 148.991884][ T3976] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 148.999880][ T3976] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3977] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3976] <... openat resumed>) = -1 EIO (Input/output error) [pid 3976] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3975] exit_group(0 [pid 3977] <... futex resumed>) = ? [pid 3975] <... exit_group resumed>) = ? [pid 3977] +++ exited with 0 +++ [pid 3976] +++ exited with 0 +++ [pid 3975] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3975, si_uid=0, si_status=0, si_utime=3, si_stime=29} --- umount2("./112", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./112", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./112/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./112/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./112/binderfs") = 0 [ 149.007851][ T3976] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 149.015829][ T3976] umount2("./112/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./112/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./112/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./112/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./112/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./112/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./112") = 0 mkdir("./113", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3978 ./strace-static-x86_64: Process 3978 attached [pid 3978] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3978] chdir("./113") = 0 [pid 3978] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3978] setpgid(0, 0) = 0 [pid 3978] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3978] write(3, "1000", 4) = 4 [pid 3978] close(3) = 0 [pid 3978] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3978] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3978] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3978] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3978] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3979 attached , parent_tid=[3979], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3979 [pid 3979] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3979] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3978] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3978] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3979] <... futex resumed>) = 0 [pid 3979] memfd_create("syzkaller", 0) = 3 [pid 3979] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3979] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3979] munmap(0x7fc87e392000, 16777216) = 0 [pid 3979] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3979] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3979] close(3) = 0 [pid 3979] mkdir("./file0", 0777) = 0 [ 149.338007][ T3979] loop0: detected capacity change from 0 to 32768 [ 149.349728][ T3979] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 149.358697][ T3979] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 149.368151][ T3979] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 149.377072][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 149.384005][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3979] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3979] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3979] chdir("./file0") = 0 [pid 3979] ioctl(4, LOOP_CLR_FD) = 0 [pid 3979] close(4) = 0 [pid 3979] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3978] <... futex resumed>) = 0 [pid 3979] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3978] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3979] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3978] <... futex resumed>) = 0 [pid 3979] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3978] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3979] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3979] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3978] <... futex resumed>) = 0 [pid 3979] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3978] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3979] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3979] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3978] <... futex resumed>) = 0 [ 149.423007][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 149.431202][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 149.436469][ T3979] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 149.461441][ T3979] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 149.471169][ T3979] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 149.471169][ T3979] inode = 12 2341 [ 149.471169][ T3979] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 149.490479][ T3979] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 149.499548][ T3979] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3979 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 149.510500][ T3979] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3978] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3978] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3978] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3978] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3978] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3980], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3980 [pid 3978] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3980 attached [pid 3980] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3980] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3980] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 149.518932][ T3979] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 149.526529][ T3979] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 149.535426][ T3979] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 149.543749][ T3979] gfs2: fsid=syz:syz.0: File system withdrawn [ 149.549837][ T3979] CPU: 0 PID: 3979 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 149.560264][ T3979] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 149.570323][ T3979] Call Trace: [ 149.573603][ T3979] [ 149.576542][ T3979] dump_stack_lvl+0x1b1/0x28e [ 149.581254][ T3979] ? nf_tcp_handle_invalid+0x62e/0x62e [ 149.587403][ T3979] ? panic+0x710/0x710 [ 149.591490][ T3979] ? kobject_uevent_env+0x46b/0x8e0 [ 149.596691][ T3979] ? do_raw_spin_unlock+0x134/0x8a0 [ 149.601906][ T3979] gfs2_withdraw+0xf33/0x1540 [ 149.606601][ T3979] ? gfs2_lm+0x220/0x220 [ 149.610836][ T3979] ? gfs2_dirent_scan+0xb6/0x650 [ 149.615767][ T3979] ? panic+0x710/0x710 [ 149.619832][ T3979] ? gfs2_permission+0x2ff/0x430 [ 149.624766][ T3979] ? gfs2_consist_inode_i+0xf3/0x110 [ 149.630056][ T3979] gfs2_dirent_scan+0x535/0x650 [ 149.634915][ T3979] ? gfs2_dirent_search+0xb10/0xb10 [ 149.640133][ T3979] gfs2_dirent_search+0x2ea/0xb10 [ 149.645151][ T3979] ? gfs2_dirent_search+0xb10/0xb10 [ 149.650347][ T3979] ? gfs2_dir_search+0x2a0/0x2a0 [ 149.655282][ T3979] ? gfs2_permission+0x3bf/0x430 [ 149.660254][ T3979] gfs2_dir_search+0x8c/0x2a0 [ 149.664938][ T3979] ? do_filldir_main+0x530/0x530 [pid 3980] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3978] exit_group(0 [pid 3980] <... futex resumed>) = ? [pid 3978] <... exit_group resumed>) = ? [pid 3980] +++ exited with 0 +++ [ 149.669891][ T3979] ? inode_go_held+0xe4/0x1f0 [ 149.674578][ T3979] ? gfs2_glock_wait+0x213/0x2a0 [ 149.679516][ T3979] gfs2_lookupi+0x465/0x650 [ 149.684020][ T3979] ? gfs2_lookup_simple+0x170/0x170 [ 149.689215][ T3979] ? __gfs2_lookup+0x8c/0x260 [ 149.693907][ T3979] __gfs2_lookup+0x8c/0x260 [ 149.698508][ T3979] ? gfs2_atomic_open+0x230/0x230 [ 149.703537][ T3979] ? __d_lookup+0x6a4/0x770 [ 149.708042][ T3979] ? d_hash_and_lookup+0x1c0/0x1c0 [ 149.713158][ T3979] gfs2_atomic_open+0xa4/0x230 [ 149.717934][ T3979] path_openat+0xf39/0x2df0 [ 149.722434][ T3979] ? gfs2_rename2+0x3000/0x3000 [ 149.727285][ T3979] ? do_filp_open+0x4f0/0x4f0 [ 149.731959][ T3979] do_filp_open+0x264/0x4f0 [ 149.736460][ T3979] ? vfs_tmpfile+0x490/0x490 [ 149.741062][ T3979] ? do_raw_spin_unlock+0x134/0x8a0 [ 149.746267][ T3979] ? _raw_spin_unlock+0x24/0x40 [ 149.751127][ T3979] ? alloc_fd+0x5a7/0x640 [ 149.755457][ T3979] do_sys_openat2+0x124/0x4e0 [ 149.760134][ T3979] ? print_irqtrace_events+0x220/0x220 [ 149.765599][ T3979] ? ptrace_stop+0x74d/0x970 [ 149.770197][ T3979] ? do_sys_open+0x220/0x220 [ 149.774777][ T3979] ? lockdep_hardirqs_on+0x8d/0x130 [ 149.779968][ T3979] ? _raw_spin_unlock_irq+0x2a/0x40 [ 149.785257][ T3979] ? ptrace_notify+0x245/0x340 [ 149.790024][ T3979] __x64_sys_openat+0x243/0x290 [ 149.794880][ T3979] ? __ia32_sys_open+0x270/0x270 [ 149.799818][ T3979] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 149.805806][ T3979] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 149.811977][ T3979] do_syscall_64+0x3d/0xb0 [ 149.816384][ T3979] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 149.822278][ T3979] RIP: 0033:0x7fc8868064d9 [ 149.826694][ T3979] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 149.846293][ T3979] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 149.854703][ T3979] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 149.862669][ T3979] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3979] <... openat resumed>) = ? [pid 3979] +++ exited with 0 +++ [pid 3978] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3978, si_uid=0, si_status=0, si_utime=2, si_stime=31} --- umount2("./113", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./113", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./113/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./113/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./113/binderfs") = 0 [ 149.870644][ T3979] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 149.878619][ T3979] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 149.886681][ T3979] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 149.894741][ T3979] umount2("./113/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./113/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./113/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./113/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./113/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./113/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./113") = 0 mkdir("./114", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3981 ./strace-static-x86_64: Process 3981 attached [pid 3981] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3981] chdir("./114") = 0 [pid 3981] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3981] setpgid(0, 0) = 0 [pid 3981] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3981] write(3, "1000", 4) = 4 [pid 3981] close(3) = 0 [pid 3981] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3981] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3981] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3981] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3981] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3982], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3982 [pid 3981] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3981] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3982 attached [pid 3982] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3982] memfd_create("syzkaller", 0) = 3 [pid 3982] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3982] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3982] munmap(0x7fc87e392000, 16777216) = 0 [pid 3982] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3982] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3982] close(3) = 0 [pid 3982] mkdir("./file0", 0777) = 0 [ 150.197258][ T3982] loop0: detected capacity change from 0 to 32768 [ 150.208958][ T3982] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 150.217345][ T3982] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 150.226216][ T3982] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 150.234894][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 150.241987][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3982] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3982] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3982] chdir("./file0") = 0 [pid 3982] ioctl(4, LOOP_CLR_FD) = 0 [pid 3982] close(4) = 0 [pid 3982] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3982] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3981] <... futex resumed>) = 0 [pid 3981] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3982] <... futex resumed>) = 0 [pid 3981] <... futex resumed>) = 1 [pid 3982] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3981] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3982] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3982] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3981] <... futex resumed>) = 0 [pid 3982] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3981] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3982] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3981] <... futex resumed>) = 0 [pid 3982] openat(AT_FDCWD, "./file0", O_RDONLY [ 150.282252][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 150.289783][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 150.295118][ T3982] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 150.316703][ T3982] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3981] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3981] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3981] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3981] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [ 150.325993][ T3982] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 150.325993][ T3982] inode = 12 2341 [ 150.325993][ T3982] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 150.344730][ T3982] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 150.353953][ T3982] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3982 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 150.364795][ T3982] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 150.373346][ T3982] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 3981] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3983], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3983 [pid 3981] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3983 attached [pid 3983] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3983] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3983] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 150.381245][ T3982] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 150.390901][ T3982] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 150.397448][ T3982] gfs2: fsid=syz:syz.0: File system withdrawn [ 150.403631][ T3982] CPU: 1 PID: 3982 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 150.414061][ T3982] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 150.424146][ T3982] Call Trace: [ 150.427429][ T3982] [ 150.430367][ T3982] dump_stack_lvl+0x1b1/0x28e [ 150.435064][ T3982] ? nf_tcp_handle_invalid+0x62e/0x62e [ 150.440541][ T3982] ? panic+0x710/0x710 [ 150.444607][ T3982] ? kobject_uevent_env+0x46b/0x8e0 [ 150.449805][ T3982] ? do_raw_spin_unlock+0x134/0x8a0 [ 150.455021][ T3982] gfs2_withdraw+0xf33/0x1540 [ 150.459726][ T3982] ? gfs2_lm+0x220/0x220 [ 150.463964][ T3982] ? gfs2_dirent_scan+0xb6/0x650 [ 150.468910][ T3982] ? panic+0x710/0x710 [ 150.472999][ T3982] ? gfs2_permission+0x2ff/0x430 [ 150.477953][ T3982] ? gfs2_consist_inode_i+0xf3/0x110 [ 150.483247][ T3982] gfs2_dirent_scan+0x535/0x650 [ 150.488122][ T3982] ? gfs2_dirent_search+0xb10/0xb10 [ 150.493341][ T3982] gfs2_dirent_search+0x2ea/0xb10 [ 150.498398][ T3982] ? gfs2_dirent_search+0xb10/0xb10 [ 150.503625][ T3982] ? gfs2_dir_search+0x2a0/0x2a0 [ 150.508560][ T3982] ? gfs2_permission+0x3bf/0x430 [ 150.514105][ T3982] gfs2_dir_search+0x8c/0x2a0 [ 150.519048][ T3982] ? do_filldir_main+0x530/0x530 [ 150.525111][ T3982] ? inode_go_held+0xe4/0x1f0 [ 150.529784][ T3982] ? gfs2_glock_wait+0x213/0x2a0 [ 150.534714][ T3982] gfs2_lookupi+0x465/0x650 [ 150.539217][ T3982] ? gfs2_lookup_simple+0x170/0x170 [ 150.544412][ T3982] ? __gfs2_lookup+0x8c/0x260 [ 150.549088][ T3982] __gfs2_lookup+0x8c/0x260 [ 150.553590][ T3982] ? gfs2_atomic_open+0x230/0x230 [ 150.558612][ T3982] ? __d_lookup+0x6a4/0x770 [ 150.563104][ T3982] ? d_hash_and_lookup+0x1c0/0x1c0 [ 150.568227][ T3982] gfs2_atomic_open+0xa4/0x230 [ 150.573023][ T3982] path_openat+0xf39/0x2df0 [ 150.577535][ T3982] ? gfs2_rename2+0x3000/0x3000 [ 150.582413][ T3982] ? do_filp_open+0x4f0/0x4f0 [ 150.587117][ T3982] do_filp_open+0x264/0x4f0 [ 150.591622][ T3982] ? vfs_tmpfile+0x490/0x490 [ 150.596217][ T3982] ? do_raw_spin_unlock+0x134/0x8a0 [ 150.601420][ T3982] ? _raw_spin_unlock+0x24/0x40 [ 150.606267][ T3982] ? alloc_fd+0x5a7/0x640 [ 150.610598][ T3982] do_sys_openat2+0x124/0x4e0 [ 150.615297][ T3982] ? print_irqtrace_events+0x220/0x220 [ 150.620917][ T3982] ? ptrace_stop+0x74d/0x970 [ 150.625532][ T3982] ? do_sys_open+0x220/0x220 [ 150.630134][ T3982] ? lockdep_hardirqs_on+0x8d/0x130 [ 150.635330][ T3982] ? _raw_spin_unlock_irq+0x2a/0x40 [ 150.640528][ T3982] ? ptrace_notify+0x245/0x340 [ 150.645282][ T3982] __x64_sys_openat+0x243/0x290 [ 150.650131][ T3982] ? __ia32_sys_open+0x270/0x270 [ 150.655063][ T3982] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 150.661040][ T3982] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 150.667016][ T3982] do_syscall_64+0x3d/0xb0 [ 150.671427][ T3982] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 150.677311][ T3982] RIP: 0033:0x7fc8868064d9 [ 150.681717][ T3982] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 150.701321][ T3982] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 150.709729][ T3982] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 150.717784][ T3982] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 150.725758][ T3982] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3983] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3982] <... openat resumed>) = -1 EIO (Input/output error) [pid 3982] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3982] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3981] exit_group(0) = ? [pid 3982] <... futex resumed>) = ? [pid 3983] <... futex resumed>) = ? [pid 3982] +++ exited with 0 +++ [pid 3983] +++ exited with 0 +++ [pid 3981] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3981, si_uid=0, si_status=0, si_utime=3, si_stime=27} --- umount2("./114", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./114", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./114/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./114/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./114/binderfs") = 0 [ 150.733722][ T3982] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 150.741689][ T3982] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 150.749664][ T3982] umount2("./114/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./114/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./114/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./114/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./114/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./114/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./114") = 0 mkdir("./115", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3984 ./strace-static-x86_64: Process 3984 attached [pid 3984] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3984] chdir("./115") = 0 [pid 3984] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3984] setpgid(0, 0) = 0 [pid 3984] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3984] write(3, "1000", 4) = 4 [pid 3984] close(3) = 0 [pid 3984] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3984] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3984] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3984] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3984] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3985 attached , parent_tid=[3985], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3985 [pid 3984] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3985] set_robust_list(0x7fc8867b29e0, 24 [pid 3984] <... futex resumed>) = 0 [pid 3985] <... set_robust_list resumed>) = 0 [pid 3984] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3985] memfd_create("syzkaller", 0) = 3 [pid 3985] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3985] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3985] munmap(0x7fc87e392000, 16777216) = 0 [pid 3985] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3985] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3985] close(3) = 0 [pid 3985] mkdir("./file0", 0777) = 0 [ 151.045257][ T3985] loop0: detected capacity change from 0 to 32768 [ 151.056620][ T3985] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 151.065360][ T3985] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 151.074903][ T3985] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 151.083995][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 151.090831][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3985] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3985] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3985] chdir("./file0") = 0 [pid 3985] ioctl(4, LOOP_CLR_FD) = 0 [pid 3985] close(4) = 0 [pid 3985] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3984] <... futex resumed>) = 0 [pid 3984] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3984] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3985] <... futex resumed>) = 1 [pid 3985] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3985] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3984] <... futex resumed>) = 0 [pid 3984] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3984] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3985] <... futex resumed>) = 1 [ 151.125994][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 151.133526][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 151.138775][ T3985] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 151.160638][ T3985] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3985] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3984] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3984] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3984] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3984] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3984] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3986], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3986 [pid 3984] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3986 attached [pid 3986] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3986] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3986] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 151.169437][ T3985] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 151.169437][ T3985] inode = 12 2341 [ 151.169437][ T3985] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 151.188646][ T3985] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 151.198019][ T3985] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3985 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 151.208609][ T3985] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 151.217622][ T3985] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 151.225600][ T3985] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 151.234407][ T3985] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 151.242339][ T3985] gfs2: fsid=syz:syz.0: File system withdrawn [ 151.248420][ T3985] CPU: 0 PID: 3985 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 151.258825][ T3985] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 151.268885][ T3985] Call Trace: [ 151.272156][ T3985] [ 151.275077][ T3985] dump_stack_lvl+0x1b1/0x28e [ 151.279746][ T3985] ? nf_tcp_handle_invalid+0x62e/0x62e [ 151.285236][ T3985] ? panic+0x710/0x710 [ 151.289305][ T3985] ? kobject_uevent_env+0x46b/0x8e0 [ 151.294504][ T3985] ? do_raw_spin_unlock+0x134/0x8a0 [ 151.299726][ T3985] gfs2_withdraw+0xf33/0x1540 [ 151.304423][ T3985] ? gfs2_lm+0x220/0x220 [ 151.308666][ T3985] ? gfs2_dirent_scan+0xb6/0x650 [ 151.313621][ T3985] ? panic+0x710/0x710 [ 151.317703][ T3985] ? gfs2_permission+0x2ff/0x430 [pid 3986] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3984] exit_group(0 [pid 3986] <... futex resumed>) = ? [pid 3984] <... exit_group resumed>) = ? [pid 3986] +++ exited with 0 +++ [ 151.322680][ T3985] ? gfs2_consist_inode_i+0xf3/0x110 [ 151.328007][ T3985] gfs2_dirent_scan+0x535/0x650 [ 151.332856][ T3985] ? gfs2_dirent_search+0xb10/0xb10 [ 151.338067][ T3985] gfs2_dirent_search+0x2ea/0xb10 [ 151.343102][ T3985] ? gfs2_dirent_search+0xb10/0xb10 [ 151.348317][ T3985] ? gfs2_dir_search+0x2a0/0x2a0 [ 151.353253][ T3985] ? gfs2_permission+0x3bf/0x430 [ 151.358227][ T3985] gfs2_dir_search+0x8c/0x2a0 [ 151.362920][ T3985] ? do_filldir_main+0x530/0x530 [ 151.367872][ T3985] ? inode_go_held+0xe4/0x1f0 [ 151.372561][ T3985] ? gfs2_glock_wait+0x213/0x2a0 [ 151.377499][ T3985] gfs2_lookupi+0x465/0x650 [ 151.382018][ T3985] ? gfs2_lookup_simple+0x170/0x170 [ 151.387222][ T3985] ? __gfs2_lookup+0x8c/0x260 [ 151.391910][ T3985] __gfs2_lookup+0x8c/0x260 [ 151.396407][ T3985] ? gfs2_atomic_open+0x230/0x230 [ 151.401424][ T3985] ? __d_lookup+0x6a4/0x770 [ 151.405915][ T3985] ? d_hash_and_lookup+0x1c0/0x1c0 [ 151.411017][ T3985] gfs2_atomic_open+0xa4/0x230 [ 151.415774][ T3985] path_openat+0xf39/0x2df0 [ 151.421227][ T3985] ? gfs2_rename2+0x3000/0x3000 [ 151.426077][ T3985] ? do_filp_open+0x4f0/0x4f0 [ 151.430750][ T3985] do_filp_open+0x264/0x4f0 [ 151.435250][ T3985] ? vfs_tmpfile+0x490/0x490 [ 151.439854][ T3985] ? do_raw_spin_unlock+0x134/0x8a0 [ 151.445057][ T3985] ? _raw_spin_unlock+0x24/0x40 [ 151.449917][ T3985] ? alloc_fd+0x5a7/0x640 [ 151.454244][ T3985] do_sys_openat2+0x124/0x4e0 [ 151.458911][ T3985] ? print_irqtrace_events+0x220/0x220 [ 151.464365][ T3985] ? ptrace_stop+0x74d/0x970 [ 151.468961][ T3985] ? do_sys_open+0x220/0x220 [ 151.473545][ T3985] ? lockdep_hardirqs_on+0x8d/0x130 [ 151.478732][ T3985] ? _raw_spin_unlock_irq+0x2a/0x40 [ 151.483937][ T3985] ? ptrace_notify+0x245/0x340 [ 151.488689][ T3985] __x64_sys_openat+0x243/0x290 [ 151.493530][ T3985] ? __ia32_sys_open+0x270/0x270 [ 151.498470][ T3985] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 151.504458][ T3985] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 151.510428][ T3985] do_syscall_64+0x3d/0xb0 [ 151.514831][ T3985] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 151.520721][ T3985] RIP: 0033:0x7fc8868064d9 [ 151.525138][ T3985] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 151.544733][ T3985] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 151.553138][ T3985] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 151.561098][ T3985] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 151.569059][ T3985] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 3985] <... openat resumed>) = ? [pid 3985] +++ exited with 0 +++ [pid 3984] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3984, si_uid=0, si_status=0, si_utime=1, si_stime=29} --- umount2("./115", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./115", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./115/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./115/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./115/binderfs") = 0 [ 151.577029][ T3985] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 151.585011][ T3985] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 151.592999][ T3985] umount2("./115/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./115/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./115/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./115/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./115/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./115/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./115") = 0 mkdir("./116", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3987 ./strace-static-x86_64: Process 3987 attached [pid 3987] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3987] chdir("./116") = 0 [pid 3987] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3987] setpgid(0, 0) = 0 [pid 3987] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3987] write(3, "1000", 4) = 4 [pid 3987] close(3) = 0 [pid 3987] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3987] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3987] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3987] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3987] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3988], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3988 [pid 3987] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3987] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3988 attached [pid 3988] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3988] memfd_create("syzkaller", 0) = 3 [pid 3988] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3988] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3988] munmap(0x7fc87e392000, 16777216) = 0 [pid 3988] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3988] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3988] close(3) = 0 [pid 3988] mkdir("./file0", 0777) = 0 [ 151.898615][ T3988] loop0: detected capacity change from 0 to 32768 [ 151.908233][ T3988] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 151.916836][ T3988] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 151.926469][ T3988] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 151.935006][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 151.941931][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3988] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3988] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3988] chdir("./file0") = 0 [pid 3988] ioctl(4, LOOP_CLR_FD) = 0 [pid 3988] close(4) = 0 [pid 3988] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3987] <... futex resumed>) = 0 [pid 3987] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3987] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3988] <... futex resumed>) = 1 [pid 3988] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3988] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3987] <... futex resumed>) = 0 [pid 3987] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3987] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3988] <... futex resumed>) = 1 [ 151.982678][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 151.990260][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 151.995506][ T3988] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 152.019640][ T3988] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 3988] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3987] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3987] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3987] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3987] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3987] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3989], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3989 [pid 3987] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3989 attached [pid 3989] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3989] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3989] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 152.028501][ T3988] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 152.028501][ T3988] inode = 12 2341 [ 152.028501][ T3988] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 152.048097][ T3988] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 152.057441][ T3988] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3988 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 152.068365][ T3988] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 152.077084][ T3988] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 152.084342][ T3988] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 152.093172][ T3988] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 152.101247][ T3988] gfs2: fsid=syz:syz.0: File system withdrawn [ 152.107316][ T3988] CPU: 0 PID: 3988 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 152.117731][ T3988] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 152.127789][ T3988] Call Trace: [ 152.131060][ T3988] [ 152.133979][ T3988] dump_stack_lvl+0x1b1/0x28e [ 152.138745][ T3988] ? nf_tcp_handle_invalid+0x62e/0x62e [ 152.145253][ T3988] ? panic+0x710/0x710 [ 152.149312][ T3988] ? kobject_uevent_env+0x46b/0x8e0 [ 152.154512][ T3988] ? do_raw_spin_unlock+0x134/0x8a0 [ 152.159718][ T3988] gfs2_withdraw+0xf33/0x1540 [ 152.164413][ T3988] ? gfs2_lm+0x220/0x220 [ 152.168641][ T3988] ? gfs2_dirent_scan+0xb6/0x650 [ 152.173675][ T3988] ? panic+0x710/0x710 [ 152.177747][ T3988] ? gfs2_permission+0x2ff/0x430 [pid 3989] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3987] exit_group(0 [pid 3989] <... futex resumed>) = ? [pid 3987] <... exit_group resumed>) = ? [pid 3989] +++ exited with 0 +++ [ 152.182677][ T3988] ? gfs2_consist_inode_i+0xf3/0x110 [ 152.187966][ T3988] gfs2_dirent_scan+0x535/0x650 [ 152.192826][ T3988] ? gfs2_dirent_search+0xb10/0xb10 [ 152.198020][ T3988] gfs2_dirent_search+0x2ea/0xb10 [ 152.203051][ T3988] ? gfs2_dirent_search+0xb10/0xb10 [ 152.208262][ T3988] ? gfs2_dir_search+0x2a0/0x2a0 [ 152.213192][ T3988] ? gfs2_permission+0x3bf/0x430 [ 152.218146][ T3988] gfs2_dir_search+0x8c/0x2a0 [ 152.222825][ T3988] ? do_filldir_main+0x530/0x530 [ 152.227756][ T3988] ? inode_go_held+0xe4/0x1f0 [ 152.232426][ T3988] ? gfs2_glock_wait+0x213/0x2a0 [ 152.237380][ T3988] gfs2_lookupi+0x465/0x650 [ 152.241896][ T3988] ? gfs2_lookup_simple+0x170/0x170 [ 152.247132][ T3988] ? __gfs2_lookup+0x8c/0x260 [ 152.251816][ T3988] __gfs2_lookup+0x8c/0x260 [ 152.256312][ T3988] ? gfs2_atomic_open+0x230/0x230 [ 152.261332][ T3988] ? __d_lookup+0x6a4/0x770 [ 152.265822][ T3988] ? d_hash_and_lookup+0x1c0/0x1c0 [ 152.270933][ T3988] gfs2_atomic_open+0xa4/0x230 [ 152.275695][ T3988] path_openat+0xf39/0x2df0 [ 152.280204][ T3988] ? gfs2_rename2+0x3000/0x3000 [ 152.285081][ T3988] ? do_filp_open+0x4f0/0x4f0 [ 152.289760][ T3988] do_filp_open+0x264/0x4f0 [ 152.294266][ T3988] ? vfs_tmpfile+0x490/0x490 [ 152.298868][ T3988] ? do_raw_spin_unlock+0x134/0x8a0 [ 152.304061][ T3988] ? _raw_spin_unlock+0x24/0x40 [ 152.308904][ T3988] ? alloc_fd+0x5a7/0x640 [ 152.313252][ T3988] do_sys_openat2+0x124/0x4e0 [ 152.317943][ T3988] ? print_irqtrace_events+0x220/0x220 [ 152.323393][ T3988] ? ptrace_stop+0x74d/0x970 [ 152.327977][ T3988] ? do_sys_open+0x220/0x220 [ 152.332567][ T3988] ? lockdep_hardirqs_on+0x8d/0x130 [ 152.337774][ T3988] ? _raw_spin_unlock_irq+0x2a/0x40 [ 152.343001][ T3988] ? ptrace_notify+0x245/0x340 [ 152.347771][ T3988] __x64_sys_openat+0x243/0x290 [ 152.352632][ T3988] ? __ia32_sys_open+0x270/0x270 [ 152.357579][ T3988] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 152.363572][ T3988] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 152.369562][ T3988] do_syscall_64+0x3d/0xb0 [ 152.373983][ T3988] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 152.379886][ T3988] RIP: 0033:0x7fc8868064d9 [ 152.384290][ T3988] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 152.403893][ T3988] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 152.412305][ T3988] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 152.420357][ T3988] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3988] <... openat resumed>) = ? [pid 3988] +++ exited with 0 +++ [pid 3987] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3987, si_uid=0, si_status=0, si_utime=1, si_stime=29} --- umount2("./116", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./116", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./116/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./116/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./116/binderfs") = 0 [ 152.428318][ T3988] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 152.436281][ T3988] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 152.444254][ T3988] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 152.452253][ T3988] umount2("./116/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./116/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./116/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./116/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./116/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./116/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./116") = 0 mkdir("./117", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3990 ./strace-static-x86_64: Process 3990 attached [pid 3990] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3990] chdir("./117") = 0 [pid 3990] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3990] setpgid(0, 0) = 0 [pid 3990] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3990] write(3, "1000", 4) = 4 [pid 3990] close(3) = 0 [pid 3990] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3990] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3990] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3990] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3990] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3991 attached [pid 3991] set_robust_list(0x7fc8867b29e0, 24 [pid 3990] <... clone resumed>, parent_tid=[3991], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3991 [pid 3990] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3990] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 3991] <... set_robust_list resumed>) = 0 [pid 3991] memfd_create("syzkaller", 0) = 3 [pid 3991] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3991] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3991] munmap(0x7fc87e392000, 16777216) = 0 [pid 3991] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3991] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3991] close(3) = 0 [pid 3991] mkdir("./file0", 0777) = 0 [ 152.755403][ T3991] loop0: detected capacity change from 0 to 32768 [ 152.767124][ T3991] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 152.775379][ T3991] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 152.784531][ T3991] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 152.793899][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 152.800748][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3991] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3991] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3991] chdir("./file0") = 0 [pid 3991] ioctl(4, LOOP_CLR_FD) = 0 [pid 3991] close(4) = 0 [pid 3991] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3991] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3990] <... futex resumed>) = 0 [pid 3990] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3991] <... futex resumed>) = 0 [pid 3990] <... futex resumed>) = 1 [pid 3991] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3990] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3991] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3991] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3990] <... futex resumed>) = 0 [pid 3991] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3990] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 152.840108][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 152.848941][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 152.854354][ T3991] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 152.879453][ T3991] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 152.888820][ T3991] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 152.888820][ T3991] inode = 12 2341 [ 152.888820][ T3991] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 152.907962][ T3991] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 152.917786][ T3991] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3991 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 152.928115][ T3991] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 3990] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3990] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3990] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3990] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3990] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3992], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3992 [pid 3990] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3992 attached [pid 3992] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3992] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3992] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 152.936790][ T3991] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 152.944793][ T3991] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 152.954149][ T3991] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 152.960991][ T3991] gfs2: fsid=syz:syz.0: File system withdrawn [ 152.967089][ T3991] CPU: 1 PID: 3991 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 152.977513][ T3991] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 152.987561][ T3991] Call Trace: [ 152.990842][ T3991] [ 152.993887][ T3991] dump_stack_lvl+0x1b1/0x28e [ 152.998575][ T3991] ? nf_tcp_handle_invalid+0x62e/0x62e [ 153.004037][ T3991] ? panic+0x710/0x710 [ 153.008185][ T3991] ? kobject_uevent_env+0x46b/0x8e0 [ 153.013384][ T3991] ? do_raw_spin_unlock+0x134/0x8a0 [ 153.018594][ T3991] gfs2_withdraw+0xf33/0x1540 [ 153.023290][ T3991] ? gfs2_lm+0x220/0x220 [ 153.027553][ T3991] ? gfs2_dirent_scan+0xb6/0x650 [ 153.032519][ T3991] ? panic+0x710/0x710 [pid 3992] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3990] exit_group(0 [pid 3992] <... futex resumed>) = ? [pid 3990] <... exit_group resumed>) = ? [pid 3992] +++ exited with 0 +++ [ 153.036578][ T3991] ? gfs2_permission+0x2ff/0x430 [ 153.041533][ T3991] ? gfs2_consist_inode_i+0xf3/0x110 [ 153.046830][ T3991] gfs2_dirent_scan+0x535/0x650 [ 153.051691][ T3991] ? gfs2_dirent_search+0xb10/0xb10 [ 153.056887][ T3991] gfs2_dirent_search+0x2ea/0xb10 [ 153.061915][ T3991] ? gfs2_dirent_search+0xb10/0xb10 [ 153.067130][ T3991] ? gfs2_dir_search+0x2a0/0x2a0 [ 153.072078][ T3991] ? gfs2_permission+0x3bf/0x430 [ 153.077030][ T3991] gfs2_dir_search+0x8c/0x2a0 [ 153.081728][ T3991] ? do_filldir_main+0x530/0x530 [ 153.086669][ T3991] ? inode_go_held+0xe4/0x1f0 [ 153.091357][ T3991] ? gfs2_glock_wait+0x213/0x2a0 [ 153.096307][ T3991] gfs2_lookupi+0x465/0x650 [ 153.100821][ T3991] ? gfs2_lookup_simple+0x170/0x170 [ 153.106015][ T3991] ? __gfs2_lookup+0x8c/0x260 [ 153.110690][ T3991] __gfs2_lookup+0x8c/0x260 [ 153.115185][ T3991] ? gfs2_atomic_open+0x230/0x230 [ 153.120213][ T3991] ? __d_lookup+0x6a4/0x770 [ 153.124718][ T3991] ? d_hash_and_lookup+0x1c0/0x1c0 [ 153.129822][ T3991] gfs2_atomic_open+0xa4/0x230 [ 153.134679][ T3991] path_openat+0xf39/0x2df0 [ 153.139191][ T3991] ? gfs2_rename2+0x3000/0x3000 [ 153.144041][ T3991] ? do_filp_open+0x4f0/0x4f0 [ 153.148727][ T3991] do_filp_open+0x264/0x4f0 [ 153.153325][ T3991] ? vfs_tmpfile+0x490/0x490 [ 153.157908][ T3991] ? do_raw_spin_unlock+0x134/0x8a0 [ 153.163099][ T3991] ? _raw_spin_unlock+0x24/0x40 [ 153.167949][ T3991] ? alloc_fd+0x5a7/0x640 [ 153.172278][ T3991] do_sys_openat2+0x124/0x4e0 [ 153.176948][ T3991] ? print_irqtrace_events+0x220/0x220 [ 153.182395][ T3991] ? ptrace_stop+0x74d/0x970 [ 153.186987][ T3991] ? do_sys_open+0x220/0x220 [ 153.191619][ T3991] ? lockdep_hardirqs_on+0x8d/0x130 [ 153.196901][ T3991] ? _raw_spin_unlock_irq+0x2a/0x40 [ 153.202103][ T3991] ? ptrace_notify+0x245/0x340 [ 153.206873][ T3991] __x64_sys_openat+0x243/0x290 [ 153.211727][ T3991] ? __ia32_sys_open+0x270/0x270 [ 153.216680][ T3991] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 153.222655][ T3991] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 153.228648][ T3991] do_syscall_64+0x3d/0xb0 [ 153.233057][ T3991] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 153.238941][ T3991] RIP: 0033:0x7fc8868064d9 [ 153.243442][ T3991] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 153.263064][ T3991] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 153.271469][ T3991] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 153.281167][ T3991] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 3991] <... openat resumed>) = ? [pid 3991] +++ exited with 0 +++ [pid 3990] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3990, si_uid=0, si_status=0, si_utime=0, si_stime=32} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./117", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./117", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./117/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./117/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./117/binderfs") = 0 [ 153.289130][ T3991] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 153.297099][ T3991] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 153.305079][ T3991] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 153.313066][ T3991] umount2("./117/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./117/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./117/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./117/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./117/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./117/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./117") = 0 mkdir("./118", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3993 ./strace-static-x86_64: Process 3993 attached [pid 3993] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3993] chdir("./118") = 0 [pid 3993] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3993] setpgid(0, 0) = 0 [pid 3993] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3993] write(3, "1000", 4) = 4 [pid 3993] close(3) = 0 [pid 3993] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3993] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3993] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3993] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3993] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3994], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3994 [pid 3993] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3993] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3994 attached [pid 3994] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3994] memfd_create("syzkaller", 0) = 3 [pid 3994] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3994] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3994] munmap(0x7fc87e392000, 16777216) = 0 [pid 3994] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3994] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3994] close(3) = 0 [pid 3994] mkdir("./file0", 0777) = 0 [ 153.607926][ T3994] loop0: detected capacity change from 0 to 32768 [ 153.620704][ T3994] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 153.628972][ T3994] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 153.638105][ T3994] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 153.646732][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 153.653669][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3994] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3994] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3994] chdir("./file0") = 0 [pid 3994] ioctl(4, LOOP_CLR_FD) = 0 [pid 3994] close(4) = 0 [pid 3994] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3993] <... futex resumed>) = 0 [pid 3994] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3993] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3994] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3993] <... futex resumed>) = 0 [pid 3994] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 3993] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3994] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3994] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3993] <... futex resumed>) = 0 [pid 3994] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3993] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 3994] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3993] <... futex resumed>) = 0 [pid 3993] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 153.691072][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 153.699766][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 153.705278][ T3994] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 153.738773][ T3994] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 153.747365][ T3994] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 153.747365][ T3994] inode = 12 2341 [ 153.747365][ T3994] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 153.766494][ T3994] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 153.776052][ T3994] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3994 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 3994] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3993] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3993] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3993] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3993] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3993] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3995], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3995 [pid 3993] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3995 attached [pid 3995] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3995] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3995] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 153.786129][ T3994] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 153.794646][ T3994] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 153.801931][ T3994] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 153.810747][ T3994] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 153.818598][ T3994] gfs2: fsid=syz:syz.0: File system withdrawn [ 153.824777][ T3994] CPU: 0 PID: 3994 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 153.835205][ T3994] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 153.845264][ T3994] Call Trace: [ 153.848533][ T3994] [ 153.851455][ T3994] dump_stack_lvl+0x1b1/0x28e [ 153.856137][ T3994] ? nf_tcp_handle_invalid+0x62e/0x62e [ 153.861611][ T3994] ? panic+0x710/0x710 [ 153.865684][ T3994] ? kobject_uevent_env+0x46b/0x8e0 [ 153.870874][ T3994] ? do_raw_spin_unlock+0x134/0x8a0 [ 153.876075][ T3994] gfs2_withdraw+0xf33/0x1540 [ 153.880755][ T3994] ? gfs2_lm+0x220/0x220 [ 153.884988][ T3994] ? gfs2_dirent_scan+0xb6/0x650 [ 153.889926][ T3994] ? panic+0x710/0x710 [ 153.893996][ T3994] ? gfs2_permission+0x2ff/0x430 [ 153.898939][ T3994] ? gfs2_consist_inode_i+0xf3/0x110 [ 153.904230][ T3994] gfs2_dirent_scan+0x535/0x650 [ 153.909095][ T3994] ? gfs2_dirent_search+0xb10/0xb10 [ 153.914311][ T3994] gfs2_dirent_search+0x2ea/0xb10 [ 153.919344][ T3994] ? gfs2_dirent_search+0xb10/0xb10 [ 153.925519][ T3994] ? gfs2_dir_search+0x2a0/0x2a0 [ 153.930888][ T3994] ? gfs2_permission+0x3bf/0x430 [ 153.935836][ T3994] gfs2_dir_search+0x8c/0x2a0 [ 153.940514][ T3994] ? do_filldir_main+0x530/0x530 [ 153.945447][ T3994] ? inode_go_held+0xe4/0x1f0 [ 153.950132][ T3994] ? gfs2_glock_wait+0x213/0x2a0 [ 153.955060][ T3994] gfs2_lookupi+0x465/0x650 [ 153.959560][ T3994] ? gfs2_lookup_simple+0x170/0x170 [ 153.964752][ T3994] ? __gfs2_lookup+0x8c/0x260 [ 153.969441][ T3994] __gfs2_lookup+0x8c/0x260 [ 153.973941][ T3994] ? gfs2_atomic_open+0x230/0x230 [ 153.978961][ T3994] ? __d_lookup+0x6a4/0x770 [ 153.983460][ T3994] ? d_hash_and_lookup+0x1c0/0x1c0 [ 153.988565][ T3994] gfs2_atomic_open+0xa4/0x230 [ 153.993328][ T3994] path_openat+0xf39/0x2df0 [ 153.997833][ T3994] ? gfs2_rename2+0x3000/0x3000 [ 154.002686][ T3994] ? do_filp_open+0x4f0/0x4f0 [ 154.007368][ T3994] do_filp_open+0x264/0x4f0 [ 154.011864][ T3994] ? vfs_tmpfile+0x490/0x490 [ 154.016455][ T3994] ? do_raw_spin_unlock+0x134/0x8a0 [ 154.021650][ T3994] ? _raw_spin_unlock+0x24/0x40 [ 154.026513][ T3994] ? alloc_fd+0x5a7/0x640 [ 154.030845][ T3994] do_sys_openat2+0x124/0x4e0 [ 154.035516][ T3994] ? print_irqtrace_events+0x220/0x220 [ 154.040963][ T3994] ? ptrace_stop+0x74d/0x970 [ 154.045548][ T3994] ? do_sys_open+0x220/0x220 [ 154.050131][ T3994] ? lockdep_hardirqs_on+0x8d/0x130 [ 154.055326][ T3994] ? _raw_spin_unlock_irq+0x2a/0x40 [ 154.060519][ T3994] ? ptrace_notify+0x245/0x340 [ 154.065274][ T3994] __x64_sys_openat+0x243/0x290 [ 154.070120][ T3994] ? __ia32_sys_open+0x270/0x270 [ 154.075052][ T3994] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 154.081034][ T3994] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 154.087017][ T3994] do_syscall_64+0x3d/0xb0 [ 154.091424][ T3994] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 154.097308][ T3994] RIP: 0033:0x7fc8868064d9 [ 154.101714][ T3994] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 154.121318][ T3994] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 154.129725][ T3994] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 3995] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3994] <... openat resumed>) = -1 EIO (Input/output error) [pid 3994] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3994] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3993] exit_group(0 [pid 3995] <... futex resumed>) = ? [pid 3994] <... futex resumed>) = ? [pid 3994] +++ exited with 0 +++ [pid 3993] <... exit_group resumed>) = ? [pid 3995] +++ exited with 0 +++ [pid 3993] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3993, si_uid=0, si_status=0, si_utime=2, si_stime=27} --- umount2("./118", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./118", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./118/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./118/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./118/binderfs") = 0 [ 154.137689][ T3994] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 154.145652][ T3994] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 154.153633][ T3994] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 154.161598][ T3994] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 154.169577][ T3994] umount2("./118/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./118/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./118/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./118/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./118/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./118/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./118") = 0 mkdir("./119", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3996 attached , child_tidptr=0x55555635f5d0) = 3996 [pid 3996] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3996] chdir("./119") = 0 [pid 3996] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3996] setpgid(0, 0) = 0 [pid 3996] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3996] write(3, "1000", 4) = 4 [pid 3996] close(3) = 0 [pid 3996] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3996] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3996] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3996] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3996] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3997], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 3997 [pid 3996] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3996] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 3997 attached [pid 3997] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3997] memfd_create("syzkaller", 0) = 3 [pid 3997] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3997] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 3997] munmap(0x7fc87e392000, 16777216) = 0 [pid 3997] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3997] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3997] close(3) = 0 [pid 3997] mkdir("./file0", 0777) = 0 [ 154.484131][ T3997] loop0: detected capacity change from 0 to 32768 [ 154.494947][ T3997] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 154.503723][ T3997] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 154.513276][ T3997] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 154.522116][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 154.528885][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 3997] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 3997] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3997] chdir("./file0") = 0 [pid 3997] ioctl(4, LOOP_CLR_FD) = 0 [pid 3997] close(4) = 0 [pid 3997] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3996] <... futex resumed>) = 0 [pid 3996] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3996] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3997] <... futex resumed>) = 1 [pid 3997] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 3997] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3996] <... futex resumed>) = 0 [pid 3996] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3996] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3997] <... futex resumed>) = 1 [ 154.566530][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 154.574129][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 154.579386][ T3997] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 154.594186][ T3997] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 154.602736][ T3997] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 154.602736][ T3997] inode = 12 2341 [pid 3997] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3996] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3996] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3996] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3996] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3996] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3998], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 3998 [pid 3996] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3998 attached [pid 3998] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 3998] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 3998] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 154.602736][ T3997] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 154.622048][ T3997] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 154.632178][ T3997] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:3997 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 154.642496][ T3997] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 154.651356][ T3997] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 154.658676][ T3997] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 154.667720][ T3997] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 154.674583][ T3997] gfs2: fsid=syz:syz.0: File system withdrawn [ 154.681112][ T3997] CPU: 0 PID: 3997 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 154.691524][ T3997] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 154.701580][ T3997] Call Trace: [ 154.704861][ T3997] [ 154.707781][ T3997] dump_stack_lvl+0x1b1/0x28e [ 154.712455][ T3997] ? nf_tcp_handle_invalid+0x62e/0x62e [ 154.717906][ T3997] ? panic+0x710/0x710 [ 154.721980][ T3997] ? kobject_uevent_env+0x46b/0x8e0 [ 154.727179][ T3997] ? do_raw_spin_unlock+0x134/0x8a0 [ 154.732393][ T3997] gfs2_withdraw+0xf33/0x1540 [ 154.737106][ T3997] ? gfs2_lm+0x220/0x220 [ 154.741350][ T3997] ? gfs2_dirent_scan+0xb6/0x650 [ 154.746286][ T3997] ? panic+0x710/0x710 [ 154.750343][ T3997] ? gfs2_permission+0x2ff/0x430 [ 154.755366][ T3997] ? gfs2_consist_inode_i+0xf3/0x110 [ 154.760657][ T3997] gfs2_dirent_scan+0x535/0x650 [pid 3998] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3996] exit_group(0 [pid 3998] <... futex resumed>) = ? [pid 3996] <... exit_group resumed>) = ? [pid 3998] +++ exited with 0 +++ [ 154.765529][ T3997] ? gfs2_dirent_search+0xb10/0xb10 [ 154.770724][ T3997] gfs2_dirent_search+0x2ea/0xb10 [ 154.775761][ T3997] ? gfs2_dirent_search+0xb10/0xb10 [ 154.780968][ T3997] ? gfs2_dir_search+0x2a0/0x2a0 [ 154.785914][ T3997] ? gfs2_permission+0x3bf/0x430 [ 154.790965][ T3997] gfs2_dir_search+0x8c/0x2a0 [ 154.795659][ T3997] ? do_filldir_main+0x530/0x530 [ 154.800591][ T3997] ? inode_go_held+0xe4/0x1f0 [ 154.805267][ T3997] ? gfs2_glock_wait+0x213/0x2a0 [ 154.810200][ T3997] gfs2_lookupi+0x465/0x650 [ 154.814701][ T3997] ? gfs2_lookup_simple+0x170/0x170 [ 154.819892][ T3997] ? __gfs2_lookup+0x8c/0x260 [ 154.824562][ T3997] __gfs2_lookup+0x8c/0x260 [ 154.829843][ T3997] ? gfs2_atomic_open+0x230/0x230 [ 154.834860][ T3997] ? __d_lookup+0x6a4/0x770 [ 154.839379][ T3997] ? d_hash_and_lookup+0x1c0/0x1c0 [ 154.844499][ T3997] gfs2_atomic_open+0xa4/0x230 [ 154.849256][ T3997] path_openat+0xf39/0x2df0 [ 154.853779][ T3997] ? gfs2_rename2+0x3000/0x3000 [ 154.858651][ T3997] ? do_filp_open+0x4f0/0x4f0 [ 154.863327][ T3997] do_filp_open+0x264/0x4f0 [ 154.867843][ T3997] ? vfs_tmpfile+0x490/0x490 [ 154.872435][ T3997] ? do_raw_spin_unlock+0x134/0x8a0 [ 154.877627][ T3997] ? _raw_spin_unlock+0x24/0x40 [ 154.882469][ T3997] ? alloc_fd+0x5a7/0x640 [ 154.886806][ T3997] do_sys_openat2+0x124/0x4e0 [ 154.891490][ T3997] ? print_irqtrace_events+0x220/0x220 [ 154.896935][ T3997] ? ptrace_stop+0x74d/0x970 [ 154.901535][ T3997] ? do_sys_open+0x220/0x220 [ 154.906123][ T3997] ? lockdep_hardirqs_on+0x8d/0x130 [ 154.911323][ T3997] ? _raw_spin_unlock_irq+0x2a/0x40 [ 154.916516][ T3997] ? ptrace_notify+0x245/0x340 [ 154.921274][ T3997] __x64_sys_openat+0x243/0x290 [ 154.926126][ T3997] ? __ia32_sys_open+0x270/0x270 [ 154.931056][ T3997] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 154.937042][ T3997] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 154.943023][ T3997] do_syscall_64+0x3d/0xb0 [ 154.947435][ T3997] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 154.953685][ T3997] RIP: 0033:0x7fc8868064d9 [ 154.958095][ T3997] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 154.977701][ T3997] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 154.986642][ T3997] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 154.994620][ T3997] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 155.002593][ T3997] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 155.010553][ T3997] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 3997] <... openat resumed>) = ? [pid 3997] +++ exited with 0 +++ [pid 3996] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3996, si_uid=0, si_status=0, si_utime=3, si_stime=31} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./119", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./119", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./119/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./119/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./119/binderfs") = 0 [ 155.018539][ T3997] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 155.026553][ T3997] umount2("./119/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./119/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./119/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./119/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./119/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./119/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./119") = 0 mkdir("./120", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 3999 ./strace-static-x86_64: Process 3999 attached [pid 3999] set_robust_list(0x55555635f5e0, 24) = 0 [pid 3999] chdir("./120") = 0 [pid 3999] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3999] setpgid(0, 0) = 0 [pid 3999] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3999] write(3, "1000", 4) = 4 [pid 3999] close(3) = 0 [pid 3999] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3999] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3999] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 3999] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3999] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4000], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4000 [pid 3999] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 4000 attached [pid 4000] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 3999] <... futex resumed>) = 0 [pid 4000] memfd_create("syzkaller", 0) = 3 [pid 4000] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 3999] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4000] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4000] munmap(0x7fc87e392000, 16777216) = 0 [pid 4000] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4000] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4000] close(3) = 0 [pid 4000] mkdir("./file0", 0777) = 0 [ 155.318692][ T4000] loop0: detected capacity change from 0 to 32768 [ 155.329303][ T4000] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 155.337595][ T4000] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 155.347314][ T4000] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 155.356123][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 155.363242][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4000] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4000] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4000] chdir("./file0") = 0 [pid 4000] ioctl(4, LOOP_CLR_FD) = 0 [pid 4000] close(4) = 0 [pid 4000] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3999] <... futex resumed>) = 0 [pid 3999] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3999] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4000] <... futex resumed>) = 1 [pid 4000] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4000] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 3999] <... futex resumed>) = 0 [pid 3999] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3999] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4000] <... futex resumed>) = 1 [ 155.399381][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 155.407142][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 155.412465][ T4000] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 155.425732][ T4000] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 155.434261][ T4000] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 155.434261][ T4000] inode = 12 2341 [pid 4000] openat(AT_FDCWD, "./file0", O_RDONLY [pid 3999] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 3999] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3999] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 3999] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3999] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4001], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4001 [pid 3999] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4001 attached [pid 4001] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4001] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4001] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 155.434261][ T4000] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 155.453034][ T4000] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 155.462205][ T4000] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4000 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 155.472325][ T4000] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 155.480990][ T4000] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 155.488211][ T4000] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 155.497116][ T4000] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 155.503707][ T4000] gfs2: fsid=syz:syz.0: File system withdrawn [ 155.509786][ T4000] CPU: 0 PID: 4000 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 155.520209][ T4000] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 155.530268][ T4000] Call Trace: [ 155.533535][ T4000] [ 155.536454][ T4000] dump_stack_lvl+0x1b1/0x28e [ 155.541145][ T4000] ? nf_tcp_handle_invalid+0x62e/0x62e [ 155.546620][ T4000] ? panic+0x710/0x710 [ 155.550704][ T4000] ? kobject_uevent_env+0x46b/0x8e0 [ 155.555910][ T4000] ? do_raw_spin_unlock+0x134/0x8a0 [ 155.561117][ T4000] gfs2_withdraw+0xf33/0x1540 [ 155.565795][ T4000] ? gfs2_lm+0x220/0x220 [ 155.570026][ T4000] ? gfs2_dirent_scan+0xb6/0x650 [ 155.574971][ T4000] ? panic+0x710/0x710 [ 155.579060][ T4000] ? gfs2_permission+0x2ff/0x430 [ 155.584036][ T4000] ? gfs2_consist_inode_i+0xf3/0x110 [ 155.589324][ T4000] gfs2_dirent_scan+0x535/0x650 [ 155.594256][ T4000] ? gfs2_dirent_search+0xb10/0xb10 [ 155.599452][ T4000] gfs2_dirent_search+0x2ea/0xb10 [ 155.604485][ T4000] ? gfs2_dirent_search+0xb10/0xb10 [ 155.609712][ T4000] ? gfs2_dir_search+0x2a0/0x2a0 [ 155.614660][ T4000] ? gfs2_permission+0x3bf/0x430 [ 155.619614][ T4000] gfs2_dir_search+0x8c/0x2a0 [ 155.624297][ T4000] ? do_filldir_main+0x530/0x530 [ 155.629236][ T4000] ? inode_go_held+0xe4/0x1f0 [ 155.634606][ T4000] ? gfs2_glock_wait+0x213/0x2a0 [ 155.639535][ T4000] gfs2_lookupi+0x465/0x650 [ 155.644038][ T4000] ? gfs2_lookup_simple+0x170/0x170 [ 155.649232][ T4000] ? __gfs2_lookup+0x8c/0x260 [ 155.653914][ T4000] __gfs2_lookup+0x8c/0x260 [ 155.658415][ T4000] ? gfs2_atomic_open+0x230/0x230 [ 155.663525][ T4000] ? __d_lookup+0x6a4/0x770 [ 155.668019][ T4000] ? d_hash_and_lookup+0x1c0/0x1c0 [ 155.673125][ T4000] gfs2_atomic_open+0xa4/0x230 [ 155.677885][ T4000] path_openat+0xf39/0x2df0 [ 155.682400][ T4000] ? gfs2_rename2+0x3000/0x3000 [ 155.687259][ T4000] ? do_filp_open+0x4f0/0x4f0 [ 155.691944][ T4000] do_filp_open+0x264/0x4f0 [ 155.696438][ T4000] ? vfs_tmpfile+0x490/0x490 [ 155.701028][ T4000] ? do_raw_spin_unlock+0x134/0x8a0 [ 155.706227][ T4000] ? _raw_spin_unlock+0x24/0x40 [ 155.711075][ T4000] ? alloc_fd+0x5a7/0x640 [ 155.715420][ T4000] do_sys_openat2+0x124/0x4e0 [ 155.720092][ T4000] ? print_irqtrace_events+0x220/0x220 [ 155.725543][ T4000] ? ptrace_stop+0x74d/0x970 [ 155.730125][ T4000] ? do_sys_open+0x220/0x220 [ 155.734709][ T4000] ? lockdep_hardirqs_on+0x8d/0x130 [ 155.739898][ T4000] ? _raw_spin_unlock_irq+0x2a/0x40 [ 155.745093][ T4000] ? ptrace_notify+0x245/0x340 [ 155.749846][ T4000] __x64_sys_openat+0x243/0x290 [ 155.754689][ T4000] ? __ia32_sys_open+0x270/0x270 [ 155.759620][ T4000] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 155.765592][ T4000] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 155.771564][ T4000] do_syscall_64+0x3d/0xb0 [ 155.775972][ T4000] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 155.781876][ T4000] RIP: 0033:0x7fc8868064d9 [ 155.786294][ T4000] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 155.805904][ T4000] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 155.814321][ T4000] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 155.822286][ T4000] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 155.830250][ T4000] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 155.838214][ T4000] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 4001] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4000] <... openat resumed>) = -1 EIO (Input/output error) [pid 4000] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4000] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3999] exit_group(0 [pid 4001] <... futex resumed>) = ? [pid 4000] <... futex resumed>) = ? [pid 4001] +++ exited with 0 +++ [pid 4000] +++ exited with 0 +++ [pid 3999] <... exit_group resumed>) = ? [pid 3999] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3999, si_uid=0, si_status=0, si_utime=2, si_stime=32} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./120", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./120", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./120/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./120/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./120/binderfs") = 0 [ 155.846175][ T4000] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 155.854151][ T4000] umount2("./120/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./120/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./120/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./120/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./120/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./120/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./120") = 0 mkdir("./121", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4002 ./strace-static-x86_64: Process 4002 attached [pid 4002] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4002] chdir("./121") = 0 [pid 4002] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4002] setpgid(0, 0) = 0 [pid 4002] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4002] write(3, "1000", 4) = 4 [pid 4002] close(3) = 0 [pid 4002] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4002] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4002] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4002] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4002] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 4003 attached , parent_tid=[4003], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4003 [pid 4002] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4002] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4003] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4003] memfd_create("syzkaller", 0) = 3 [pid 4003] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4003] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4003] munmap(0x7fc87e392000, 16777216) = 0 [pid 4003] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4003] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4003] close(3) = 0 [pid 4003] mkdir("./file0", 0777) = 0 [ 156.144294][ T4003] loop0: detected capacity change from 0 to 32768 [ 156.154442][ T4003] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 156.162937][ T4003] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 156.173242][ T4003] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 156.181863][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 156.188687][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4003] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4003] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4003] chdir("./file0") = 0 [pid 4003] ioctl(4, LOOP_CLR_FD) = 0 [pid 4003] close(4) = 0 [pid 4003] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4003] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4002] <... futex resumed>) = 0 [pid 4002] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4002] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4003] <... futex resumed>) = 0 [pid 4003] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4003] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4002] <... futex resumed>) = 0 [pid 4002] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4002] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4003] <... futex resumed>) = 1 [ 156.221734][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 156.229277][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 156.234659][ T4003] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 156.257655][ T4003] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 156.266397][ T4003] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 156.266397][ T4003] inode = 12 2341 [ 156.266397][ T4003] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 156.285833][ T4003] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 156.295181][ T4003] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4003 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 156.305227][ T4003] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 156.313778][ T4003] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 4003] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4002] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4002] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4002] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4002] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4002] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4004], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4004 [pid 4002] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 156.321021][ T4003] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 156.330251][ T4003] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 156.336948][ T4003] gfs2: fsid=syz:syz.0: File system withdrawn [ 156.344202][ T4003] CPU: 0 PID: 4003 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 156.354644][ T4003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 156.364703][ T4003] Call Trace: [ 156.367977][ T4003] ./strace-static-x86_64: Process 4004 attached [pid 4004] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4004] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4004] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 156.370905][ T4003] dump_stack_lvl+0x1b1/0x28e [ 156.375582][ T4003] ? nf_tcp_handle_invalid+0x62e/0x62e [ 156.381030][ T4003] ? panic+0x710/0x710 [ 156.385088][ T4003] ? kobject_uevent_env+0x46b/0x8e0 [ 156.390282][ T4003] ? do_raw_spin_unlock+0x134/0x8a0 [ 156.395498][ T4003] gfs2_withdraw+0xf33/0x1540 [ 156.400178][ T4003] ? gfs2_lm+0x220/0x220 [ 156.404405][ T4003] ? gfs2_dirent_scan+0xb6/0x650 [ 156.409344][ T4003] ? panic+0x710/0x710 [ 156.413404][ T4003] ? gfs2_permission+0x2ff/0x430 [ 156.418344][ T4003] ? gfs2_consist_inode_i+0xf3/0x110 [ 156.423639][ T4003] gfs2_dirent_scan+0x535/0x650 [ 156.428490][ T4003] ? gfs2_dirent_search+0xb10/0xb10 [ 156.433687][ T4003] gfs2_dirent_search+0x2ea/0xb10 [ 156.438706][ T4003] ? gfs2_dirent_search+0xb10/0xb10 [ 156.443902][ T4003] ? gfs2_dir_search+0x2a0/0x2a0 [ 156.448836][ T4003] ? gfs2_permission+0x3bf/0x430 [ 156.453773][ T4003] gfs2_dir_search+0x8c/0x2a0 [ 156.458447][ T4003] ? do_filldir_main+0x530/0x530 [ 156.463377][ T4003] ? inode_go_held+0xe4/0x1f0 [ 156.468073][ T4003] ? gfs2_glock_wait+0x213/0x2a0 [ 156.473005][ T4003] gfs2_lookupi+0x465/0x650 [ 156.477507][ T4003] ? gfs2_lookup_simple+0x170/0x170 [ 156.482701][ T4003] ? __gfs2_lookup+0x8c/0x260 [ 156.487377][ T4003] __gfs2_lookup+0x8c/0x260 [ 156.491878][ T4003] ? gfs2_atomic_open+0x230/0x230 [ 156.496908][ T4003] ? __d_lookup+0x6a4/0x770 [ 156.501402][ T4003] ? d_hash_and_lookup+0x1c0/0x1c0 [ 156.506505][ T4003] gfs2_atomic_open+0xa4/0x230 [ 156.511266][ T4003] path_openat+0xf39/0x2df0 [ 156.515766][ T4003] ? gfs2_rename2+0x3000/0x3000 [ 156.520633][ T4003] ? do_filp_open+0x4f0/0x4f0 [ 156.525316][ T4003] do_filp_open+0x264/0x4f0 [ 156.529831][ T4003] ? vfs_tmpfile+0x490/0x490 [ 156.534422][ T4003] ? do_raw_spin_unlock+0x134/0x8a0 [ 156.539621][ T4003] ? _raw_spin_unlock+0x24/0x40 [ 156.544470][ T4003] ? alloc_fd+0x5a7/0x640 [ 156.548801][ T4003] do_sys_openat2+0x124/0x4e0 [ 156.553471][ T4003] ? print_irqtrace_events+0x220/0x220 [ 156.558923][ T4003] ? ptrace_stop+0x74d/0x970 [ 156.563510][ T4003] ? do_sys_open+0x220/0x220 [ 156.568092][ T4003] ? lockdep_hardirqs_on+0x8d/0x130 [ 156.573287][ T4003] ? _raw_spin_unlock_irq+0x2a/0x40 [ 156.578487][ T4003] ? ptrace_notify+0x245/0x340 [ 156.583253][ T4003] __x64_sys_openat+0x243/0x290 [ 156.588099][ T4003] ? __ia32_sys_open+0x270/0x270 [ 156.593035][ T4003] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 156.599098][ T4003] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 156.605069][ T4003] do_syscall_64+0x3d/0xb0 [ 156.609479][ T4003] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 156.615365][ T4003] RIP: 0033:0x7fc8868064d9 [ 156.619860][ T4003] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 156.639579][ T4003] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 156.647997][ T4003] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 156.655971][ T4003] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 156.663950][ T4003] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4004] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4003] <... openat resumed>) = -1 EIO (Input/output error) [pid 4003] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4002] exit_group(0) = ? [pid 4004] <... futex resumed>) = ? [pid 4004] +++ exited with 0 +++ [pid 4003] <... futex resumed>) = ? [pid 4003] +++ exited with 0 +++ [pid 4002] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4002, si_uid=0, si_status=0, si_utime=2, si_stime=27} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./121", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./121", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./121/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./121/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./121/binderfs") = 0 [ 156.671917][ T4003] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 156.679877][ T4003] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 156.687855][ T4003] umount2("./121/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./121/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./121/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./121/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./121/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./121/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./121") = 0 mkdir("./122", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4005 ./strace-static-x86_64: Process 4005 attached [pid 4005] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4005] chdir("./122") = 0 [pid 4005] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4005] setpgid(0, 0) = 0 [pid 4005] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4005] write(3, "1000", 4) = 4 [pid 4005] close(3) = 0 [pid 4005] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4005] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4005] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4005] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4005] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4006], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4006 ./strace-static-x86_64: Process 4006 attached [pid 4005] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4005] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4006] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4006] memfd_create("syzkaller", 0) = 3 [pid 4006] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4006] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4006] munmap(0x7fc87e392000, 16777216) = 0 [pid 4006] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4006] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4006] close(3) = 0 [pid 4006] mkdir("./file0", 0777) = 0 [ 156.986686][ T4006] loop0: detected capacity change from 0 to 32768 [ 156.998017][ T4006] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 157.006496][ T4006] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 157.015543][ T4006] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 157.024467][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 157.031410][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4006] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4006] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4006] chdir("./file0") = 0 [pid 4006] ioctl(4, LOOP_CLR_FD) = 0 [pid 4006] close(4) = 0 [pid 4006] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4005] <... futex resumed>) = 0 [pid 4005] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4005] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4006] <... futex resumed>) = 1 [pid 4006] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4006] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4005] <... futex resumed>) = 0 [pid 4005] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4005] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4006] <... futex resumed>) = 1 [ 157.066309][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 157.075048][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 157.080591][ T4006] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 157.104734][ T4006] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4006] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4005] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4005] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4005] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4005] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4005] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4007], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4007 [pid 4005] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4007 attached [pid 4007] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 157.113488][ T4006] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 157.113488][ T4006] inode = 12 2341 [ 157.113488][ T4006] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 157.132555][ T4006] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 157.141845][ T4006] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4006 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 157.151988][ T4006] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 157.157486][ T4007] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 157.161135][ T4006] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 157.169651][ T4007] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 157.176328][ T4006] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 157.185532][ T4007] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4006 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 157.195033][ T4006] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 157.204414][ T4007] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4007 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 157.212538][ T4006] gfs2: fsid=syz:syz.0: File system withdrawn [ 157.220911][ T4007] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 157.227224][ T4006] CPU: 1 PID: 4006 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 157.245419][ T4006] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 157.255514][ T4006] Call Trace: [ 157.258792][ T4006] [ 157.261730][ T4006] dump_stack_lvl+0x1b1/0x28e [ 157.266411][ T4006] ? nf_tcp_handle_invalid+0x62e/0x62e [ 157.271885][ T4006] ? panic+0x710/0x710 [ 157.275952][ T4006] ? kobject_uevent_env+0x46b/0x8e0 [ 157.281248][ T4006] ? do_raw_spin_unlock+0x134/0x8a0 [ 157.286448][ T4006] gfs2_withdraw+0xf33/0x1540 [ 157.291133][ T4006] ? gfs2_lm+0x220/0x220 [ 157.295365][ T4006] ? gfs2_dirent_scan+0xb6/0x650 [ 157.300302][ T4006] ? panic+0x710/0x710 [ 157.304362][ T4006] ? gfs2_permission+0x2ff/0x430 [ 157.309298][ T4006] ? gfs2_consist_inode_i+0xf3/0x110 [ 157.314579][ T4006] gfs2_dirent_scan+0x535/0x650 [ 157.319429][ T4006] ? gfs2_dirent_search+0xb10/0xb10 [ 157.324649][ T4006] gfs2_dirent_search+0x2ea/0xb10 [ 157.329672][ T4006] ? gfs2_dirent_search+0xb10/0xb10 [ 157.334867][ T4006] ? gfs2_dir_search+0x2a0/0x2a0 [ 157.339798][ T4006] ? gfs2_permission+0x3bf/0x430 [ 157.344737][ T4006] gfs2_dir_search+0x8c/0x2a0 [ 157.349413][ T4006] ? do_filldir_main+0x530/0x530 [ 157.354348][ T4006] ? inode_go_held+0xe4/0x1f0 [ 157.359028][ T4006] ? gfs2_glock_wait+0x213/0x2a0 [ 157.363963][ T4006] gfs2_lookupi+0x465/0x650 [ 157.368471][ T4006] ? gfs2_lookup_simple+0x170/0x170 [ 157.373666][ T4006] ? __gfs2_lookup+0x8c/0x260 [ 157.378344][ T4006] __gfs2_lookup+0x8c/0x260 [ 157.382843][ T4006] ? gfs2_atomic_open+0x230/0x230 [ 157.387866][ T4006] ? __d_lookup+0x6a4/0x770 [ 157.392361][ T4006] ? d_hash_and_lookup+0x1c0/0x1c0 [ 157.397467][ T4006] gfs2_atomic_open+0xa4/0x230 [ 157.402231][ T4006] path_openat+0xf39/0x2df0 [ 157.406736][ T4006] ? gfs2_rename2+0x3000/0x3000 [ 157.411597][ T4006] ? do_filp_open+0x4f0/0x4f0 [ 157.416281][ T4006] do_filp_open+0x264/0x4f0 [ 157.420788][ T4006] ? vfs_tmpfile+0x490/0x490 [ 157.425384][ T4006] ? do_raw_spin_unlock+0x134/0x8a0 [ 157.430592][ T4006] ? _raw_spin_unlock+0x24/0x40 [ 157.435441][ T4006] ? alloc_fd+0x5a7/0x640 [ 157.439775][ T4006] do_sys_openat2+0x124/0x4e0 [ 157.444448][ T4006] ? print_irqtrace_events+0x220/0x220 [ 157.449896][ T4006] ? ptrace_stop+0x74d/0x970 [ 157.454484][ T4006] ? do_sys_open+0x220/0x220 [ 157.459071][ T4006] ? lockdep_hardirqs_on+0x8d/0x130 [ 157.464267][ T4006] ? _raw_spin_unlock_irq+0x2a/0x40 [ 157.469640][ T4006] ? ptrace_notify+0x245/0x340 [ 157.474397][ T4006] __x64_sys_openat+0x243/0x290 [ 157.479243][ T4006] ? __ia32_sys_open+0x270/0x270 [ 157.484191][ T4006] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 157.490168][ T4006] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 157.496144][ T4006] do_syscall_64+0x3d/0xb0 [ 157.500553][ T4006] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 157.506437][ T4006] RIP: 0033:0x7fc8868064d9 [ 157.510845][ T4006] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 157.530446][ T4006] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 157.538854][ T4006] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 157.546818][ T4006] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 157.554795][ T4006] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4007] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4006] <... openat resumed>) = -1 EIO (Input/output error) [pid 4007] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 4006] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4007] <... futex resumed>) = 0 [pid 4006] <... futex resumed>) = 0 [pid 4007] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4005] exit_group(0 [pid 4007] <... futex resumed>) = ? [pid 4005] <... exit_group resumed>) = ? [pid 4007] +++ exited with 0 +++ [pid 4006] +++ exited with 0 +++ [pid 4005] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4005, si_uid=0, si_status=0, si_utime=2, si_stime=40} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./122", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./122", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./122/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./122/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./122/binderfs") = 0 [ 157.562756][ T4006] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 157.570717][ T4006] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 157.578713][ T4006] umount2("./122/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./122/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./122/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./122/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./122/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./122/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./122") = 0 mkdir("./123", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4008 ./strace-static-x86_64: Process 4008 attached [pid 4008] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4008] chdir("./123") = 0 [pid 4008] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4008] setpgid(0, 0) = 0 [pid 4008] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4008] write(3, "1000", 4) = 4 [pid 4008] close(3) = 0 [pid 4008] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4008] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4008] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4008] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4008] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 4009 attached , parent_tid=[4009], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4009 [pid 4009] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4009] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4008] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4009] <... futex resumed>) = 0 [pid 4008] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4009] memfd_create("syzkaller", 0) = 3 [pid 4009] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4009] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4009] munmap(0x7fc87e392000, 16777216) = 0 [pid 4009] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4009] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4009] close(3) = 0 [pid 4009] mkdir("./file0", 0777) = 0 [ 157.882118][ T4009] loop0: detected capacity change from 0 to 32768 [ 157.892727][ T4009] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 157.900969][ T4009] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 157.911390][ T4009] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 157.920370][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 157.927157][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4009] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4009] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4009] chdir("./file0") = 0 [pid 4009] ioctl(4, LOOP_CLR_FD) = 0 [pid 4009] close(4) = 0 [pid 4009] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4008] <... futex resumed>) = 0 [pid 4008] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4008] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4009] <... futex resumed>) = 1 [pid 4009] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4009] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4008] <... futex resumed>) = 0 [pid 4008] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4008] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4009] <... futex resumed>) = 1 [ 157.965783][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 157.973389][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 157.978643][ T4009] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 157.995389][ T4009] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 158.007020][ T4009] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 4009] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4008] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4008] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 4008] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4008] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4008] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4008] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4010], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4010 [pid 4008] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4010 attached [pid 4010] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 158.007020][ T4009] inode = 12 2341 [ 158.007020][ T4009] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 158.025939][ T4009] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 158.035308][ T4009] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4009 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 158.045946][ T4009] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 158.052642][ T4010] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 158.055281][ T4009] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 158.063779][ T4010] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 158.069979][ T4009] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 158.069992][ T4009] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 158.071752][ T4009] gfs2: fsid=syz:syz.0: File system withdrawn [ 158.080039][ T4010] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4009 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 158.087857][ T4009] CPU: 1 PID: 4009 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 158.094756][ T4010] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4010 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 158.100234][ T4009] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 158.100247][ T4009] Call Trace: [ 158.100255][ T4009] [ 158.100264][ T4009] dump_stack_lvl+0x1b1/0x28e [ 158.100287][ T4009] ? nf_tcp_handle_invalid+0x62e/0x62e [ 158.100305][ T4009] ? panic+0x710/0x710 [ 158.100323][ T4009] ? kobject_uevent_env+0x46b/0x8e0 [ 158.111641][ T4010] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 158.120673][ T4009] ? do_raw_spin_unlock+0x134/0x8a0 [ 158.120710][ T4009] gfs2_withdraw+0xf33/0x1540 [ 158.120746][ T4009] ? gfs2_lm+0x220/0x220 [ 158.120762][ T4009] ? gfs2_dirent_scan+0xb6/0x650 [ 158.193748][ T4009] ? panic+0x710/0x710 [ 158.197818][ T4009] ? gfs2_permission+0x2ff/0x430 [ 158.202757][ T4009] ? gfs2_consist_inode_i+0xf3/0x110 [ 158.208041][ T4009] gfs2_dirent_scan+0x535/0x650 [ 158.212894][ T4009] ? gfs2_dirent_search+0xb10/0xb10 [ 158.218089][ T4009] gfs2_dirent_search+0x2ea/0xb10 [ 158.223112][ T4009] ? gfs2_dirent_search+0xb10/0xb10 [ 158.228311][ T4009] ? gfs2_dir_search+0x2a0/0x2a0 [ 158.233246][ T4009] ? gfs2_permission+0x3bf/0x430 [ 158.238183][ T4009] gfs2_dir_search+0x8c/0x2a0 [ 158.242858][ T4009] ? do_filldir_main+0x530/0x530 [ 158.247793][ T4009] ? inode_go_held+0xe4/0x1f0 [ 158.252470][ T4009] ? gfs2_glock_wait+0x213/0x2a0 [ 158.257400][ T4009] gfs2_lookupi+0x465/0x650 [ 158.261904][ T4009] ? gfs2_lookup_simple+0x170/0x170 [ 158.267881][ T4009] ? __gfs2_lookup+0x8c/0x260 [ 158.272578][ T4009] __gfs2_lookup+0x8c/0x260 [ 158.277079][ T4009] ? gfs2_atomic_open+0x230/0x230 [ 158.282104][ T4009] ? __d_lookup+0x6a4/0x770 [ 158.286597][ T4009] ? d_hash_and_lookup+0x1c0/0x1c0 [ 158.291703][ T4009] gfs2_atomic_open+0xa4/0x230 [ 158.296465][ T4009] path_openat+0xf39/0x2df0 [ 158.300966][ T4009] ? gfs2_rename2+0x3000/0x3000 [ 158.305828][ T4009] ? do_filp_open+0x4f0/0x4f0 [ 158.310511][ T4009] do_filp_open+0x264/0x4f0 [ 158.315007][ T4009] ? vfs_tmpfile+0x490/0x490 [ 158.319601][ T4009] ? do_raw_spin_unlock+0x134/0x8a0 [ 158.326621][ T4009] ? _raw_spin_unlock+0x24/0x40 [ 158.331464][ T4009] ? alloc_fd+0x5a7/0x640 [ 158.335802][ T4009] do_sys_openat2+0x124/0x4e0 [ 158.340471][ T4009] ? print_irqtrace_events+0x220/0x220 [ 158.345922][ T4009] ? ptrace_stop+0x74d/0x970 [ 158.350506][ T4009] ? do_sys_open+0x220/0x220 [ 158.355095][ T4009] ? lockdep_hardirqs_on+0x8d/0x130 [ 158.360289][ T4009] ? _raw_spin_unlock_irq+0x2a/0x40 [ 158.365484][ T4009] ? ptrace_notify+0x245/0x340 [ 158.370238][ T4009] __x64_sys_openat+0x243/0x290 [ 158.375084][ T4009] ? __ia32_sys_open+0x270/0x270 [ 158.380018][ T4009] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 158.386010][ T4009] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 158.391986][ T4009] do_syscall_64+0x3d/0xb0 [ 158.396481][ T4009] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 158.402364][ T4009] RIP: 0033:0x7fc8868064d9 [ 158.406770][ T4009] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 158.426374][ T4009] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 158.434785][ T4009] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 158.442748][ T4009] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 158.450712][ T4009] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 158.458674][ T4009] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 4010] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 4009] <... openat resumed>) = -1 EIO (Input/output error) [pid 4009] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4009] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4010] <... openat resumed>) = -1 EIO (Input/output error) [pid 4010] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4008] exit_group(0 [pid 4009] <... futex resumed>) = ? [pid 4008] <... exit_group resumed>) = ? [pid 4009] +++ exited with 0 +++ [pid 4010] +++ exited with 0 +++ [pid 4008] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4008, si_uid=0, si_status=0, si_utime=3, si_stime=33} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./123", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./123", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./123/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./123/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./123/binderfs") = 0 [ 158.466634][ T4009] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 158.474609][ T4009] umount2("./123/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./123/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./123/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./123/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./123/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./123/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./123") = 0 mkdir("./124", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4011 ./strace-static-x86_64: Process 4011 attached [pid 4011] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4011] chdir("./124") = 0 [pid 4011] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4011] setpgid(0, 0) = 0 [pid 4011] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4011] write(3, "1000", 4) = 4 [pid 4011] close(3) = 0 [pid 4011] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4011] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4011] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4011] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4011] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 4012 attached , parent_tid=[4012], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4012 [pid 4012] set_robust_list(0x7fc8867b29e0, 24 [pid 4011] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4012] <... set_robust_list resumed>) = 0 [pid 4011] <... futex resumed>) = 0 [pid 4011] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4012] memfd_create("syzkaller", 0) = 3 [pid 4012] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4012] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4012] munmap(0x7fc87e392000, 16777216) = 0 [pid 4012] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4012] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4012] close(3) = 0 [pid 4012] mkdir("./file0", 0777) = 0 [ 158.770988][ T4012] loop0: detected capacity change from 0 to 32768 [ 158.783058][ T4012] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 158.791522][ T4012] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 158.801681][ T4012] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 158.810569][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 158.817357][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4012] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4012] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4012] chdir("./file0") = 0 [pid 4012] ioctl(4, LOOP_CLR_FD) = 0 [pid 4012] close(4) = 0 [pid 4012] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4011] <... futex resumed>) = 0 [pid 4011] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4011] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4012] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4012] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4011] <... futex resumed>) = 0 [pid 4011] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4011] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 158.852418][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 158.861340][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 158.866595][ T4012] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 158.887929][ T4012] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4012] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4011] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4011] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 4011] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4011] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4011] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4011] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4013], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4013 [pid 4011] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4013 attached [pid 4013] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4013] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4013] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 158.896961][ T4012] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 158.896961][ T4012] inode = 12 2341 [ 158.896961][ T4012] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 158.916282][ T4012] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 158.925972][ T4012] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4012 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 158.936368][ T4012] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 158.944883][ T4012] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 158.952257][ T4012] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 158.961137][ T4012] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 158.967668][ T4012] gfs2: fsid=syz:syz.0: File system withdrawn [ 158.973834][ T4012] CPU: 0 PID: 4012 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 158.984263][ T4012] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 158.994321][ T4012] Call Trace: [ 158.997598][ T4012] [ 159.000519][ T4012] dump_stack_lvl+0x1b1/0x28e [ 159.005206][ T4012] ? nf_tcp_handle_invalid+0x62e/0x62e [ 159.010678][ T4012] ? panic+0x710/0x710 [ 159.014771][ T4012] ? kobject_uevent_env+0x46b/0x8e0 [ 159.019977][ T4012] ? do_raw_spin_unlock+0x134/0x8a0 [ 159.025172][ T4012] gfs2_withdraw+0xf33/0x1540 [ 159.029851][ T4012] ? gfs2_lm+0x220/0x220 [ 159.034083][ T4012] ? gfs2_dirent_scan+0xb6/0x650 [ 159.039023][ T4012] ? panic+0x710/0x710 [ 159.043086][ T4012] ? gfs2_permission+0x2ff/0x430 [ 159.048024][ T4012] ? gfs2_consist_inode_i+0xf3/0x110 [ 159.053308][ T4012] gfs2_dirent_scan+0x535/0x650 [ 159.058166][ T4012] ? gfs2_dirent_search+0xb10/0xb10 [ 159.063364][ T4012] gfs2_dirent_search+0x2ea/0xb10 [ 159.068385][ T4012] ? gfs2_dirent_search+0xb10/0xb10 [ 159.073580][ T4012] ? gfs2_dir_search+0x2a0/0x2a0 [ 159.078511][ T4012] ? gfs2_permission+0x3bf/0x430 [ 159.083451][ T4012] gfs2_dir_search+0x8c/0x2a0 [ 159.088125][ T4012] ? do_filldir_main+0x530/0x530 [ 159.093055][ T4012] ? inode_go_held+0xe4/0x1f0 [ 159.097734][ T4012] ? gfs2_glock_wait+0x213/0x2a0 [ 159.102665][ T4012] gfs2_lookupi+0x465/0x650 [ 159.107167][ T4012] ? gfs2_lookup_simple+0x170/0x170 [ 159.112363][ T4012] ? __gfs2_lookup+0x8c/0x260 [ 159.117128][ T4012] __gfs2_lookup+0x8c/0x260 [ 159.123451][ T4012] ? gfs2_atomic_open+0x230/0x230 [ 159.128473][ T4012] ? __d_lookup+0x6a4/0x770 [ 159.132968][ T4012] ? d_hash_and_lookup+0x1c0/0x1c0 [ 159.138073][ T4012] gfs2_atomic_open+0xa4/0x230 [ 159.142833][ T4012] path_openat+0xf39/0x2df0 [ 159.148374][ T4012] ? gfs2_rename2+0x3000/0x3000 [ 159.153232][ T4012] ? do_filp_open+0x4f0/0x4f0 [ 159.157912][ T4012] do_filp_open+0x264/0x4f0 [ 159.162421][ T4012] ? vfs_tmpfile+0x490/0x490 [ 159.167010][ T4012] ? do_raw_spin_unlock+0x134/0x8a0 [ 159.172210][ T4012] ? _raw_spin_unlock+0x24/0x40 [ 159.177069][ T4012] ? alloc_fd+0x5a7/0x640 [ 159.181399][ T4012] do_sys_openat2+0x124/0x4e0 [ 159.186080][ T4012] ? print_irqtrace_events+0x220/0x220 [ 159.191529][ T4012] ? ptrace_stop+0x74d/0x970 [ 159.196127][ T4012] ? do_sys_open+0x220/0x220 [ 159.200710][ T4012] ? lockdep_hardirqs_on+0x8d/0x130 [ 159.205905][ T4012] ? _raw_spin_unlock_irq+0x2a/0x40 [ 159.211095][ T4012] ? ptrace_notify+0x245/0x340 [ 159.215851][ T4012] __x64_sys_openat+0x243/0x290 [ 159.220696][ T4012] ? __ia32_sys_open+0x270/0x270 [ 159.225633][ T4012] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 159.231620][ T4012] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 159.237593][ T4012] do_syscall_64+0x3d/0xb0 [ 159.242000][ T4012] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 159.247879][ T4012] RIP: 0033:0x7fc8868064d9 [ 159.252285][ T4012] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 159.271879][ T4012] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 159.280281][ T4012] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 159.288240][ T4012] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 159.296200][ T4012] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4013] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4012] <... openat resumed>) = -1 EIO (Input/output error) [pid 4012] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4012] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4011] exit_group(0 [pid 4013] <... futex resumed>) = ? [pid 4012] <... futex resumed>) = ? [pid 4011] <... exit_group resumed>) = ? [pid 4012] +++ exited with 0 +++ [pid 4013] +++ exited with 0 +++ [pid 4011] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4011, si_uid=0, si_status=0, si_utime=2, si_stime=25} --- umount2("./124", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./124", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./124/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./124/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./124/binderfs") = 0 [ 159.304159][ T4012] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 159.312116][ T4012] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 159.320093][ T4012] umount2("./124/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./124/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./124/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./124/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./124/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./124/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./124") = 0 mkdir("./125", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4014 ./strace-static-x86_64: Process 4014 attached [pid 4014] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4014] chdir("./125") = 0 [pid 4014] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4014] setpgid(0, 0) = 0 [pid 4014] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4014] write(3, "1000", 4) = 4 [pid 4014] close(3) = 0 [pid 4014] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4014] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4014] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4014] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4014] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4015], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4015 [pid 4014] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4014] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4015 attached [pid 4015] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4015] memfd_create("syzkaller", 0) = 3 [pid 4015] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4015] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4015] munmap(0x7fc87e392000, 16777216) = 0 [pid 4015] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4015] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4015] close(3) = 0 [pid 4015] mkdir("./file0", 0777) = 0 [ 159.641750][ T4015] loop0: detected capacity change from 0 to 32768 [ 159.653188][ T4015] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 159.661405][ T4015] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 159.671166][ T4015] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 159.679747][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 159.687162][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4015] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4015] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4015] chdir("./file0") = 0 [pid 4015] ioctl(4, LOOP_CLR_FD) = 0 [pid 4015] close(4) = 0 [pid 4015] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4014] <... futex resumed>) = 0 [pid 4014] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4014] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4015] <... futex resumed>) = 1 [pid 4015] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4015] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4014] <... futex resumed>) = 0 [pid 4014] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4014] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4015] <... futex resumed>) = 1 [ 159.725794][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 159.734006][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 159.739369][ T4015] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 159.753917][ T4015] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 159.762438][ T4015] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 159.762438][ T4015] inode = 12 2341 [pid 4015] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4014] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4014] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4014] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4014] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4014] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4016], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4016 [pid 4014] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4016 attached [pid 4016] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4016] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4016] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 159.762438][ T4015] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 159.781959][ T4015] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 159.791573][ T4015] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4015 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 159.802000][ T4015] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 159.810673][ T4015] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 159.818017][ T4015] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 159.827008][ T4015] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 159.833719][ T4015] gfs2: fsid=syz:syz.0: File system withdrawn [ 159.840186][ T4015] CPU: 1 PID: 4015 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 159.850613][ T4015] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 159.860678][ T4015] Call Trace: [ 159.863988][ T4015] [ 159.866913][ T4015] dump_stack_lvl+0x1b1/0x28e [ 159.871596][ T4015] ? nf_tcp_handle_invalid+0x62e/0x62e [ 159.877064][ T4015] ? panic+0x710/0x710 [ 159.881141][ T4015] ? kobject_uevent_env+0x46b/0x8e0 [ 159.886330][ T4015] ? do_raw_spin_unlock+0x134/0x8a0 [ 159.891541][ T4015] gfs2_withdraw+0xf33/0x1540 [ 159.896359][ T4015] ? gfs2_lm+0x220/0x220 [ 159.900609][ T4015] ? gfs2_dirent_scan+0xb6/0x650 [ 159.905546][ T4015] ? panic+0x710/0x710 [ 159.909609][ T4015] ? gfs2_permission+0x2ff/0x430 [ 159.914556][ T4015] ? gfs2_consist_inode_i+0xf3/0x110 [ 159.919863][ T4015] gfs2_dirent_scan+0x535/0x650 [pid 4016] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4014] exit_group(0 [pid 4016] <... futex resumed>) = ? [pid 4014] <... exit_group resumed>) = ? [pid 4016] +++ exited with 0 +++ [ 159.924731][ T4015] ? gfs2_dirent_search+0xb10/0xb10 [ 159.929937][ T4015] gfs2_dirent_search+0x2ea/0xb10 [ 159.934975][ T4015] ? gfs2_dirent_search+0xb10/0xb10 [ 159.940180][ T4015] ? gfs2_dir_search+0x2a0/0x2a0 [ 159.945222][ T4015] ? gfs2_permission+0x3bf/0x430 [ 159.950162][ T4015] gfs2_dir_search+0x8c/0x2a0 [ 159.954880][ T4015] ? do_filldir_main+0x530/0x530 [ 159.959821][ T4015] ? inode_go_held+0xe4/0x1f0 [ 159.964512][ T4015] ? gfs2_glock_wait+0x213/0x2a0 [ 159.969452][ T4015] gfs2_lookupi+0x465/0x650 [ 159.973952][ T4015] ? gfs2_lookup_simple+0x170/0x170 [ 159.979146][ T4015] ? __gfs2_lookup+0x8c/0x260 [ 159.983824][ T4015] __gfs2_lookup+0x8c/0x260 [ 159.988341][ T4015] ? gfs2_atomic_open+0x230/0x230 [ 159.993362][ T4015] ? __d_lookup+0x6a4/0x770 [ 159.997952][ T4015] ? d_hash_and_lookup+0x1c0/0x1c0 [ 160.003066][ T4015] gfs2_atomic_open+0xa4/0x230 [ 160.007829][ T4015] path_openat+0xf39/0x2df0 [ 160.012419][ T4015] ? gfs2_rename2+0x3000/0x3000 [ 160.017290][ T4015] ? do_filp_open+0x4f0/0x4f0 [ 160.021971][ T4015] do_filp_open+0x264/0x4f0 [ 160.026463][ T4015] ? vfs_tmpfile+0x490/0x490 [ 160.031067][ T4015] ? do_raw_spin_unlock+0x134/0x8a0 [ 160.036281][ T4015] ? _raw_spin_unlock+0x24/0x40 [ 160.041142][ T4015] ? alloc_fd+0x5a7/0x640 [ 160.045471][ T4015] do_sys_openat2+0x124/0x4e0 [ 160.050147][ T4015] ? print_irqtrace_events+0x220/0x220 [ 160.055620][ T4015] ? ptrace_stop+0x74d/0x970 [ 160.060217][ T4015] ? do_sys_open+0x220/0x220 [ 160.064797][ T4015] ? lockdep_hardirqs_on+0x8d/0x130 [ 160.069987][ T4015] ? _raw_spin_unlock_irq+0x2a/0x40 [ 160.075178][ T4015] ? ptrace_notify+0x245/0x340 [ 160.079930][ T4015] __x64_sys_openat+0x243/0x290 [ 160.084777][ T4015] ? __ia32_sys_open+0x270/0x270 [ 160.089709][ T4015] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 160.095693][ T4015] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 160.101686][ T4015] do_syscall_64+0x3d/0xb0 [ 160.106099][ T4015] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 160.112011][ T4015] RIP: 0033:0x7fc8868064d9 [ 160.116450][ T4015] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 160.136059][ T4015] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 160.144472][ T4015] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 160.152437][ T4015] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 160.160406][ T4015] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 160.168382][ T4015] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 4015] <... openat resumed>) = ? [pid 4015] +++ exited with 0 +++ [pid 4014] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4014, si_uid=0, si_status=0, si_utime=0, si_stime=32} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./125", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./125", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./125/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./125/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./125/binderfs") = 0 [ 160.176354][ T4015] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 160.184329][ T4015] umount2("./125/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./125/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./125/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./125/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./125/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./125/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./125") = 0 mkdir("./126", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4017 ./strace-static-x86_64: Process 4017 attached [pid 4017] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4017] chdir("./126") = 0 [pid 4017] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4017] setpgid(0, 0) = 0 [pid 4017] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4017] write(3, "1000", 4) = 4 [pid 4017] close(3) = 0 [pid 4017] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4017] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4017] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4017] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4017] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4018], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4018 [pid 4017] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4017] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4018 attached [pid 4018] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4018] memfd_create("syzkaller", 0) = 3 [pid 4018] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4018] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4018] munmap(0x7fc87e392000, 16777216) = 0 [pid 4018] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4018] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4018] close(3) = 0 [pid 4018] mkdir("./file0", 0777) = 0 [ 160.480250][ T4018] loop0: detected capacity change from 0 to 32768 [ 160.492108][ T4018] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 160.500455][ T4018] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 160.510204][ T4018] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 160.518973][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 160.526175][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4018] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4018] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4018] chdir("./file0") = 0 [pid 4018] ioctl(4, LOOP_CLR_FD) = 0 [pid 4018] close(4) = 0 [pid 4018] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4017] <... futex resumed>) = 0 [pid 4018] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 4017] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4018] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4017] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4018] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4017] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 4018] <... futex resumed>) = 0 [pid 4017] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4018] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4017] <... futex resumed>) = 0 [ 160.559702][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 160.567852][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 160.573153][ T4018] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 160.604032][ T4018] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 160.612694][ T4018] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 160.612694][ T4018] inode = 12 2341 [ 160.612694][ T4018] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 160.631626][ T4018] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 160.641019][ T4018] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4018 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 4017] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 4017] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4017] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4017] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4017] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4019], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4019 [pid 4017] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4019 attached [pid 4019] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4019] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4019] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 160.651388][ T4018] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 160.659909][ T4018] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 160.667771][ T4018] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 160.676964][ T4018] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 160.685990][ T4018] gfs2: fsid=syz:syz.0: File system withdrawn [ 160.692412][ T4018] CPU: 1 PID: 4018 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 160.702943][ T4018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 160.713018][ T4018] Call Trace: [ 160.716310][ T4018] [ 160.719243][ T4018] dump_stack_lvl+0x1b1/0x28e [ 160.723934][ T4018] ? nf_tcp_handle_invalid+0x62e/0x62e [ 160.729422][ T4018] ? panic+0x710/0x710 [ 160.733501][ T4018] ? kobject_uevent_env+0x46b/0x8e0 [ 160.738703][ T4018] ? do_raw_spin_unlock+0x134/0x8a0 [ 160.743916][ T4018] gfs2_withdraw+0xf33/0x1540 [ 160.748618][ T4018] ? gfs2_lm+0x220/0x220 [pid 4019] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4017] exit_group(0 [pid 4019] <... futex resumed>) = ? [pid 4017] <... exit_group resumed>) = ? [pid 4019] +++ exited with 0 +++ [ 160.752876][ T4018] ? gfs2_dirent_scan+0xb6/0x650 [ 160.758289][ T4018] ? panic+0x710/0x710 [ 160.762364][ T4018] ? gfs2_permission+0x2ff/0x430 [ 160.767296][ T4018] ? gfs2_consist_inode_i+0xf3/0x110 [ 160.772589][ T4018] gfs2_dirent_scan+0x535/0x650 [ 160.777475][ T4018] ? gfs2_dirent_search+0xb10/0xb10 [ 160.782753][ T4018] gfs2_dirent_search+0x2ea/0xb10 [ 160.787788][ T4018] ? gfs2_dirent_search+0xb10/0xb10 [ 160.793013][ T4018] ? gfs2_dir_search+0x2a0/0x2a0 [ 160.797958][ T4018] ? gfs2_permission+0x3bf/0x430 [ 160.802917][ T4018] gfs2_dir_search+0x8c/0x2a0 [ 160.807598][ T4018] ? do_filldir_main+0x530/0x530 [ 160.812529][ T4018] ? inode_go_held+0xe4/0x1f0 [ 160.817208][ T4018] ? gfs2_glock_wait+0x213/0x2a0 [ 160.822140][ T4018] gfs2_lookupi+0x465/0x650 [ 160.826641][ T4018] ? gfs2_lookup_simple+0x170/0x170 [ 160.831834][ T4018] ? __gfs2_lookup+0x8c/0x260 [ 160.836505][ T4018] __gfs2_lookup+0x8c/0x260 [ 160.841014][ T4018] ? gfs2_atomic_open+0x230/0x230 [ 160.846073][ T4018] ? __d_lookup+0x6a4/0x770 [ 160.850583][ T4018] ? d_hash_and_lookup+0x1c0/0x1c0 [ 160.855705][ T4018] gfs2_atomic_open+0xa4/0x230 [ 160.860489][ T4018] path_openat+0xf39/0x2df0 [ 160.865007][ T4018] ? gfs2_rename2+0x3000/0x3000 [ 160.869862][ T4018] ? do_filp_open+0x4f0/0x4f0 [ 160.874555][ T4018] do_filp_open+0x264/0x4f0 [ 160.879143][ T4018] ? vfs_tmpfile+0x490/0x490 [ 160.883735][ T4018] ? do_raw_spin_unlock+0x134/0x8a0 [ 160.888935][ T4018] ? _raw_spin_unlock+0x24/0x40 [ 160.893782][ T4018] ? alloc_fd+0x5a7/0x640 [ 160.898109][ T4018] do_sys_openat2+0x124/0x4e0 [ 160.902777][ T4018] ? print_irqtrace_events+0x220/0x220 [ 160.908226][ T4018] ? ptrace_stop+0x74d/0x970 [ 160.912826][ T4018] ? do_sys_open+0x220/0x220 [ 160.917506][ T4018] ? lockdep_hardirqs_on+0x8d/0x130 [ 160.922704][ T4018] ? _raw_spin_unlock_irq+0x2a/0x40 [ 160.927911][ T4018] ? ptrace_notify+0x245/0x340 [ 160.932667][ T4018] __x64_sys_openat+0x243/0x290 [ 160.937524][ T4018] ? __ia32_sys_open+0x270/0x270 [ 160.942457][ T4018] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 160.948441][ T4018] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 160.954418][ T4018] do_syscall_64+0x3d/0xb0 [ 160.958827][ T4018] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 160.964723][ T4018] RIP: 0033:0x7fc8868064d9 [ 160.969145][ T4018] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 160.990573][ T4018] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 4018] <... openat resumed>) = ? [pid 4018] +++ exited with 0 +++ [pid 4017] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4017, si_uid=0, si_status=0, si_utime=2, si_stime=31} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./126", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./126", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./126/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./126/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./126/binderfs") = 0 [ 160.998983][ T4018] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 161.006954][ T4018] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 161.014921][ T4018] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 161.022887][ T4018] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 161.030862][ T4018] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 161.038854][ T4018] umount2("./126/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./126/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./126/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./126/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./126/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./126/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./126") = 0 mkdir("./127", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4020 ./strace-static-x86_64: Process 4020 attached [pid 4020] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4020] chdir("./127") = 0 [pid 4020] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4020] setpgid(0, 0) = 0 [pid 4020] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4020] write(3, "1000", 4) = 4 [pid 4020] close(3) = 0 [pid 4020] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4020] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4020] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4020] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4020] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4021], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4021 ./strace-static-x86_64: Process 4021 attached [pid 4020] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4020] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4021] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4021] memfd_create("syzkaller", 0) = 3 [pid 4021] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4021] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4021] munmap(0x7fc87e392000, 16777216) = 0 [pid 4021] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4021] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4021] close(3) = 0 [pid 4021] mkdir("./file0", 0777) = 0 [ 161.344305][ T4021] loop0: detected capacity change from 0 to 32768 [ 161.354939][ T4021] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 161.363166][ T4021] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 161.373082][ T4021] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 161.381835][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 161.390027][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4021] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4021] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4021] chdir("./file0") = 0 [pid 4021] ioctl(4, LOOP_CLR_FD) = 0 [pid 4021] close(4) = 0 [pid 4021] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4020] <... futex resumed>) = 0 [pid 4020] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4020] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4021] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4021] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4020] <... futex resumed>) = 0 [pid 4020] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4020] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 161.423499][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 161.432360][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 161.437611][ T4021] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 161.458476][ T4021] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4021] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4020] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4020] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 161.467895][ T4021] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 161.467895][ T4021] inode = 12 2341 [ 161.467895][ T4021] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 161.487158][ T4021] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 161.496506][ T4021] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4021 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 161.507145][ T4021] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 161.516037][ T4021] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 4020] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4020] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4020] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4022], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4022 [pid 4020] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4022 attached [pid 4022] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4022] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4022] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 161.523661][ T4021] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 161.533011][ T4021] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 161.541713][ T4021] gfs2: fsid=syz:syz.0: File system withdrawn [ 161.548003][ T4021] CPU: 1 PID: 4021 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 161.558445][ T4021] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 161.568585][ T4021] Call Trace: [ 161.571877][ T4021] [ 161.574809][ T4021] dump_stack_lvl+0x1b1/0x28e [ 161.579510][ T4021] ? nf_tcp_handle_invalid+0x62e/0x62e [ 161.584990][ T4021] ? panic+0x710/0x710 [ 161.589067][ T4021] ? kobject_uevent_env+0x46b/0x8e0 [ 161.594283][ T4021] ? do_raw_spin_unlock+0x134/0x8a0 [ 161.599494][ T4021] gfs2_withdraw+0xf33/0x1540 [ 161.604211][ T4021] ? gfs2_lm+0x220/0x220 [ 161.608463][ T4021] ? gfs2_dirent_scan+0xb6/0x650 [ 161.613418][ T4021] ? panic+0x710/0x710 [ 161.617489][ T4021] ? gfs2_permission+0x2ff/0x430 [pid 4022] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4020] exit_group(0 [pid 4022] <... futex resumed>) = ? [pid 4020] <... exit_group resumed>) = ? [pid 4022] +++ exited with 0 +++ [ 161.622460][ T4021] ? gfs2_consist_inode_i+0xf3/0x110 [ 161.627770][ T4021] gfs2_dirent_scan+0x535/0x650 [ 161.632631][ T4021] ? gfs2_dirent_search+0xb10/0xb10 [ 161.637827][ T4021] gfs2_dirent_search+0x2ea/0xb10 [ 161.642850][ T4021] ? gfs2_dirent_search+0xb10/0xb10 [ 161.648057][ T4021] ? gfs2_dir_search+0x2a0/0x2a0 [ 161.653006][ T4021] ? gfs2_permission+0x3bf/0x430 [ 161.657957][ T4021] gfs2_dir_search+0x8c/0x2a0 [ 161.662646][ T4021] ? do_filldir_main+0x530/0x530 [ 161.667584][ T4021] ? inode_go_held+0xe4/0x1f0 [ 161.672292][ T4021] ? gfs2_glock_wait+0x213/0x2a0 [ 161.677245][ T4021] gfs2_lookupi+0x465/0x650 [ 161.681746][ T4021] ? gfs2_lookup_simple+0x170/0x170 [ 161.686950][ T4021] ? __gfs2_lookup+0x8c/0x260 [ 161.691642][ T4021] __gfs2_lookup+0x8c/0x260 [ 161.696153][ T4021] ? gfs2_atomic_open+0x230/0x230 [ 161.701184][ T4021] ? __d_lookup+0x6a4/0x770 [ 161.705689][ T4021] ? d_hash_and_lookup+0x1c0/0x1c0 [ 161.710802][ T4021] gfs2_atomic_open+0xa4/0x230 [ 161.715579][ T4021] path_openat+0xf39/0x2df0 [ 161.720094][ T4021] ? gfs2_rename2+0x3000/0x3000 [ 161.724961][ T4021] ? do_filp_open+0x4f0/0x4f0 [ 161.729641][ T4021] do_filp_open+0x264/0x4f0 [ 161.734140][ T4021] ? vfs_tmpfile+0x490/0x490 [ 161.738730][ T4021] ? do_raw_spin_unlock+0x134/0x8a0 [ 161.743943][ T4021] ? _raw_spin_unlock+0x24/0x40 [ 161.748805][ T4021] ? alloc_fd+0x5a7/0x640 [ 161.753141][ T4021] do_sys_openat2+0x124/0x4e0 [ 161.757823][ T4021] ? print_irqtrace_events+0x220/0x220 [ 161.763296][ T4021] ? ptrace_stop+0x74d/0x970 [ 161.767901][ T4021] ? do_sys_open+0x220/0x220 [ 161.772487][ T4021] ? lockdep_hardirqs_on+0x8d/0x130 [ 161.777678][ T4021] ? _raw_spin_unlock_irq+0x2a/0x40 [ 161.782877][ T4021] ? ptrace_notify+0x245/0x340 [ 161.787643][ T4021] __x64_sys_openat+0x243/0x290 [ 161.792501][ T4021] ? __ia32_sys_open+0x270/0x270 [ 161.797444][ T4021] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 161.803428][ T4021] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 161.809430][ T4021] do_syscall_64+0x3d/0xb0 [ 161.813837][ T4021] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 161.819719][ T4021] RIP: 0033:0x7fc8868064d9 [ 161.824223][ T4021] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 161.843867][ T4021] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 161.852278][ T4021] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 161.860243][ T4021] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 4021] <... openat resumed>) = ? [pid 4021] +++ exited with 0 +++ [pid 4020] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4020, si_uid=0, si_status=0, si_utime=0, si_stime=29} --- umount2("./127", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./127", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./127/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./127/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./127/binderfs") = 0 [ 161.868213][ T4021] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 161.876191][ T4021] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 161.884189][ T4021] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 161.892173][ T4021] umount2("./127/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./127/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./127/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./127/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./127/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./127/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./127") = 0 mkdir("./128", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4023 ./strace-static-x86_64: Process 4023 attached [pid 4023] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4023] chdir("./128") = 0 [pid 4023] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4023] setpgid(0, 0) = 0 [pid 4023] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4023] write(3, "1000", 4) = 4 [pid 4023] close(3) = 0 [pid 4023] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4023] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4023] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4023] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4023] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 4024 attached , parent_tid=[4024], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4024 [pid 4024] set_robust_list(0x7fc8867b29e0, 24 [pid 4023] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4023] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4024] <... set_robust_list resumed>) = 0 [pid 4024] memfd_create("syzkaller", 0) = 3 [pid 4024] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4024] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4024] munmap(0x7fc87e392000, 16777216) = 0 [pid 4024] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4024] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4024] close(3) = 0 [pid 4024] mkdir("./file0", 0777) = 0 [ 162.196785][ T4024] loop0: detected capacity change from 0 to 32768 [ 162.208598][ T4024] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 162.217085][ T4024] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 162.226762][ T4024] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 162.235729][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 162.242799][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4024] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4024] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4024] chdir("./file0") = 0 [pid 4024] ioctl(4, LOOP_CLR_FD) = 0 [pid 4024] close(4) = 0 [pid 4024] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4023] <... futex resumed>) = 0 [pid 4023] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4023] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4024] <... futex resumed>) = 1 [pid 4024] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4024] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4023] <... futex resumed>) = 0 [pid 4023] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4023] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4024] <... futex resumed>) = 1 [ 162.275734][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 162.283280][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 162.288533][ T4024] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 162.316839][ T4024] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 162.325742][ T4024] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 162.325742][ T4024] inode = 12 2341 [ 162.325742][ T4024] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 162.345168][ T4024] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 162.354563][ T4024] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4024 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 4024] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4023] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4023] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4023] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4023] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4023] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4025], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4025 [pid 4023] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4025 attached [pid 4025] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4025] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4025] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 162.364817][ T4024] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 162.373854][ T4024] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 162.381228][ T4024] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 162.390016][ T4024] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 162.397969][ T4024] gfs2: fsid=syz:syz.0: File system withdrawn [ 162.404234][ T4024] CPU: 0 PID: 4024 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 162.414642][ T4024] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 162.424698][ T4024] Call Trace: [ 162.427978][ T4024] [ 162.430915][ T4024] dump_stack_lvl+0x1b1/0x28e [ 162.435590][ T4024] ? nf_tcp_handle_invalid+0x62e/0x62e [ 162.441044][ T4024] ? panic+0x710/0x710 [ 162.445107][ T4024] ? kobject_uevent_env+0x46b/0x8e0 [ 162.450310][ T4024] ? do_raw_spin_unlock+0x134/0x8a0 [ 162.455521][ T4024] gfs2_withdraw+0xf33/0x1540 [ 162.460221][ T4024] ? gfs2_lm+0x220/0x220 [pid 4025] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4023] exit_group(0 [pid 4025] <... futex resumed>) = ? [pid 4023] <... exit_group resumed>) = ? [pid 4025] +++ exited with 0 +++ [ 162.464479][ T4024] ? gfs2_dirent_scan+0xb6/0x650 [ 162.469429][ T4024] ? panic+0x710/0x710 [ 162.473486][ T4024] ? gfs2_permission+0x2ff/0x430 [ 162.478432][ T4024] ? gfs2_consist_inode_i+0xf3/0x110 [ 162.483729][ T4024] gfs2_dirent_scan+0x535/0x650 [ 162.488588][ T4024] ? gfs2_dirent_search+0xb10/0xb10 [ 162.493799][ T4024] gfs2_dirent_search+0x2ea/0xb10 [ 162.498834][ T4024] ? gfs2_dirent_search+0xb10/0xb10 [ 162.504049][ T4024] ? gfs2_dir_search+0x2a0/0x2a0 [ 162.509008][ T4024] ? gfs2_permission+0x3bf/0x430 [ 162.513980][ T4024] gfs2_dir_search+0x8c/0x2a0 [ 162.518669][ T4024] ? do_filldir_main+0x530/0x530 [ 162.523622][ T4024] ? inode_go_held+0xe4/0x1f0 [ 162.528301][ T4024] ? gfs2_glock_wait+0x213/0x2a0 [ 162.533250][ T4024] gfs2_lookupi+0x465/0x650 [ 162.537752][ T4024] ? gfs2_lookup_simple+0x170/0x170 [ 162.542943][ T4024] ? __gfs2_lookup+0x8c/0x260 [ 162.547643][ T4024] __gfs2_lookup+0x8c/0x260 [ 162.552159][ T4024] ? gfs2_atomic_open+0x230/0x230 [ 162.557190][ T4024] ? __d_lookup+0x6a4/0x770 [ 162.561704][ T4024] ? d_hash_and_lookup+0x1c0/0x1c0 [ 162.566808][ T4024] gfs2_atomic_open+0xa4/0x230 [ 162.571571][ T4024] path_openat+0xf39/0x2df0 [ 162.576068][ T4024] ? gfs2_rename2+0x3000/0x3000 [ 162.580935][ T4024] ? do_filp_open+0x4f0/0x4f0 [ 162.585616][ T4024] do_filp_open+0x264/0x4f0 [ 162.590112][ T4024] ? vfs_tmpfile+0x490/0x490 [ 162.594704][ T4024] ? do_raw_spin_unlock+0x134/0x8a0 [ 162.599909][ T4024] ? _raw_spin_unlock+0x24/0x40 [ 162.604772][ T4024] ? alloc_fd+0x5a7/0x640 [ 162.609098][ T4024] do_sys_openat2+0x124/0x4e0 [ 162.613775][ T4024] ? print_irqtrace_events+0x220/0x220 [ 162.619247][ T4024] ? ptrace_stop+0x74d/0x970 [ 162.623846][ T4024] ? do_sys_open+0x220/0x220 [ 162.628426][ T4024] ? lockdep_hardirqs_on+0x8d/0x130 [ 162.633614][ T4024] ? _raw_spin_unlock_irq+0x2a/0x40 [ 162.638811][ T4024] ? ptrace_notify+0x245/0x340 [ 162.643566][ T4024] __x64_sys_openat+0x243/0x290 [ 162.648409][ T4024] ? __ia32_sys_open+0x270/0x270 [ 162.653337][ T4024] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 162.659311][ T4024] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 162.665281][ T4024] do_syscall_64+0x3d/0xb0 [ 162.669684][ T4024] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.675575][ T4024] RIP: 0033:0x7fc8868064d9 [ 162.679989][ T4024] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 162.699587][ T4024] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 162.707989][ T4024] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 4024] <... openat resumed>) = ? [pid 4024] +++ exited with 0 +++ [pid 4023] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4023, si_uid=0, si_status=0, si_utime=2, si_stime=30} --- umount2("./128", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./128", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./128/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./128/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./128/binderfs") = 0 [ 162.715958][ T4024] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 162.723919][ T4024] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 162.732401][ T4024] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 162.740360][ T4024] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 162.748352][ T4024] umount2("./128/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./128/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./128/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./128/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./128/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./128/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./128") = 0 mkdir("./129", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4026 ./strace-static-x86_64: Process 4026 attached [pid 4026] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4026] chdir("./129") = 0 [pid 4026] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4026] setpgid(0, 0) = 0 [pid 4026] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4026] write(3, "1000", 4) = 4 [pid 4026] close(3) = 0 [pid 4026] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4026] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4026] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4026] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4026] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 4027 attached , parent_tid=[4027], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4027 [pid 4027] set_robust_list(0x7fc8867b29e0, 24 [pid 4026] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4027] <... set_robust_list resumed>) = 0 [pid 4026] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4027] memfd_create("syzkaller", 0) = 3 [pid 4027] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4027] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4027] munmap(0x7fc87e392000, 16777216) = 0 [pid 4027] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4027] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4027] close(3) = 0 [pid 4027] mkdir("./file0", 0777) = 0 [ 163.049779][ T4027] loop0: detected capacity change from 0 to 32768 [ 163.060235][ T4027] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 163.068738][ T4027] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 163.078002][ T4027] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 163.087009][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 163.094023][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4027] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4027] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4027] chdir("./file0") = 0 [pid 4027] ioctl(4, LOOP_CLR_FD) = 0 [pid 4027] close(4) = 0 [pid 4027] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4027] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4026] <... futex resumed>) = 0 [pid 4026] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4026] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4027] <... futex resumed>) = 0 [pid 4027] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4027] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4026] <... futex resumed>) = 0 [pid 4026] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4026] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4027] <... futex resumed>) = 1 [ 163.130462][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 163.139205][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 163.144976][ T4027] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 163.167125][ T4027] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4027] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4026] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4026] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4026] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4026] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4026] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4028], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4028 [pid 4026] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4028 attached [pid 4028] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4028] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4028] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 163.175816][ T4027] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 163.175816][ T4027] inode = 12 2341 [ 163.175816][ T4027] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 163.194941][ T4027] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 163.204503][ T4027] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4027 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 163.214577][ T4027] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 163.223083][ T4027] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 163.231301][ T4027] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 163.240515][ T4027] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 163.247056][ T4027] gfs2: fsid=syz:syz.0: File system withdrawn [ 163.253188][ T4027] CPU: 1 PID: 4027 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 163.263617][ T4027] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 163.273676][ T4027] Call Trace: [ 163.276945][ T4027] [ 163.279875][ T4027] dump_stack_lvl+0x1b1/0x28e [ 163.284566][ T4027] ? nf_tcp_handle_invalid+0x62e/0x62e [ 163.290041][ T4027] ? panic+0x710/0x710 [ 163.294114][ T4027] ? kobject_uevent_env+0x46b/0x8e0 [ 163.299300][ T4027] ? do_raw_spin_unlock+0x134/0x8a0 [ 163.304509][ T4027] gfs2_withdraw+0xf33/0x1540 [ 163.309220][ T4027] ? gfs2_lm+0x220/0x220 [ 163.313464][ T4027] ? gfs2_dirent_scan+0xb6/0x650 [ 163.318406][ T4027] ? panic+0x710/0x710 [ 163.322484][ T4027] ? gfs2_permission+0x2ff/0x430 [pid 4028] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4026] exit_group(0 [pid 4028] <... futex resumed>) = ? [pid 4026] <... exit_group resumed>) = ? [pid 4028] +++ exited with 0 +++ [ 163.327430][ T4027] ? gfs2_consist_inode_i+0xf3/0x110 [ 163.332715][ T4027] gfs2_dirent_scan+0x535/0x650 [ 163.337577][ T4027] ? gfs2_dirent_search+0xb10/0xb10 [ 163.342768][ T4027] gfs2_dirent_search+0x2ea/0xb10 [ 163.347793][ T4027] ? gfs2_dirent_search+0xb10/0xb10 [ 163.352993][ T4027] ? gfs2_dir_search+0x2a0/0x2a0 [ 163.358090][ T4027] ? gfs2_permission+0x3bf/0x430 [ 163.363040][ T4027] gfs2_dir_search+0x8c/0x2a0 [ 163.367715][ T4027] ? do_filldir_main+0x530/0x530 [ 163.372645][ T4027] ? inode_go_held+0xe4/0x1f0 [ 163.377405][ T4027] ? gfs2_glock_wait+0x213/0x2a0 [ 163.382351][ T4027] gfs2_lookupi+0x465/0x650 [ 163.386850][ T4027] ? gfs2_lookup_simple+0x170/0x170 [ 163.392649][ T4027] ? __gfs2_lookup+0x8c/0x260 [ 163.397336][ T4027] __gfs2_lookup+0x8c/0x260 [ 163.401846][ T4027] ? gfs2_atomic_open+0x230/0x230 [ 163.406874][ T4027] ? __d_lookup+0x6a4/0x770 [ 163.411378][ T4027] ? d_hash_and_lookup+0x1c0/0x1c0 [ 163.416494][ T4027] gfs2_atomic_open+0xa4/0x230 [ 163.421297][ T4027] path_openat+0xf39/0x2df0 [ 163.425799][ T4027] ? gfs2_rename2+0x3000/0x3000 [ 163.430650][ T4027] ? do_filp_open+0x4f0/0x4f0 [ 163.435325][ T4027] do_filp_open+0x264/0x4f0 [ 163.439830][ T4027] ? vfs_tmpfile+0x490/0x490 [ 163.444430][ T4027] ? do_raw_spin_unlock+0x134/0x8a0 [ 163.449644][ T4027] ? _raw_spin_unlock+0x24/0x40 [ 163.454503][ T4027] ? alloc_fd+0x5a7/0x640 [ 163.458828][ T4027] do_sys_openat2+0x124/0x4e0 [ 163.463502][ T4027] ? print_irqtrace_events+0x220/0x220 [ 163.468980][ T4027] ? ptrace_stop+0x74d/0x970 [ 163.473575][ T4027] ? do_sys_open+0x220/0x220 [ 163.478185][ T4027] ? lockdep_hardirqs_on+0x8d/0x130 [ 163.483375][ T4027] ? _raw_spin_unlock_irq+0x2a/0x40 [ 163.488569][ T4027] ? ptrace_notify+0x245/0x340 [ 163.493326][ T4027] __x64_sys_openat+0x243/0x290 [ 163.498243][ T4027] ? __ia32_sys_open+0x270/0x270 [ 163.503188][ T4027] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 163.509172][ T4027] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 163.515150][ T4027] do_syscall_64+0x3d/0xb0 [ 163.519558][ T4027] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 163.525449][ T4027] RIP: 0033:0x7fc8868064d9 [ 163.529865][ T4027] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 163.549481][ T4027] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 163.557885][ T4027] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 163.565846][ T4027] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 163.573817][ T4027] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4027] <... openat resumed>) = ? [pid 4027] +++ exited with 0 +++ [pid 4026] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4026, si_uid=0, si_status=0, si_utime=0, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./129", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./129", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./129/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./129/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./129/binderfs") = 0 [ 163.581796][ T4027] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 163.589758][ T4027] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 163.597754][ T4027] umount2("./129/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./129/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./129/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./129/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./129/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./129/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./129") = 0 mkdir("./130", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4029 ./strace-static-x86_64: Process 4029 attached [pid 4029] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4029] chdir("./130") = 0 [pid 4029] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4029] setpgid(0, 0) = 0 [pid 4029] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4029] write(3, "1000", 4) = 4 [pid 4029] close(3) = 0 [pid 4029] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4029] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4029] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4029] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4029] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4030], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4030 [pid 4029] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4029] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4030 attached [pid 4030] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4030] memfd_create("syzkaller", 0) = 3 [pid 4030] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4030] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4030] munmap(0x7fc87e392000, 16777216) = 0 [pid 4030] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4030] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4030] close(3) = 0 [pid 4030] mkdir("./file0", 0777) = 0 [ 163.886842][ T4030] loop0: detected capacity change from 0 to 32768 [ 163.899015][ T4030] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 163.907328][ T4030] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 163.916387][ T4030] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 163.925143][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 163.932119][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4030] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4030] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4030] chdir("./file0") = 0 [pid 4030] ioctl(4, LOOP_CLR_FD) = 0 [pid 4030] close(4) = 0 [pid 4030] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4029] <... futex resumed>) = 0 [pid 4029] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4029] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4030] <... futex resumed>) = 1 [pid 4030] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4030] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4029] <... futex resumed>) = 0 [pid 4030] <... futex resumed>) = 1 [pid 4029] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4030] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4029] <... futex resumed>) = 0 [ 163.971020][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 163.979775][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 163.985238][ T4030] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 164.000727][ T4030] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 164.009636][ T4030] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 164.009636][ T4030] inode = 12 2341 [pid 4029] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 4029] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4029] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4029] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4029] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4031], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4031 [pid 4029] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4031 attached [pid 4031] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4031] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4031] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 164.009636][ T4030] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 164.028680][ T4030] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 164.038224][ T4030] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4030 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 164.048593][ T4030] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 164.057685][ T4030] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 164.066111][ T4030] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 164.075317][ T4030] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 164.083313][ T4030] gfs2: fsid=syz:syz.0: File system withdrawn [ 164.091603][ T4030] CPU: 0 PID: 4030 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 164.102016][ T4030] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 164.112437][ T4030] Call Trace: [ 164.115709][ T4030] [ 164.118633][ T4030] dump_stack_lvl+0x1b1/0x28e [ 164.123330][ T4030] ? nf_tcp_handle_invalid+0x62e/0x62e [ 164.128804][ T4030] ? panic+0x710/0x710 [ 164.132890][ T4030] ? kobject_uevent_env+0x46b/0x8e0 [ 164.138101][ T4030] ? do_raw_spin_unlock+0x134/0x8a0 [ 164.143293][ T4030] gfs2_withdraw+0xf33/0x1540 [ 164.147991][ T4030] ? gfs2_lm+0x220/0x220 [ 164.152234][ T4030] ? gfs2_dirent_scan+0xb6/0x650 [ 164.157173][ T4030] ? panic+0x710/0x710 [ 164.161307][ T4030] ? gfs2_permission+0x2ff/0x430 [ 164.166258][ T4030] ? gfs2_consist_inode_i+0xf3/0x110 [pid 4031] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4029] exit_group(0 [pid 4031] <... futex resumed>) = ? [pid 4029] <... exit_group resumed>) = ? [pid 4031] +++ exited with 0 +++ [ 164.171551][ T4030] gfs2_dirent_scan+0x535/0x650 [ 164.176508][ T4030] ? gfs2_dirent_search+0xb10/0xb10 [ 164.181703][ T4030] gfs2_dirent_search+0x2ea/0xb10 [ 164.186735][ T4030] ? gfs2_dirent_search+0xb10/0xb10 [ 164.191946][ T4030] ? gfs2_dir_search+0x2a0/0x2a0 [ 164.196890][ T4030] ? gfs2_permission+0x3bf/0x430 [ 164.201870][ T4030] gfs2_dir_search+0x8c/0x2a0 [ 164.206575][ T4030] ? do_filldir_main+0x530/0x530 [ 164.211525][ T4030] ? inode_go_held+0xe4/0x1f0 [ 164.216223][ T4030] ? gfs2_glock_wait+0x213/0x2a0 [ 164.221160][ T4030] gfs2_lookupi+0x465/0x650 [ 164.225673][ T4030] ? gfs2_lookup_simple+0x170/0x170 [ 164.230872][ T4030] ? __gfs2_lookup+0x8c/0x260 [ 164.235540][ T4030] __gfs2_lookup+0x8c/0x260 [ 164.240032][ T4030] ? gfs2_atomic_open+0x230/0x230 [ 164.245059][ T4030] ? __d_lookup+0x6a4/0x770 [ 164.249550][ T4030] ? d_hash_and_lookup+0x1c0/0x1c0 [ 164.254653][ T4030] gfs2_atomic_open+0xa4/0x230 [ 164.259423][ T4030] path_openat+0xf39/0x2df0 [ 164.263937][ T4030] ? gfs2_rename2+0x3000/0x3000 [ 164.268789][ T4030] ? do_filp_open+0x4f0/0x4f0 [ 164.273554][ T4030] do_filp_open+0x264/0x4f0 [ 164.278051][ T4030] ? vfs_tmpfile+0x490/0x490 [ 164.282642][ T4030] ? do_raw_spin_unlock+0x134/0x8a0 [ 164.287836][ T4030] ? _raw_spin_unlock+0x24/0x40 [ 164.292690][ T4030] ? alloc_fd+0x5a7/0x640 [ 164.297024][ T4030] do_sys_openat2+0x124/0x4e0 [ 164.301707][ T4030] ? print_irqtrace_events+0x220/0x220 [ 164.307154][ T4030] ? ptrace_stop+0x74d/0x970 [ 164.311748][ T4030] ? do_sys_open+0x220/0x220 [ 164.316346][ T4030] ? lockdep_hardirqs_on+0x8d/0x130 [ 164.321550][ T4030] ? _raw_spin_unlock_irq+0x2a/0x40 [ 164.326774][ T4030] ? ptrace_notify+0x245/0x340 [ 164.331545][ T4030] __x64_sys_openat+0x243/0x290 [ 164.336397][ T4030] ? __ia32_sys_open+0x270/0x270 [ 164.341435][ T4030] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 164.347427][ T4030] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 164.353512][ T4030] do_syscall_64+0x3d/0xb0 [ 164.358021][ T4030] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 164.363930][ T4030] RIP: 0033:0x7fc8868064d9 [ 164.368367][ T4030] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 164.388000][ T4030] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 164.396436][ T4030] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 164.404417][ T4030] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 164.412399][ T4030] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4030] <... openat resumed>) = ? [pid 4030] +++ exited with 0 +++ [pid 4029] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4029, si_uid=0, si_status=0, si_utime=0, si_stime=32} --- umount2("./130", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./130", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./130/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./130/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./130/binderfs") = 0 [ 164.420377][ T4030] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 164.428362][ T4030] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 164.436357][ T4030] umount2("./130/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./130/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./130/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./130/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./130/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./130/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./130") = 0 mkdir("./131", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4032 ./strace-static-x86_64: Process 4032 attached [pid 4032] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4032] chdir("./131") = 0 [pid 4032] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4032] setpgid(0, 0) = 0 [pid 4032] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4032] write(3, "1000", 4) = 4 [pid 4032] close(3) = 0 [pid 4032] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4032] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4032] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4032] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4032] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4033], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4033 [pid 4032] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4032] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4033 attached [pid 4033] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4033] memfd_create("syzkaller", 0) = 3 [pid 4033] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4033] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4033] munmap(0x7fc87e392000, 16777216) = 0 [pid 4033] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4033] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4033] close(3) = 0 [pid 4033] mkdir("./file0", 0777) = 0 [ 164.726640][ T4033] loop0: detected capacity change from 0 to 32768 [ 164.736598][ T4033] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 164.745251][ T4033] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 164.754639][ T4033] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 164.763809][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 164.770666][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4033] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4033] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4033] chdir("./file0") = 0 [pid 4033] ioctl(4, LOOP_CLR_FD) = 0 [pid 4033] close(4) = 0 [pid 4033] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4033] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4032] <... futex resumed>) = 0 [pid 4032] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4032] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4033] <... futex resumed>) = 0 [pid 4033] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4033] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4032] <... futex resumed>) = 0 [pid 4032] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4032] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4033] <... futex resumed>) = 1 [ 164.807844][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 164.816748][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 164.822105][ T4033] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 164.845348][ T4033] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4033] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4032] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4032] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4032] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4032] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4032] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4034], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4034 [pid 4032] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4034 attached [pid 4034] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4034] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4034] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 164.854291][ T4033] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 164.854291][ T4033] inode = 12 2341 [ 164.854291][ T4033] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 164.874276][ T4033] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 164.883690][ T4033] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4033 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 164.894243][ T4033] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 164.902996][ T4033] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 164.910542][ T4033] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 164.919319][ T4033] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 164.927427][ T4033] gfs2: fsid=syz:syz.0: File system withdrawn [ 164.933862][ T4033] CPU: 0 PID: 4033 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 164.944276][ T4033] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 164.954329][ T4033] Call Trace: [ 164.957623][ T4033] [ 164.960559][ T4033] dump_stack_lvl+0x1b1/0x28e [ 164.965232][ T4033] ? nf_tcp_handle_invalid+0x62e/0x62e [ 164.970686][ T4033] ? panic+0x710/0x710 [ 164.974745][ T4033] ? kobject_uevent_env+0x46b/0x8e0 [ 164.980195][ T4033] ? do_raw_spin_unlock+0x134/0x8a0 [ 164.985406][ T4033] gfs2_withdraw+0xf33/0x1540 [ 164.990116][ T4033] ? gfs2_lm+0x220/0x220 [ 164.994369][ T4033] ? gfs2_dirent_scan+0xb6/0x650 [ 164.999311][ T4033] ? panic+0x710/0x710 [ 165.003372][ T4033] ? gfs2_permission+0x2ff/0x430 [pid 4034] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4032] exit_group(0 [pid 4034] <... futex resumed>) = ? [pid 4032] <... exit_group resumed>) = ? [pid 4034] +++ exited with 0 +++ [ 165.008331][ T4033] ? gfs2_consist_inode_i+0xf3/0x110 [ 165.013642][ T4033] gfs2_dirent_scan+0x535/0x650 [ 165.018535][ T4033] ? gfs2_dirent_search+0xb10/0xb10 [ 165.023741][ T4033] gfs2_dirent_search+0x2ea/0xb10 [ 165.028773][ T4033] ? gfs2_dirent_search+0xb10/0xb10 [ 165.033981][ T4033] ? gfs2_dir_search+0x2a0/0x2a0 [ 165.038921][ T4033] ? gfs2_permission+0x3bf/0x430 [ 165.043894][ T4033] gfs2_dir_search+0x8c/0x2a0 [ 165.048577][ T4033] ? do_filldir_main+0x530/0x530 [ 165.053550][ T4033] ? inode_go_held+0xe4/0x1f0 [ 165.058230][ T4033] ? gfs2_glock_wait+0x213/0x2a0 [ 165.063174][ T4033] gfs2_lookupi+0x465/0x650 [ 165.067671][ T4033] ? gfs2_lookup_simple+0x170/0x170 [ 165.072872][ T4033] ? __gfs2_lookup+0x8c/0x260 [ 165.077559][ T4033] __gfs2_lookup+0x8c/0x260 [ 165.082072][ T4033] ? gfs2_atomic_open+0x230/0x230 [ 165.087099][ T4033] ? __d_lookup+0x6a4/0x770 [ 165.091603][ T4033] ? d_hash_and_lookup+0x1c0/0x1c0 [ 165.096717][ T4033] gfs2_atomic_open+0xa4/0x230 [ 165.101491][ T4033] path_openat+0xf39/0x2df0 [ 165.105988][ T4033] ? gfs2_rename2+0x3000/0x3000 [ 165.110852][ T4033] ? do_filp_open+0x4f0/0x4f0 [ 165.115537][ T4033] do_filp_open+0x264/0x4f0 [ 165.120042][ T4033] ? vfs_tmpfile+0x490/0x490 [ 165.124642][ T4033] ? do_raw_spin_unlock+0x134/0x8a0 [ 165.129852][ T4033] ? _raw_spin_unlock+0x24/0x40 [ 165.134714][ T4033] ? alloc_fd+0x5a7/0x640 [ 165.139041][ T4033] do_sys_openat2+0x124/0x4e0 [ 165.143712][ T4033] ? print_irqtrace_events+0x220/0x220 [ 165.149166][ T4033] ? ptrace_stop+0x74d/0x970 [ 165.153756][ T4033] ? do_sys_open+0x220/0x220 [ 165.158350][ T4033] ? lockdep_hardirqs_on+0x8d/0x130 [ 165.163537][ T4033] ? _raw_spin_unlock_irq+0x2a/0x40 [ 165.168728][ T4033] ? ptrace_notify+0x245/0x340 [ 165.173477][ T4033] __x64_sys_openat+0x243/0x290 [ 165.178317][ T4033] ? __ia32_sys_open+0x270/0x270 [ 165.183260][ T4033] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 165.189249][ T4033] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 165.195216][ T4033] do_syscall_64+0x3d/0xb0 [ 165.199618][ T4033] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 165.205509][ T4033] RIP: 0033:0x7fc8868064d9 [ 165.209936][ T4033] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 165.229620][ T4033] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 165.238030][ T4033] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 165.246001][ T4033] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 4033] <... openat resumed>) = ? [pid 4033] +++ exited with 0 +++ [pid 4032] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4032, si_uid=0, si_status=0, si_utime=1, si_stime=31} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./131", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./131", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./131/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./131/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./131/binderfs") = 0 [ 165.253964][ T4033] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 165.261933][ T4033] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 165.269938][ T4033] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 165.277922][ T4033] umount2("./131/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./131/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./131/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./131/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./131/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./131/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./131") = 0 mkdir("./132", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4035 ./strace-static-x86_64: Process 4035 attached [pid 4035] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4035] chdir("./132") = 0 [pid 4035] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4035] setpgid(0, 0) = 0 [pid 4035] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4035] write(3, "1000", 4) = 4 [pid 4035] close(3) = 0 [pid 4035] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4035] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4035] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4035] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4035] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4036], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4036 [pid 4035] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4035] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4036 attached [pid 4036] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4036] memfd_create("syzkaller", 0) = 3 [pid 4036] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4036] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4036] munmap(0x7fc87e392000, 16777216) = 0 [pid 4036] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4036] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4036] close(3) = 0 [pid 4036] mkdir("./file0", 0777) = 0 [ 165.586905][ T4036] loop0: detected capacity change from 0 to 32768 [ 165.598323][ T4036] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 165.606844][ T4036] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 165.616798][ T4036] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 165.625618][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 165.632990][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4036] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4036] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4036] chdir("./file0") = 0 [pid 4036] ioctl(4, LOOP_CLR_FD) = 0 [pid 4036] close(4) = 0 [pid 4036] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4035] <... futex resumed>) = 0 [pid 4035] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4035] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4036] <... futex resumed>) = 1 [pid 4036] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4036] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4035] <... futex resumed>) = 0 [pid 4035] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4035] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4036] <... futex resumed>) = 1 [ 165.667825][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 165.676014][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 165.681389][ T4036] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 165.695903][ T4036] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 165.704908][ T4036] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 165.704908][ T4036] inode = 12 2341 [pid 4036] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4035] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4035] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4035] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4035] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4035] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4037], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4037 [pid 4035] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4037 attached [pid 4037] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4037] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4037] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 165.704908][ T4036] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 165.724137][ T4036] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 165.733527][ T4036] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4036 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 165.743958][ T4036] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 165.752913][ T4036] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 165.760358][ T4036] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 165.769456][ T4036] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 165.776532][ T4036] gfs2: fsid=syz:syz.0: File system withdrawn [ 165.782818][ T4036] CPU: 0 PID: 4036 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 165.793329][ T4036] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 165.803385][ T4036] Call Trace: [ 165.806656][ T4036] [ 165.809580][ T4036] dump_stack_lvl+0x1b1/0x28e [ 165.814255][ T4036] ? nf_tcp_handle_invalid+0x62e/0x62e [ 165.819708][ T4036] ? panic+0x710/0x710 [ 165.823767][ T4036] ? kobject_uevent_env+0x46b/0x8e0 [ 165.828966][ T4036] ? do_raw_spin_unlock+0x134/0x8a0 [ 165.834175][ T4036] gfs2_withdraw+0xf33/0x1540 [ 165.838889][ T4036] ? gfs2_lm+0x220/0x220 [ 165.843148][ T4036] ? gfs2_dirent_scan+0xb6/0x650 [ 165.848105][ T4036] ? panic+0x710/0x710 [ 165.852167][ T4036] ? gfs2_permission+0x2ff/0x430 [ 165.857119][ T4036] ? gfs2_consist_inode_i+0xf3/0x110 [ 165.862420][ T4036] gfs2_dirent_scan+0x535/0x650 [ 165.867283][ T4036] ? gfs2_dirent_search+0xb10/0xb10 [ 165.872493][ T4036] gfs2_dirent_search+0x2ea/0xb10 [ 165.877511][ T4036] ? gfs2_dirent_search+0xb10/0xb10 [ 165.882715][ T4036] ? gfs2_dir_search+0x2a0/0x2a0 [ 165.887663][ T4036] ? gfs2_permission+0x3bf/0x430 [ 165.892602][ T4036] gfs2_dir_search+0x8c/0x2a0 [ 165.897281][ T4036] ? do_filldir_main+0x530/0x530 [ 165.902215][ T4036] ? inode_go_held+0xe4/0x1f0 [ 165.906888][ T4036] ? gfs2_glock_wait+0x213/0x2a0 [ 165.911823][ T4036] gfs2_lookupi+0x465/0x650 [ 165.916332][ T4036] ? gfs2_lookup_simple+0x170/0x170 [ 165.921526][ T4036] ? __gfs2_lookup+0x8c/0x260 [ 165.926204][ T4036] __gfs2_lookup+0x8c/0x260 [ 165.930703][ T4036] ? gfs2_atomic_open+0x230/0x230 [ 165.935726][ T4036] ? __d_lookup+0x6a4/0x770 [ 165.940221][ T4036] ? d_hash_and_lookup+0x1c0/0x1c0 [ 165.945325][ T4036] gfs2_atomic_open+0xa4/0x230 [ 165.950090][ T4036] path_openat+0xf39/0x2df0 [ 165.954633][ T4036] ? gfs2_rename2+0x3000/0x3000 [ 165.959491][ T4036] ? do_filp_open+0x4f0/0x4f0 [ 165.964173][ T4036] do_filp_open+0x264/0x4f0 [ 165.968670][ T4036] ? vfs_tmpfile+0x490/0x490 [ 165.973260][ T4036] ? do_raw_spin_unlock+0x134/0x8a0 [ 165.978459][ T4036] ? _raw_spin_unlock+0x24/0x40 [ 165.983308][ T4036] ? alloc_fd+0x5a7/0x640 [ 165.987639][ T4036] do_sys_openat2+0x124/0x4e0 [ 165.992309][ T4036] ? print_irqtrace_events+0x220/0x220 [ 165.997758][ T4036] ? ptrace_stop+0x74d/0x970 [ 166.002343][ T4036] ? do_sys_open+0x220/0x220 [ 166.006932][ T4036] ? lockdep_hardirqs_on+0x8d/0x130 [ 166.012124][ T4036] ? _raw_spin_unlock_irq+0x2a/0x40 [ 166.017318][ T4036] ? ptrace_notify+0x245/0x340 [ 166.022079][ T4036] __x64_sys_openat+0x243/0x290 [ 166.026939][ T4036] ? __ia32_sys_open+0x270/0x270 [ 166.031875][ T4036] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 166.037853][ T4036] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 166.043847][ T4036] do_syscall_64+0x3d/0xb0 [ 166.048257][ T4036] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 166.054144][ T4036] RIP: 0033:0x7fc8868064d9 [ 166.058553][ T4036] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 166.078154][ T4036] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 166.086559][ T4036] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 166.094520][ T4036] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 166.102509][ T4036] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 166.110469][ T4036] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 4037] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4036] <... openat resumed>) = -1 EIO (Input/output error) [pid 4036] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4035] exit_group(0 [pid 4037] <... futex resumed>) = ? [pid 4035] <... exit_group resumed>) = ? [pid 4037] +++ exited with 0 +++ [pid 4036] +++ exited with 0 +++ [pid 4035] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4035, si_uid=0, si_status=0, si_utime=1, si_stime=32} --- umount2("./132", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./132", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./132/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./132/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./132/binderfs") = 0 [ 166.118431][ T4036] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 166.126407][ T4036] umount2("./132/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./132/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./132/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./132/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./132/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./132/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./132") = 0 mkdir("./133", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4038 ./strace-static-x86_64: Process 4038 attached [pid 4038] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4038] chdir("./133") = 0 [pid 4038] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4038] setpgid(0, 0) = 0 [pid 4038] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4038] write(3, "1000", 4) = 4 [pid 4038] close(3) = 0 [pid 4038] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4038] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4038] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4038] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4038] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 4039 attached , parent_tid=[4039], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4039 [pid 4039] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4039] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4038] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4039] <... futex resumed>) = 0 [pid 4038] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4039] memfd_create("syzkaller", 0) = 3 [pid 4039] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4039] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4039] munmap(0x7fc87e392000, 16777216) = 0 [pid 4039] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4039] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4039] close(3) = 0 [pid 4039] mkdir("./file0", 0777) = 0 [ 166.438031][ T4039] loop0: detected capacity change from 0 to 32768 [ 166.448004][ T4039] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 166.456212][ T4039] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 166.465440][ T4039] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 166.474329][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 166.481240][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4039] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4039] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4039] chdir("./file0") = 0 [pid 4039] ioctl(4, LOOP_CLR_FD) = 0 [pid 4039] close(4) = 0 [pid 4039] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4038] <... futex resumed>) = 0 [pid 4039] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4038] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4039] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 4038] <... futex resumed>) = 0 [pid 4039] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 4038] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4039] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4039] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4039] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4038] <... futex resumed>) = 0 [pid 4038] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4038] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4039] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [ 166.516387][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 166.524599][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 166.529952][ T4039] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 166.552366][ T4039] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4039] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4038] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4038] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 4038] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4038] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4038] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4038] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4040], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4040 [pid 4038] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4040 attached [pid 4040] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 166.561038][ T4039] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 166.561038][ T4039] inode = 12 2341 [ 166.561038][ T4039] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 166.579808][ T4039] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 166.589230][ T4039] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4039 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 166.599574][ T4039] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 166.604899][ T4040] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 166.608486][ T4039] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 166.618064][ T4040] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 166.624011][ T4039] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 166.624025][ T4039] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 166.624195][ T4039] gfs2: fsid=syz:syz.0: File system withdrawn [ 166.635774][ T4040] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4039 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 166.641987][ T4039] CPU: 0 PID: 4039 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 166.642008][ T4039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 166.642017][ T4039] Call Trace: [ 166.642024][ T4039] [ 166.642032][ T4039] dump_stack_lvl+0x1b1/0x28e [ 166.649539][ T4040] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4040 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 166.654480][ T4039] ? nf_tcp_handle_invalid+0x62e/0x62e [ 166.654504][ T4039] ? panic+0x710/0x710 [ 166.654524][ T4039] ? kobject_uevent_env+0x46b/0x8e0 [ 166.654543][ T4039] ? do_raw_spin_unlock+0x134/0x8a0 [ 166.665498][ T4040] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 166.674894][ T4039] gfs2_withdraw+0xf33/0x1540 [ 166.674937][ T4039] ? gfs2_lm+0x220/0x220 [ 166.674953][ T4039] ? gfs2_dirent_scan+0xb6/0x650 [ 166.747884][ T4039] ? panic+0x710/0x710 [ 166.751949][ T4039] ? gfs2_permission+0x2ff/0x430 [ 166.756906][ T4039] ? gfs2_consist_inode_i+0xf3/0x110 [ 166.762205][ T4039] gfs2_dirent_scan+0x535/0x650 [ 166.767057][ T4039] ? gfs2_dirent_search+0xb10/0xb10 [ 166.772860][ T4039] gfs2_dirent_search+0x2ea/0xb10 [ 166.777876][ T4039] ? gfs2_dirent_search+0xb10/0xb10 [ 166.783071][ T4039] ? gfs2_dir_search+0x2a0/0x2a0 [ 166.788003][ T4039] ? gfs2_permission+0x3bf/0x430 [ 166.792970][ T4039] gfs2_dir_search+0x8c/0x2a0 [ 166.797673][ T4039] ? do_filldir_main+0x530/0x530 [ 166.802620][ T4039] ? inode_go_held+0xe4/0x1f0 [ 166.807294][ T4039] ? gfs2_glock_wait+0x213/0x2a0 [ 166.812236][ T4039] gfs2_lookupi+0x465/0x650 [pid 4040] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 4038] exit_group(0) = ? [ 166.816769][ T4039] ? gfs2_lookup_simple+0x170/0x170 [ 166.821971][ T4039] ? __gfs2_lookup+0x8c/0x260 [ 166.826665][ T4039] __gfs2_lookup+0x8c/0x260 [ 166.831185][ T4039] ? gfs2_atomic_open+0x230/0x230 [ 166.836205][ T4039] ? __d_lookup+0x6a4/0x770 [ 166.840711][ T4039] ? d_hash_and_lookup+0x1c0/0x1c0 [ 166.845827][ T4039] gfs2_atomic_open+0xa4/0x230 [ 166.850584][ T4039] path_openat+0xf39/0x2df0 [ 166.855085][ T4039] ? gfs2_rename2+0x3000/0x3000 [ 166.859960][ T4039] ? do_filp_open+0x4f0/0x4f0 [ 166.864652][ T4039] do_filp_open+0x264/0x4f0 [ 166.869146][ T4039] ? vfs_tmpfile+0x490/0x490 [ 166.873759][ T4039] ? do_raw_spin_unlock+0x134/0x8a0 [ 166.878981][ T4039] ? _raw_spin_unlock+0x24/0x40 [ 166.883829][ T4039] ? alloc_fd+0x5a7/0x640 [ 166.888154][ T4039] do_sys_openat2+0x124/0x4e0 [ 166.892827][ T4039] ? print_irqtrace_events+0x220/0x220 [ 166.898275][ T4039] ? ptrace_stop+0x74d/0x970 [ 166.902866][ T4039] ? do_sys_open+0x220/0x220 [ 166.907459][ T4039] ? lockdep_hardirqs_on+0x8d/0x130 [ 166.912649][ T4039] ? _raw_spin_unlock_irq+0x2a/0x40 [ 166.917849][ T4039] ? ptrace_notify+0x245/0x340 [ 166.922617][ T4039] __x64_sys_openat+0x243/0x290 [ 166.927476][ T4039] ? __ia32_sys_open+0x270/0x270 [ 166.932420][ T4039] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 166.938401][ T4039] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 166.944387][ T4039] do_syscall_64+0x3d/0xb0 [ 166.948791][ T4039] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 166.954673][ T4039] RIP: 0033:0x7fc8868064d9 [ 166.959081][ T4039] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 166.978781][ T4039] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 166.987202][ T4039] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 166.995165][ T4039] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 167.003134][ T4039] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4040] <... openat resumed>) = ? [pid 4039] <... openat resumed>) = ? [pid 4039] +++ exited with 0 +++ [pid 4040] +++ exited with 0 +++ [pid 4038] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4038, si_uid=0, si_status=0, si_utime=0, si_stime=42} --- umount2("./133", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./133", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./133/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./133/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./133/binderfs") = 0 [ 167.011116][ T4039] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 167.019088][ T4039] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 167.027065][ T4039] umount2("./133/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./133/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./133/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./133/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./133/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./133/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./133") = 0 mkdir("./134", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4041 ./strace-static-x86_64: Process 4041 attached [pid 4041] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4041] chdir("./134") = 0 [pid 4041] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4041] setpgid(0, 0) = 0 [pid 4041] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4041] write(3, "1000", 4) = 4 [pid 4041] close(3) = 0 [pid 4041] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4041] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4041] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4041] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4041] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4042], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4042 [pid 4041] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4041] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4042 attached [pid 4042] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4042] memfd_create("syzkaller", 0) = 3 [pid 4042] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4042] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4042] munmap(0x7fc87e392000, 16777216) = 0 [pid 4042] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4042] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4042] close(3) = 0 [pid 4042] mkdir("./file0", 0777) = 0 [ 167.323876][ T4042] loop0: detected capacity change from 0 to 32768 [ 167.334450][ T4042] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 167.342710][ T4042] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 167.352168][ T4042] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 167.361227][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 167.368011][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4042] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4042] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4042] chdir("./file0") = 0 [pid 4042] ioctl(4, LOOP_CLR_FD) = 0 [pid 4042] close(4) = 0 [pid 4042] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4041] <... futex resumed>) = 0 [pid 4041] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4041] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4042] <... futex resumed>) = 1 [pid 4042] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4042] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4041] <... futex resumed>) = 0 [pid 4041] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4041] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4042] <... futex resumed>) = 1 [ 167.401504][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 167.409644][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 167.415254][ T4042] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 167.431610][ T4042] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 167.440581][ T4042] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 167.440581][ T4042] inode = 12 2341 [pid 4042] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4041] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4041] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 4041] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4041] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4041] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4041] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4043], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4043 [pid 4041] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4043 attached [pid 4043] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 167.440581][ T4042] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 167.459436][ T4042] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 167.468885][ T4042] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4042 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 167.479138][ T4042] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 167.484564][ T4043] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 167.496040][ T4042] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 167.496560][ T4043] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 167.512560][ T4042] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 167.512907][ T4043] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4042 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 167.531354][ T4042] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 167.533108][ T4042] gfs2: fsid=syz:syz.0: File system withdrawn [ 167.538379][ T4043] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4043 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 167.553943][ T4042] CPU: 1 PID: 4042 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 167.553966][ T4042] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 167.553977][ T4042] Call Trace: [ 167.553984][ T4042] [ 167.553992][ T4042] dump_stack_lvl+0x1b1/0x28e [ 167.564967][ T4043] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 167.574425][ T4042] ? nf_tcp_handle_invalid+0x62e/0x62e [ 167.574455][ T4042] ? panic+0x710/0x710 [ 167.574476][ T4042] ? kobject_uevent_env+0x46b/0x8e0 [ 167.574495][ T4042] ? do_raw_spin_unlock+0x134/0x8a0 [ 167.574524][ T4042] gfs2_withdraw+0xf33/0x1540 [ 167.574559][ T4042] ? gfs2_lm+0x220/0x220 [ 167.574575][ T4042] ? gfs2_dirent_scan+0xb6/0x650 [ 167.627491][ T4042] ? panic+0x710/0x710 [ 167.631571][ T4042] ? gfs2_permission+0x2ff/0x430 [ 167.636505][ T4042] ? gfs2_consist_inode_i+0xf3/0x110 [ 167.641793][ T4042] gfs2_dirent_scan+0x535/0x650 [ 167.646685][ T4042] ? gfs2_dirent_search+0xb10/0xb10 [ 167.651880][ T4042] gfs2_dirent_search+0x2ea/0xb10 [ 167.656900][ T4042] ? gfs2_dirent_search+0xb10/0xb10 [ 167.662091][ T4042] ? gfs2_dir_search+0x2a0/0x2a0 [ 167.667028][ T4042] ? gfs2_permission+0x3bf/0x430 [ 167.671977][ T4042] gfs2_dir_search+0x8c/0x2a0 [ 167.676655][ T4042] ? do_filldir_main+0x530/0x530 [ 167.681598][ T4042] ? inode_go_held+0xe4/0x1f0 [ 167.686274][ T4042] ? gfs2_glock_wait+0x213/0x2a0 [ 167.691218][ T4042] gfs2_lookupi+0x465/0x650 [ 167.695740][ T4042] ? gfs2_lookup_simple+0x170/0x170 [pid 4043] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 4041] exit_group(0) = ? [ 167.700944][ T4042] ? __gfs2_lookup+0x8c/0x260 [ 167.705653][ T4042] __gfs2_lookup+0x8c/0x260 [ 167.710159][ T4042] ? gfs2_atomic_open+0x230/0x230 [ 167.715188][ T4042] ? __d_lookup+0x6a4/0x770 [ 167.719692][ T4042] ? d_hash_and_lookup+0x1c0/0x1c0 [ 167.724804][ T4042] gfs2_atomic_open+0xa4/0x230 [ 167.729582][ T4042] path_openat+0xf39/0x2df0 [ 167.734083][ T4042] ? gfs2_rename2+0x3000/0x3000 [ 167.738934][ T4042] ? do_filp_open+0x4f0/0x4f0 [ 167.743617][ T4042] do_filp_open+0x264/0x4f0 [ 167.748118][ T4042] ? vfs_tmpfile+0x490/0x490 [ 167.752719][ T4042] ? do_raw_spin_unlock+0x134/0x8a0 [ 167.757922][ T4042] ? _raw_spin_unlock+0x24/0x40 [ 167.762768][ T4042] ? alloc_fd+0x5a7/0x640 [ 167.767120][ T4042] do_sys_openat2+0x124/0x4e0 [ 167.771787][ T4042] ? print_irqtrace_events+0x220/0x220 [ 167.777232][ T4042] ? ptrace_stop+0x74d/0x970 [ 167.781823][ T4042] ? do_sys_open+0x220/0x220 [ 167.786403][ T4042] ? lockdep_hardirqs_on+0x8d/0x130 [ 167.791599][ T4042] ? _raw_spin_unlock_irq+0x2a/0x40 [ 167.796796][ T4042] ? ptrace_notify+0x245/0x340 [ 167.801556][ T4042] __x64_sys_openat+0x243/0x290 [ 167.806407][ T4042] ? __ia32_sys_open+0x270/0x270 [ 167.811339][ T4042] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 167.817325][ T4042] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 167.823314][ T4042] do_syscall_64+0x3d/0xb0 [ 167.829254][ T4042] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 167.835152][ T4042] RIP: 0033:0x7fc8868064d9 [ 167.839573][ T4042] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 167.859169][ T4042] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 167.869497][ T4042] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 167.877478][ T4042] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 167.885438][ T4042] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 167.893428][ T4042] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 4043] <... openat resumed>) = ? [pid 4042] <... openat resumed>) = ? [pid 4043] +++ exited with 0 +++ [pid 4042] +++ exited with 0 +++ [pid 4041] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4041, si_uid=0, si_status=0, si_utime=1, si_stime=39} --- umount2("./134", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./134", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./134/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./134/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./134/binderfs") = 0 [ 167.901409][ T4042] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 167.909406][ T4042] umount2("./134/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./134/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./134/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./134/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./134/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./134/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./134") = 0 mkdir("./135", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4044 ./strace-static-x86_64: Process 4044 attached [pid 4044] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4044] chdir("./135") = 0 [pid 4044] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4044] setpgid(0, 0) = 0 [pid 4044] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4044] write(3, "1000", 4) = 4 [pid 4044] close(3) = 0 [pid 4044] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4044] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4044] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4044] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4044] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4045], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4045 [pid 4044] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4044] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4045 attached [pid 4045] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4045] memfd_create("syzkaller", 0) = 3 [pid 4045] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4045] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4045] munmap(0x7fc87e392000, 16777216) = 0 [pid 4045] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4045] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4045] close(3) = 0 [pid 4045] mkdir("./file0", 0777) = 0 [ 168.196712][ T4045] loop0: detected capacity change from 0 to 32768 [ 168.207650][ T4045] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 168.215958][ T4045] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 168.227937][ T4045] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 168.236628][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 168.243636][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4045] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4045] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4045] chdir("./file0") = 0 [pid 4045] ioctl(4, LOOP_CLR_FD) = 0 [pid 4045] close(4) = 0 [pid 4045] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4044] <... futex resumed>) = 0 [pid 4044] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4044] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4045] <... futex resumed>) = 1 [pid 4045] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4045] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4044] <... futex resumed>) = 0 [pid 4044] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4044] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4045] <... futex resumed>) = 1 [ 168.283422][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 168.292133][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 168.297399][ T4045] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 168.317584][ T4045] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 168.326563][ T4045] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 4045] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4044] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4044] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4044] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4044] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4044] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4046], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4046 [pid 4044] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4046 attached [pid 4046] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4046] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4046] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 168.326563][ T4045] inode = 12 2341 [ 168.326563][ T4045] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 168.345718][ T4045] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 168.355113][ T4045] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4045 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 168.365433][ T4045] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 168.374257][ T4045] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 168.382301][ T4045] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 168.391460][ T4045] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 168.399240][ T4045] gfs2: fsid=syz:syz.0: File system withdrawn [ 168.405823][ T4045] CPU: 0 PID: 4045 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 168.416230][ T4045] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 168.426272][ T4045] Call Trace: [ 168.429540][ T4045] [ 168.432479][ T4045] dump_stack_lvl+0x1b1/0x28e [ 168.437160][ T4045] ? nf_tcp_handle_invalid+0x62e/0x62e [ 168.442604][ T4045] ? panic+0x710/0x710 [ 168.446659][ T4045] ? kobject_uevent_env+0x46b/0x8e0 [ 168.451842][ T4045] ? do_raw_spin_unlock+0x134/0x8a0 [ 168.457031][ T4045] gfs2_withdraw+0xf33/0x1540 [ 168.461708][ T4045] ? gfs2_lm+0x220/0x220 [ 168.465934][ T4045] ? gfs2_dirent_scan+0xb6/0x650 [ 168.470864][ T4045] ? panic+0x710/0x710 [ 168.474918][ T4045] ? gfs2_permission+0x2ff/0x430 [ 168.479846][ T4045] ? gfs2_consist_inode_i+0xf3/0x110 [ 168.485116][ T4045] gfs2_dirent_scan+0x535/0x650 [ 168.489954][ T4045] ? gfs2_dirent_search+0xb10/0xb10 [ 168.495141][ T4045] gfs2_dirent_search+0x2ea/0xb10 [ 168.500161][ T4045] ? gfs2_dirent_search+0xb10/0xb10 [ 168.505350][ T4045] ? gfs2_dir_search+0x2a0/0x2a0 [ 168.510280][ T4045] ? gfs2_permission+0x3bf/0x430 [ 168.515233][ T4045] gfs2_dir_search+0x8c/0x2a0 [ 168.519915][ T4045] ? do_filldir_main+0x530/0x530 [ 168.524850][ T4045] ? inode_go_held+0xe4/0x1f0 [ 168.529527][ T4045] ? gfs2_glock_wait+0x213/0x2a0 [ 168.534462][ T4045] gfs2_lookupi+0x465/0x650 [ 168.538970][ T4045] ? gfs2_lookup_simple+0x170/0x170 [ 168.544167][ T4045] ? __gfs2_lookup+0x8c/0x260 [ 168.548844][ T4045] __gfs2_lookup+0x8c/0x260 [ 168.553341][ T4045] ? gfs2_atomic_open+0x230/0x230 [ 168.558361][ T4045] ? __d_lookup+0x6a4/0x770 [ 168.562855][ T4045] ? d_hash_and_lookup+0x1c0/0x1c0 [ 168.567959][ T4045] gfs2_atomic_open+0xa4/0x230 [ 168.572721][ T4045] path_openat+0xf39/0x2df0 [ 168.577222][ T4045] ? gfs2_rename2+0x3000/0x3000 [ 168.582083][ T4045] ? do_filp_open+0x4f0/0x4f0 [ 168.586767][ T4045] do_filp_open+0x264/0x4f0 [ 168.591264][ T4045] ? vfs_tmpfile+0x490/0x490 [ 168.595861][ T4045] ? do_raw_spin_unlock+0x134/0x8a0 [ 168.601073][ T4045] ? _raw_spin_unlock+0x24/0x40 [ 168.605964][ T4045] ? alloc_fd+0x5a7/0x640 [ 168.610308][ T4045] do_sys_openat2+0x124/0x4e0 [ 168.615002][ T4045] ? print_irqtrace_events+0x220/0x220 [ 168.620464][ T4045] ? ptrace_stop+0x74d/0x970 [ 168.625052][ T4045] ? do_sys_open+0x220/0x220 [ 168.629636][ T4045] ? lockdep_hardirqs_on+0x8d/0x130 [ 168.634847][ T4045] ? _raw_spin_unlock_irq+0x2a/0x40 [ 168.640057][ T4045] ? ptrace_notify+0x245/0x340 [ 168.644830][ T4045] __x64_sys_openat+0x243/0x290 [ 168.649695][ T4045] ? __ia32_sys_open+0x270/0x270 [ 168.654663][ T4045] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 168.660642][ T4045] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 168.666615][ T4045] do_syscall_64+0x3d/0xb0 [ 168.671024][ T4045] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 168.676906][ T4045] RIP: 0033:0x7fc8868064d9 [ 168.681312][ T4045] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 168.700908][ T4045] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 168.709313][ T4045] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 168.717277][ T4045] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 168.725242][ T4045] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4046] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4045] <... openat resumed>) = -1 EIO (Input/output error) [pid 4045] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4045] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4044] exit_group(0 [pid 4046] <... futex resumed>) = ? [pid 4044] <... exit_group resumed>) = ? [pid 4046] +++ exited with 0 +++ [pid 4045] <... futex resumed>) = ? [pid 4045] +++ exited with 0 +++ [pid 4044] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4044, si_uid=0, si_status=0, si_utime=1, si_stime=29} --- umount2("./135", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./135", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./135/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./135/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./135/binderfs") = 0 [ 168.733203][ T4045] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 168.741163][ T4045] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 168.749141][ T4045] umount2("./135/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./135/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./135/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./135/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./135/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./135/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./135") = 0 mkdir("./136", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4047 ./strace-static-x86_64: Process 4047 attached [pid 4047] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4047] chdir("./136") = 0 [pid 4047] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4047] setpgid(0, 0) = 0 [pid 4047] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4047] write(3, "1000", 4) = 4 [pid 4047] close(3) = 0 [pid 4047] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4047] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4047] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4047] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4047] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4048], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4048 [pid 4047] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4047] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4048 attached [pid 4048] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4048] memfd_create("syzkaller", 0) = 3 [pid 4048] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4048] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4048] munmap(0x7fc87e392000, 16777216) = 0 [pid 4048] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4048] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4048] close(3) = 0 [pid 4048] mkdir("./file0", 0777) = 0 [ 169.035229][ T4048] loop0: detected capacity change from 0 to 32768 [ 169.045304][ T4048] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 169.053628][ T4048] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 169.062521][ T4048] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 169.071862][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 169.078631][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4048] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4048] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4048] chdir("./file0") = 0 [pid 4048] ioctl(4, LOOP_CLR_FD) = 0 [pid 4048] close(4) = 0 [pid 4048] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4047] <... futex resumed>) = 0 [pid 4047] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4047] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4048] <... futex resumed>) = 1 [pid 4048] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4048] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4047] <... futex resumed>) = 0 [pid 4047] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4048] <... futex resumed>) = 1 [pid 4047] <... futex resumed>) = 0 [pid 4048] openat(AT_FDCWD, "./file0", O_RDONLY [ 169.112026][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 169.119551][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 169.124869][ T4048] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 169.146881][ T4048] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4047] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 4047] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4047] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4047] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4047] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4049], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4049 [ 169.155415][ T4048] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 169.155415][ T4048] inode = 12 2341 [ 169.155415][ T4048] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 169.174846][ T4048] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 169.184127][ T4048] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4048 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 169.194333][ T4048] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 169.202959][ T4048] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 4047] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4049 attached [pid 4049] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4049] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4049] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 169.211213][ T4048] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 169.220647][ T4048] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 169.227191][ T4048] gfs2: fsid=syz:syz.0: File system withdrawn [ 169.233334][ T4048] CPU: 1 PID: 4048 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 169.243762][ T4048] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 169.253823][ T4048] Call Trace: [ 169.259103][ T4048] [ 169.262045][ T4048] dump_stack_lvl+0x1b1/0x28e [ 169.266726][ T4048] ? nf_tcp_handle_invalid+0x62e/0x62e [ 169.272173][ T4048] ? panic+0x710/0x710 [ 169.276241][ T4048] ? kobject_uevent_env+0x46b/0x8e0 [ 169.281475][ T4048] ? do_raw_spin_unlock+0x134/0x8a0 [ 169.286682][ T4048] gfs2_withdraw+0xf33/0x1540 [ 169.291385][ T4048] ? gfs2_lm+0x220/0x220 [ 169.295628][ T4048] ? gfs2_dirent_scan+0xb6/0x650 [ 169.300582][ T4048] ? panic+0x710/0x710 [ 169.304668][ T4048] ? gfs2_permission+0x2ff/0x430 [ 169.309614][ T4048] ? gfs2_consist_inode_i+0xf3/0x110 [ 169.314904][ T4048] gfs2_dirent_scan+0x535/0x650 [ 169.319749][ T4048] ? gfs2_dirent_search+0xb10/0xb10 [ 169.324950][ T4048] gfs2_dirent_search+0x2ea/0xb10 [ 169.329985][ T4048] ? gfs2_dirent_search+0xb10/0xb10 [ 169.335180][ T4048] ? gfs2_dir_search+0x2a0/0x2a0 [ 169.340114][ T4048] ? gfs2_permission+0x3bf/0x430 [ 169.345052][ T4048] gfs2_dir_search+0x8c/0x2a0 [ 169.349726][ T4048] ? do_filldir_main+0x530/0x530 [ 169.354661][ T4048] ? inode_go_held+0xe4/0x1f0 [ 169.359335][ T4048] ? gfs2_glock_wait+0x213/0x2a0 [ 169.364266][ T4048] gfs2_lookupi+0x465/0x650 [ 169.368767][ T4048] ? gfs2_lookup_simple+0x170/0x170 [ 169.373960][ T4048] ? __gfs2_lookup+0x8c/0x260 [ 169.378645][ T4048] __gfs2_lookup+0x8c/0x260 [ 169.383231][ T4048] ? gfs2_atomic_open+0x230/0x230 [ 169.388253][ T4048] ? __d_lookup+0x6a4/0x770 [ 169.392748][ T4048] ? d_hash_and_lookup+0x1c0/0x1c0 [ 169.397856][ T4048] gfs2_atomic_open+0xa4/0x230 [ 169.402617][ T4048] path_openat+0xf39/0x2df0 [ 169.407118][ T4048] ? gfs2_rename2+0x3000/0x3000 [ 169.411978][ T4048] ? do_filp_open+0x4f0/0x4f0 [ 169.416693][ T4048] do_filp_open+0x264/0x4f0 [ 169.421200][ T4048] ? vfs_tmpfile+0x490/0x490 [ 169.425791][ T4048] ? do_raw_spin_unlock+0x134/0x8a0 [ 169.430994][ T4048] ? _raw_spin_unlock+0x24/0x40 [ 169.436883][ T4048] ? alloc_fd+0x5a7/0x640 [ 169.441217][ T4048] do_sys_openat2+0x124/0x4e0 [ 169.445913][ T4048] ? print_irqtrace_events+0x220/0x220 [ 169.451362][ T4048] ? ptrace_stop+0x74d/0x970 [ 169.455952][ T4048] ? do_sys_open+0x220/0x220 [ 169.460541][ T4048] ? lockdep_hardirqs_on+0x8d/0x130 [ 169.465736][ T4048] ? _raw_spin_unlock_irq+0x2a/0x40 [ 169.470929][ T4048] ? ptrace_notify+0x245/0x340 [ 169.475708][ T4048] __x64_sys_openat+0x243/0x290 [ 169.480572][ T4048] ? __ia32_sys_open+0x270/0x270 [ 169.485504][ T4048] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 169.491481][ T4048] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 169.497457][ T4048] do_syscall_64+0x3d/0xb0 [ 169.501868][ T4048] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 169.507753][ T4048] RIP: 0033:0x7fc8868064d9 [ 169.512160][ T4048] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 169.531759][ T4048] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 169.540179][ T4048] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 169.548144][ T4048] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 169.556106][ T4048] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4049] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4048] <... openat resumed>) = -1 EIO (Input/output error) [pid 4048] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4048] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4047] exit_group(0 [pid 4049] <... futex resumed>) = ? [pid 4048] <... futex resumed>) = ? [pid 4047] <... exit_group resumed>) = ? [pid 4049] +++ exited with 0 +++ [pid 4048] +++ exited with 0 +++ [pid 4047] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4047, si_uid=0, si_status=0, si_utime=0, si_stime=33} --- umount2("./136", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./136", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./136/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./136/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./136/binderfs") = 0 [ 169.564066][ T4048] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 169.572026][ T4048] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 169.580000][ T4048] umount2("./136/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./136/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./136/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./136/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./136/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./136/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./136") = 0 mkdir("./137", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4050 ./strace-static-x86_64: Process 4050 attached [pid 4050] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4050] chdir("./137") = 0 [pid 4050] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4050] setpgid(0, 0) = 0 [pid 4050] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4050] write(3, "1000", 4) = 4 [pid 4050] close(3) = 0 [pid 4050] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4050] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4050] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4050] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4050] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4051], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4051 [pid 4050] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4050] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4051 attached [pid 4051] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4051] memfd_create("syzkaller", 0) = 3 [pid 4051] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4051] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4051] munmap(0x7fc87e392000, 16777216) = 0 [pid 4051] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4051] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4051] close(3) = 0 [pid 4051] mkdir("./file0", 0777) = 0 [ 169.867659][ T4051] loop0: detected capacity change from 0 to 32768 [ 169.878482][ T4051] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 169.886944][ T4051] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 169.896926][ T4051] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 169.905795][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 169.912947][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4051] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4051] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4051] chdir("./file0") = 0 [pid 4051] ioctl(4, LOOP_CLR_FD) = 0 [pid 4051] close(4) = 0 [pid 4051] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4050] <... futex resumed>) = 0 [pid 4050] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4050] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4051] <... futex resumed>) = 1 [pid 4051] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4051] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4050] <... futex resumed>) = 0 [pid 4050] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4050] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4051] <... futex resumed>) = 1 [ 169.950179][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 169.958668][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 169.964019][ T4051] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 169.988355][ T4051] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4051] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4050] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4050] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4050] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4050] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4050] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4052], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4052 [pid 4050] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4052 attached [pid 4052] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 169.997447][ T4051] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 169.997447][ T4051] inode = 12 2341 [ 169.997447][ T4051] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 170.016583][ T4051] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 170.026238][ T4051] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4051 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 170.036761][ T4051] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 170.044312][ T4052] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 170.046205][ T4051] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 170.054160][ T4052] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 170.061259][ T4051] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 170.070460][ T4052] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4051 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 170.079013][ T4051] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 170.089103][ T4052] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4052 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 170.097270][ T4051] gfs2: fsid=syz:syz.0: File system withdrawn [ 170.105715][ T4052] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 170.111827][ T4051] CPU: 1 PID: 4051 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 170.130264][ T4051] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 170.140323][ T4051] Call Trace: [ 170.143599][ T4051] [ 170.146522][ T4051] dump_stack_lvl+0x1b1/0x28e [ 170.151197][ T4051] ? nf_tcp_handle_invalid+0x62e/0x62e [ 170.156647][ T4051] ? panic+0x710/0x710 [ 170.160710][ T4051] ? kobject_uevent_env+0x46b/0x8e0 [ 170.165901][ T4051] ? do_raw_spin_unlock+0x134/0x8a0 [ 170.171100][ T4051] gfs2_withdraw+0xf33/0x1540 [ 170.175783][ T4051] ? gfs2_lm+0x220/0x220 [ 170.180022][ T4051] ? gfs2_dirent_scan+0xb6/0x650 [ 170.184959][ T4051] ? panic+0x710/0x710 [ 170.189043][ T4051] ? gfs2_permission+0x2ff/0x430 [ 170.193981][ T4051] ? gfs2_consist_inode_i+0xf3/0x110 [ 170.199269][ T4051] gfs2_dirent_scan+0x535/0x650 [ 170.204130][ T4051] ? gfs2_dirent_search+0xb10/0xb10 [ 170.209415][ T4051] gfs2_dirent_search+0x2ea/0xb10 [ 170.214439][ T4051] ? gfs2_dirent_search+0xb10/0xb10 [ 170.219636][ T4051] ? gfs2_dir_search+0x2a0/0x2a0 [ 170.224568][ T4051] ? gfs2_permission+0x3bf/0x430 [ 170.229507][ T4051] gfs2_dir_search+0x8c/0x2a0 [ 170.234528][ T4051] ? do_filldir_main+0x530/0x530 [ 170.239473][ T4051] ? inode_go_held+0xe4/0x1f0 [ 170.244234][ T4051] ? gfs2_glock_wait+0x213/0x2a0 [ 170.249167][ T4051] gfs2_lookupi+0x465/0x650 [ 170.253673][ T4051] ? gfs2_lookup_simple+0x170/0x170 [ 170.258865][ T4051] ? __gfs2_lookup+0x8c/0x260 [ 170.263542][ T4051] __gfs2_lookup+0x8c/0x260 [ 170.268041][ T4051] ? gfs2_atomic_open+0x230/0x230 [ 170.273063][ T4051] ? __d_lookup+0x6a4/0x770 [ 170.277557][ T4051] ? d_hash_and_lookup+0x1c0/0x1c0 [ 170.282662][ T4051] gfs2_atomic_open+0xa4/0x230 [ 170.287430][ T4051] path_openat+0xf39/0x2df0 [ 170.291935][ T4051] ? gfs2_rename2+0x3000/0x3000 [ 170.296793][ T4051] ? do_filp_open+0x4f0/0x4f0 [ 170.301476][ T4051] do_filp_open+0x264/0x4f0 [ 170.305975][ T4051] ? vfs_tmpfile+0x490/0x490 [ 170.310569][ T4051] ? do_raw_spin_unlock+0x134/0x8a0 [ 170.315766][ T4051] ? _raw_spin_unlock+0x24/0x40 [ 170.320616][ T4051] ? alloc_fd+0x5a7/0x640 [ 170.324951][ T4051] do_sys_openat2+0x124/0x4e0 [ 170.329641][ T4051] ? print_irqtrace_events+0x220/0x220 [ 170.335092][ T4051] ? ptrace_stop+0x74d/0x970 [ 170.339719][ T4051] ? do_sys_open+0x220/0x220 [ 170.344304][ T4051] ? lockdep_hardirqs_on+0x8d/0x130 [ 170.349500][ T4051] ? _raw_spin_unlock_irq+0x2a/0x40 [ 170.354697][ T4051] ? ptrace_notify+0x245/0x340 [ 170.359455][ T4051] __x64_sys_openat+0x243/0x290 [ 170.364304][ T4051] ? __ia32_sys_open+0x270/0x270 [ 170.369239][ T4051] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 170.375222][ T4051] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 170.381201][ T4051] do_syscall_64+0x3d/0xb0 [ 170.385610][ T4051] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 170.391494][ T4051] RIP: 0033:0x7fc8868064d9 [ 170.395901][ T4051] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 170.415502][ T4051] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 170.423908][ T4051] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 170.431871][ T4051] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 170.439834][ T4051] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4052] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 4051] <... openat resumed>) = -1 EIO (Input/output error) [pid 4051] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4051] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4052] <... openat resumed>) = -1 EIO (Input/output error) [pid 4052] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4052] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4050] exit_group(0 [pid 4052] <... futex resumed>) = ? [pid 4050] <... exit_group resumed>) = ? [pid 4052] +++ exited with 0 +++ [pid 4051] <... futex resumed>) = ? [pid 4051] +++ exited with 0 +++ [pid 4050] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4050, si_uid=0, si_status=0, si_utime=0, si_stime=41} --- umount2("./137", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./137", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./137/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./137/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./137/binderfs") = 0 [ 170.447795][ T4051] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 170.455753][ T4051] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 170.463728][ T4051] umount2("./137/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./137/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./137/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./137/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./137/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./137/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./137") = 0 mkdir("./138", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4053 ./strace-static-x86_64: Process 4053 attached [pid 4053] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4053] chdir("./138") = 0 [pid 4053] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4053] setpgid(0, 0) = 0 [pid 4053] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4053] write(3, "1000", 4) = 4 [pid 4053] close(3) = 0 [pid 4053] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4053] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4053] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4053] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4053] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 4054 attached , parent_tid=[4054], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4054 [pid 4054] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4054] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4053] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4054] <... futex resumed>) = 0 [pid 4053] <... futex resumed>) = 1 [pid 4053] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4054] memfd_create("syzkaller", 0) = 3 [pid 4054] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4054] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4054] munmap(0x7fc87e392000, 16777216) = 0 [pid 4054] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4054] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4054] close(3) = 0 [pid 4054] mkdir("./file0", 0777) = 0 [ 170.761654][ T4054] loop0: detected capacity change from 0 to 32768 [ 170.772071][ T4054] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 170.780304][ T4054] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 170.789898][ T4054] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 170.799204][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 170.806332][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4054] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4054] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4054] chdir("./file0") = 0 [pid 4054] ioctl(4, LOOP_CLR_FD) = 0 [pid 4054] close(4) = 0 [pid 4054] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4053] <... futex resumed>) = 0 [pid 4053] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4053] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4054] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4054] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4053] <... futex resumed>) = 0 [pid 4053] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4053] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 170.838785][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 170.846334][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 170.851881][ T4054] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 170.887067][ T4054] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 170.895797][ T4054] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 170.895797][ T4054] inode = 12 2341 [ 170.895797][ T4054] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 170.916444][ T4054] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 170.926042][ T4054] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4054 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 4054] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4053] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4053] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4053] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4053] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4053] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4055], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4055 [pid 4053] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4055 attached [pid 4055] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4055] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4055] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 170.936282][ T4054] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 170.945126][ T4054] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 170.952693][ T4054] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 170.961713][ T4054] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 170.969947][ T4054] gfs2: fsid=syz:syz.0: File system withdrawn [ 170.976358][ T4054] CPU: 0 PID: 4054 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 170.988507][ T4054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 170.998558][ T4054] Call Trace: [ 171.001834][ T4054] [ 171.004779][ T4054] dump_stack_lvl+0x1b1/0x28e [ 171.009465][ T4054] ? nf_tcp_handle_invalid+0x62e/0x62e [ 171.014921][ T4054] ? panic+0x710/0x710 [ 171.018990][ T4054] ? kobject_uevent_env+0x46b/0x8e0 [ 171.024193][ T4054] ? do_raw_spin_unlock+0x134/0x8a0 [ 171.029396][ T4054] gfs2_withdraw+0xf33/0x1540 [pid 4055] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4053] exit_group(0 [pid 4055] <... futex resumed>) = ? [pid 4053] <... exit_group resumed>) = ? [pid 4055] +++ exited with 0 +++ [ 171.034090][ T4054] ? gfs2_lm+0x220/0x220 [ 171.038335][ T4054] ? gfs2_dirent_scan+0xb6/0x650 [ 171.043270][ T4054] ? panic+0x710/0x710 [ 171.047328][ T4054] ? gfs2_permission+0x2ff/0x430 [ 171.052257][ T4054] ? gfs2_consist_inode_i+0xf3/0x110 [ 171.057533][ T4054] gfs2_dirent_scan+0x535/0x650 [ 171.062391][ T4054] ? gfs2_dirent_search+0xb10/0xb10 [ 171.067598][ T4054] gfs2_dirent_search+0x2ea/0xb10 [ 171.072618][ T4054] ? gfs2_dirent_search+0xb10/0xb10 [ 171.077821][ T4054] ? gfs2_dir_search+0x2a0/0x2a0 [ 171.082788][ T4054] ? gfs2_permission+0x3bf/0x430 [ 171.087739][ T4054] gfs2_dir_search+0x8c/0x2a0 [ 171.092410][ T4054] ? do_filldir_main+0x530/0x530 [ 171.097425][ T4054] ? inode_go_held+0xe4/0x1f0 [ 171.102092][ T4054] ? gfs2_glock_wait+0x213/0x2a0 [ 171.107017][ T4054] gfs2_lookupi+0x465/0x650 [ 171.111519][ T4054] ? gfs2_lookup_simple+0x170/0x170 [ 171.116707][ T4054] ? __gfs2_lookup+0x8c/0x260 [ 171.121378][ T4054] __gfs2_lookup+0x8c/0x260 [ 171.125894][ T4054] ? gfs2_atomic_open+0x230/0x230 [ 171.130928][ T4054] ? __d_lookup+0x6a4/0x770 [ 171.135427][ T4054] ? d_hash_and_lookup+0x1c0/0x1c0 [ 171.140543][ T4054] gfs2_atomic_open+0xa4/0x230 [ 171.145309][ T4054] path_openat+0xf39/0x2df0 [ 171.149812][ T4054] ? gfs2_rename2+0x3000/0x3000 [ 171.154686][ T4054] ? do_filp_open+0x4f0/0x4f0 [ 171.159383][ T4054] do_filp_open+0x264/0x4f0 [ 171.163906][ T4054] ? vfs_tmpfile+0x490/0x490 [ 171.168522][ T4054] ? do_raw_spin_unlock+0x134/0x8a0 [ 171.173734][ T4054] ? _raw_spin_unlock+0x24/0x40 [ 171.178580][ T4054] ? alloc_fd+0x5a7/0x640 [ 171.182907][ T4054] do_sys_openat2+0x124/0x4e0 [ 171.187582][ T4054] ? print_irqtrace_events+0x220/0x220 [ 171.193028][ T4054] ? ptrace_stop+0x74d/0x970 [ 171.197623][ T4054] ? do_sys_open+0x220/0x220 [ 171.202218][ T4054] ? lockdep_hardirqs_on+0x8d/0x130 [ 171.207418][ T4054] ? _raw_spin_unlock_irq+0x2a/0x40 [ 171.212629][ T4054] ? ptrace_notify+0x245/0x340 [ 171.217397][ T4054] __x64_sys_openat+0x243/0x290 [ 171.222253][ T4054] ? __ia32_sys_open+0x270/0x270 [ 171.227199][ T4054] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 171.233173][ T4054] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 171.239152][ T4054] do_syscall_64+0x3d/0xb0 [ 171.243563][ T4054] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 171.249447][ T4054] RIP: 0033:0x7fc8868064d9 [ 171.253853][ T4054] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 171.273477][ T4054] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 4054] <... openat resumed>) = ? [pid 4054] +++ exited with 0 +++ [pid 4053] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4053, si_uid=0, si_status=0, si_utime=3, si_stime=26} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./138", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./138", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./138/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./138/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./138/binderfs") = 0 [ 171.281903][ T4054] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 171.289877][ T4054] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 171.297858][ T4054] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 171.305817][ T4054] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 171.313784][ T4054] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 171.321758][ T4054] umount2("./138/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./138/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./138/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./138/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./138/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./138/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./138") = 0 mkdir("./139", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4056 ./strace-static-x86_64: Process 4056 attached [pid 4056] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4056] chdir("./139") = 0 [pid 4056] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4056] setpgid(0, 0) = 0 [pid 4056] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4056] write(3, "1000", 4) = 4 [pid 4056] close(3) = 0 [pid 4056] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4056] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4056] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4056] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4056] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4057], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4057 [pid 4056] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4056] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4057 attached [pid 4057] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4057] memfd_create("syzkaller", 0) = 3 [pid 4057] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4057] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4057] munmap(0x7fc87e392000, 16777216) = 0 [pid 4057] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4057] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4057] close(3) = 0 [pid 4057] mkdir("./file0", 0777) = 0 [ 171.607156][ T4057] loop0: detected capacity change from 0 to 32768 [ 171.618146][ T4057] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 171.626628][ T4057] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 171.636710][ T4057] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 171.645546][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 171.652667][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4057] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4057] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4057] chdir("./file0") = 0 [pid 4057] ioctl(4, LOOP_CLR_FD) = 0 [pid 4057] close(4) = 0 [pid 4057] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4056] <... futex resumed>) = 0 [pid 4056] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4056] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4057] <... futex resumed>) = 1 [pid 4057] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4057] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4056] <... futex resumed>) = 0 [pid 4056] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4056] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4057] <... futex resumed>) = 1 [ 171.685044][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 171.693824][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 171.699059][ T4057] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 171.722362][ T4057] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4057] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4056] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4056] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4056] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4056] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4056] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4058], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4058 [pid 4056] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4058 attached [pid 4058] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4058] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4058] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 171.731272][ T4057] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 171.731272][ T4057] inode = 12 2341 [ 171.731272][ T4057] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 171.750551][ T4057] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 171.759640][ T4057] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4057 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 171.770213][ T4057] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 171.778669][ T4057] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 171.786449][ T4057] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 171.795771][ T4057] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 171.803853][ T4057] gfs2: fsid=syz:syz.0: File system withdrawn [ 171.809947][ T4057] CPU: 0 PID: 4057 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 171.820368][ T4057] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 171.830422][ T4057] Call Trace: [ 171.833702][ T4057] [ 171.836643][ T4057] dump_stack_lvl+0x1b1/0x28e [ 171.841329][ T4057] ? nf_tcp_handle_invalid+0x62e/0x62e [ 171.846778][ T4057] ? panic+0x710/0x710 [ 171.850840][ T4057] ? kobject_uevent_env+0x46b/0x8e0 [ 171.856036][ T4057] ? do_raw_spin_unlock+0x134/0x8a0 [ 171.861248][ T4057] gfs2_withdraw+0xf33/0x1540 [ 171.865940][ T4057] ? gfs2_lm+0x220/0x220 [ 171.870197][ T4057] ? gfs2_dirent_scan+0xb6/0x650 [ 171.875145][ T4057] ? panic+0x710/0x710 [ 171.879201][ T4057] ? gfs2_permission+0x2ff/0x430 [pid 4058] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4056] exit_group(0 [pid 4058] <... futex resumed>) = ? [pid 4056] <... exit_group resumed>) = ? [pid 4058] +++ exited with 0 +++ [ 171.884147][ T4057] ? gfs2_consist_inode_i+0xf3/0x110 [ 171.889442][ T4057] gfs2_dirent_scan+0x535/0x650 [ 171.894300][ T4057] ? gfs2_dirent_search+0xb10/0xb10 [ 171.899525][ T4057] gfs2_dirent_search+0x2ea/0xb10 [ 171.904577][ T4057] ? gfs2_dirent_search+0xb10/0xb10 [ 171.909770][ T4057] ? gfs2_dir_search+0x2a0/0x2a0 [ 171.914711][ T4057] ? gfs2_permission+0x3bf/0x430 [ 171.919696][ T4057] gfs2_dir_search+0x8c/0x2a0 [ 171.924414][ T4057] ? do_filldir_main+0x530/0x530 [ 171.929362][ T4057] ? inode_go_held+0xe4/0x1f0 [ 171.934046][ T4057] ? gfs2_glock_wait+0x213/0x2a0 [ 171.938991][ T4057] gfs2_lookupi+0x465/0x650 [ 171.943505][ T4057] ? gfs2_lookup_simple+0x170/0x170 [ 171.948712][ T4057] ? __gfs2_lookup+0x8c/0x260 [ 171.953381][ T4057] __gfs2_lookup+0x8c/0x260 [ 171.957879][ T4057] ? gfs2_atomic_open+0x230/0x230 [ 171.962912][ T4057] ? __d_lookup+0x6a4/0x770 [ 171.968720][ T4057] ? d_hash_and_lookup+0x1c0/0x1c0 [ 171.973839][ T4057] gfs2_atomic_open+0xa4/0x230 [ 171.978630][ T4057] path_openat+0xf39/0x2df0 [ 171.983129][ T4057] ? gfs2_rename2+0x3000/0x3000 [ 171.987980][ T4057] ? do_filp_open+0x4f0/0x4f0 [ 171.992653][ T4057] do_filp_open+0x264/0x4f0 [ 171.997159][ T4057] ? vfs_tmpfile+0x490/0x490 [ 172.001757][ T4057] ? do_raw_spin_unlock+0x134/0x8a0 [ 172.006962][ T4057] ? _raw_spin_unlock+0x24/0x40 [ 172.011819][ T4057] ? alloc_fd+0x5a7/0x640 [ 172.016241][ T4057] do_sys_openat2+0x124/0x4e0 [ 172.020944][ T4057] ? print_irqtrace_events+0x220/0x220 [ 172.026409][ T4057] ? ptrace_stop+0x74d/0x970 [ 172.031009][ T4057] ? do_sys_open+0x220/0x220 [ 172.035593][ T4057] ? lockdep_hardirqs_on+0x8d/0x130 [ 172.040805][ T4057] ? _raw_spin_unlock_irq+0x2a/0x40 [ 172.046008][ T4057] ? ptrace_notify+0x245/0x340 [ 172.050779][ T4057] __x64_sys_openat+0x243/0x290 [ 172.055640][ T4057] ? __ia32_sys_open+0x270/0x270 [ 172.060598][ T4057] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 172.066583][ T4057] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 172.072584][ T4057] do_syscall_64+0x3d/0xb0 [ 172.077249][ T4057] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 172.083144][ T4057] RIP: 0033:0x7fc8868064d9 [ 172.087573][ T4057] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 172.107260][ T4057] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 172.115671][ T4057] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 172.123636][ T4057] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 4057] <... openat resumed>) = ? [pid 4057] +++ exited with 0 +++ [pid 4056] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4056, si_uid=0, si_status=0, si_utime=0, si_stime=30} --- umount2("./139", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./139", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./139/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./139/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./139/binderfs") = 0 [ 172.131601][ T4057] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 172.139571][ T4057] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 172.147547][ T4057] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 172.155523][ T4057] umount2("./139/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./139/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./139/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./139/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./139/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./139/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./139") = 0 mkdir("./140", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4059 ./strace-static-x86_64: Process 4059 attached [pid 4059] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4059] chdir("./140") = 0 [pid 4059] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4059] setpgid(0, 0) = 0 [pid 4059] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4059] write(3, "1000", 4) = 4 [pid 4059] close(3) = 0 [pid 4059] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4059] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4059] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4059] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4059] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4060], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4060 [pid 4059] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4059] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4060 attached [pid 4060] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4060] memfd_create("syzkaller", 0) = 3 [pid 4060] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4060] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4060] munmap(0x7fc87e392000, 16777216) = 0 [pid 4060] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4060] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4060] close(3) = 0 [pid 4060] mkdir("./file0", 0777) = 0 [ 172.452302][ T4060] loop0: detected capacity change from 0 to 32768 [ 172.462474][ T4060] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 172.470815][ T4060] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 172.480826][ T4060] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 172.489610][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 172.497388][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4060] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4060] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4060] chdir("./file0") = 0 [pid 4060] ioctl(4, LOOP_CLR_FD) = 0 [pid 4060] close(4) = 0 [pid 4060] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4059] <... futex resumed>) = 0 [pid 4060] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4059] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4059] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4060] <... futex resumed>) = 0 [pid 4060] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4060] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4059] <... futex resumed>) = 0 [pid 4059] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4059] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4060] <... futex resumed>) = 1 [ 172.530591][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 172.538141][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 172.543541][ T4060] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 172.567674][ T4060] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4060] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4059] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 172.576250][ T4060] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 172.576250][ T4060] inode = 12 2341 [ 172.576250][ T4060] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 172.595306][ T4060] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 172.604402][ T4060] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4060 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 172.614513][ T4060] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 172.623080][ T4060] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 4059] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4059] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4059] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4059] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4061], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4061 [pid 4059] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4061 attached [pid 4061] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4061] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4061] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 172.631879][ T4060] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 172.641064][ T4060] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 172.649875][ T4060] gfs2: fsid=syz:syz.0: File system withdrawn [ 172.656453][ T4060] CPU: 0 PID: 4060 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 172.666878][ T4060] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 172.676923][ T4060] Call Trace: [ 172.680194][ T4060] [ 172.683118][ T4060] dump_stack_lvl+0x1b1/0x28e [ 172.687794][ T4060] ? nf_tcp_handle_invalid+0x62e/0x62e [ 172.693262][ T4060] ? panic+0x710/0x710 [ 172.697322][ T4060] ? kobject_uevent_env+0x46b/0x8e0 [ 172.702510][ T4060] ? do_raw_spin_unlock+0x134/0x8a0 [ 172.707704][ T4060] gfs2_withdraw+0xf33/0x1540 [ 172.712394][ T4060] ? gfs2_lm+0x220/0x220 [ 172.716625][ T4060] ? gfs2_dirent_scan+0xb6/0x650 [ 172.721557][ T4060] ? panic+0x710/0x710 [ 172.725615][ T4060] ? gfs2_permission+0x2ff/0x430 [pid 4061] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4059] exit_group(0) = ? [pid 4061] <... futex resumed>) = ? [pid 4061] +++ exited with 0 +++ [ 172.730562][ T4060] ? gfs2_consist_inode_i+0xf3/0x110 [ 172.735848][ T4060] gfs2_dirent_scan+0x535/0x650 [ 172.740720][ T4060] ? gfs2_dirent_search+0xb10/0xb10 [ 172.745924][ T4060] gfs2_dirent_search+0x2ea/0xb10 [ 172.750960][ T4060] ? gfs2_dirent_search+0xb10/0xb10 [ 172.756170][ T4060] ? gfs2_dir_search+0x2a0/0x2a0 [ 172.761213][ T4060] ? gfs2_permission+0x3bf/0x430 [ 172.766156][ T4060] gfs2_dir_search+0x8c/0x2a0 [ 172.770835][ T4060] ? do_filldir_main+0x530/0x530 [ 172.775775][ T4060] ? inode_go_held+0xe4/0x1f0 [ 172.780496][ T4060] ? gfs2_glock_wait+0x213/0x2a0 [ 172.785425][ T4060] gfs2_lookupi+0x465/0x650 [ 172.789924][ T4060] ? gfs2_lookup_simple+0x170/0x170 [ 172.795113][ T4060] ? __gfs2_lookup+0x8c/0x260 [ 172.799798][ T4060] __gfs2_lookup+0x8c/0x260 [ 172.804293][ T4060] ? gfs2_atomic_open+0x230/0x230 [ 172.809307][ T4060] ? __d_lookup+0x6a4/0x770 [ 172.813799][ T4060] ? d_hash_and_lookup+0x1c0/0x1c0 [ 172.818916][ T4060] gfs2_atomic_open+0xa4/0x230 [ 172.823691][ T4060] path_openat+0xf39/0x2df0 [ 172.828205][ T4060] ? gfs2_rename2+0x3000/0x3000 [ 172.833068][ T4060] ? do_filp_open+0x4f0/0x4f0 [ 172.837759][ T4060] do_filp_open+0x264/0x4f0 [ 172.842259][ T4060] ? vfs_tmpfile+0x490/0x490 [ 172.846842][ T4060] ? do_raw_spin_unlock+0x134/0x8a0 [ 172.852031][ T4060] ? _raw_spin_unlock+0x24/0x40 [ 172.856866][ T4060] ? alloc_fd+0x5a7/0x640 [ 172.861193][ T4060] do_sys_openat2+0x124/0x4e0 [ 172.865858][ T4060] ? print_irqtrace_events+0x220/0x220 [ 172.871297][ T4060] ? ptrace_stop+0x74d/0x970 [ 172.875891][ T4060] ? do_sys_open+0x220/0x220 [ 172.880470][ T4060] ? lockdep_hardirqs_on+0x8d/0x130 [ 172.885651][ T4060] ? _raw_spin_unlock_irq+0x2a/0x40 [ 172.890836][ T4060] ? ptrace_notify+0x245/0x340 [ 172.895581][ T4060] __x64_sys_openat+0x243/0x290 [ 172.900420][ T4060] ? __ia32_sys_open+0x270/0x270 [ 172.905341][ T4060] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 172.911307][ T4060] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 172.917273][ T4060] do_syscall_64+0x3d/0xb0 [ 172.921681][ T4060] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 172.927581][ T4060] RIP: 0033:0x7fc8868064d9 [ 172.931998][ T4060] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 172.951943][ T4060] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 172.960343][ T4060] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 172.968299][ T4060] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 4060] <... openat resumed>) = ? [pid 4060] +++ exited with 0 +++ [pid 4059] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4059, si_uid=0, si_status=0, si_utime=4, si_stime=27} --- umount2("./140", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./140", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./140/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./140/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./140/binderfs") = 0 [ 172.976255][ T4060] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 172.984212][ T4060] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 172.992164][ T4060] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 173.000129][ T4060] umount2("./140/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./140/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./140/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./140/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./140/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./140/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./140") = 0 mkdir("./141", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4062 ./strace-static-x86_64: Process 4062 attached [pid 4062] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4062] chdir("./141") = 0 [pid 4062] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4062] setpgid(0, 0) = 0 [pid 4062] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4062] write(3, "1000", 4) = 4 [pid 4062] close(3) = 0 [pid 4062] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4062] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4062] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4062] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4062] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 4063 attached [pid 4063] set_robust_list(0x7fc8867b29e0, 24 [pid 4062] <... clone resumed>, parent_tid=[4063], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4063 [pid 4062] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4063] <... set_robust_list resumed>) = 0 [pid 4062] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4063] memfd_create("syzkaller", 0) = 3 [pid 4063] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4063] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4063] munmap(0x7fc87e392000, 16777216) = 0 [pid 4063] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4063] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4063] close(3) = 0 [pid 4063] mkdir("./file0", 0777) = 0 [ 173.293902][ T4063] loop0: detected capacity change from 0 to 32768 [ 173.305518][ T4063] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 173.313764][ T4063] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 173.323537][ T4063] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 173.332286][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 173.339050][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4063] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4063] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4063] chdir("./file0") = 0 [pid 4063] ioctl(4, LOOP_CLR_FD) = 0 [pid 4063] close(4) = 0 [pid 4063] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4062] <... futex resumed>) = 0 [pid 4062] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4062] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4063] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4063] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4062] <... futex resumed>) = 0 [pid 4062] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4062] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 173.371526][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 173.379740][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 173.385172][ T4063] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 173.406846][ T4063] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4063] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4062] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 173.415825][ T4063] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 173.415825][ T4063] inode = 12 2341 [ 173.415825][ T4063] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 173.434758][ T4063] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 173.444489][ T4063] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4063 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 173.454837][ T4063] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 173.463658][ T4063] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 4062] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4062] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4062] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4062] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4064], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4064 [pid 4062] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4064 attached [pid 4064] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4064] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4064] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 173.471132][ T4063] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 173.480345][ T4063] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 173.487527][ T4063] gfs2: fsid=syz:syz.0: File system withdrawn [ 173.493768][ T4063] CPU: 0 PID: 4063 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 173.504202][ T4063] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 173.514282][ T4063] Call Trace: [ 173.517569][ T4063] [ 173.520502][ T4063] dump_stack_lvl+0x1b1/0x28e [ 173.525199][ T4063] ? nf_tcp_handle_invalid+0x62e/0x62e [ 173.530686][ T4063] ? panic+0x710/0x710 [ 173.534769][ T4063] ? kobject_uevent_env+0x46b/0x8e0 [ 173.539961][ T4063] ? do_raw_spin_unlock+0x134/0x8a0 [ 173.545171][ T4063] gfs2_withdraw+0xf33/0x1540 [ 173.549869][ T4063] ? gfs2_lm+0x220/0x220 [ 173.554102][ T4063] ? gfs2_dirent_scan+0xb6/0x650 [ 173.559043][ T4063] ? panic+0x710/0x710 [ 173.563132][ T4063] ? gfs2_permission+0x2ff/0x430 [pid 4064] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4062] exit_group(0 [pid 4064] <... futex resumed>) = ? [pid 4062] <... exit_group resumed>) = ? [pid 4064] +++ exited with 0 +++ [ 173.568082][ T4063] ? gfs2_consist_inode_i+0xf3/0x110 [ 173.573359][ T4063] gfs2_dirent_scan+0x535/0x650 [ 173.578207][ T4063] ? gfs2_dirent_search+0xb10/0xb10 [ 173.583408][ T4063] gfs2_dirent_search+0x2ea/0xb10 [ 173.588437][ T4063] ? gfs2_dirent_search+0xb10/0xb10 [ 173.593656][ T4063] ? gfs2_dir_search+0x2a0/0x2a0 [ 173.598616][ T4063] ? gfs2_permission+0x3bf/0x430 [ 173.603579][ T4063] gfs2_dir_search+0x8c/0x2a0 [ 173.608253][ T4063] ? do_filldir_main+0x530/0x530 [ 173.613193][ T4063] ? inode_go_held+0xe4/0x1f0 [ 173.617865][ T4063] ? gfs2_glock_wait+0x213/0x2a0 [ 173.622811][ T4063] gfs2_lookupi+0x465/0x650 [ 173.627330][ T4063] ? gfs2_lookup_simple+0x170/0x170 [ 173.632543][ T4063] ? __gfs2_lookup+0x8c/0x260 [ 173.637220][ T4063] __gfs2_lookup+0x8c/0x260 [ 173.641718][ T4063] ? gfs2_atomic_open+0x230/0x230 [ 173.646750][ T4063] ? __d_lookup+0x6a4/0x770 [ 173.651257][ T4063] ? d_hash_and_lookup+0x1c0/0x1c0 [ 173.656369][ T4063] gfs2_atomic_open+0xa4/0x230 [ 173.661143][ T4063] path_openat+0xf39/0x2df0 [ 173.665640][ T4063] ? gfs2_rename2+0x3000/0x3000 [ 173.670511][ T4063] ? do_filp_open+0x4f0/0x4f0 [ 173.675190][ T4063] do_filp_open+0x264/0x4f0 [ 173.679707][ T4063] ? vfs_tmpfile+0x490/0x490 [ 173.684307][ T4063] ? do_raw_spin_unlock+0x134/0x8a0 [ 173.689505][ T4063] ? _raw_spin_unlock+0x24/0x40 [ 173.694347][ T4063] ? alloc_fd+0x5a7/0x640 [ 173.698680][ T4063] do_sys_openat2+0x124/0x4e0 [ 173.703367][ T4063] ? print_irqtrace_events+0x220/0x220 [ 173.708842][ T4063] ? ptrace_stop+0x74d/0x970 [ 173.713462][ T4063] ? do_sys_open+0x220/0x220 [ 173.718138][ T4063] ? lockdep_hardirqs_on+0x8d/0x130 [ 173.723341][ T4063] ? _raw_spin_unlock_irq+0x2a/0x40 [ 173.729320][ T4063] ? ptrace_notify+0x245/0x340 [ 173.734087][ T4063] __x64_sys_openat+0x243/0x290 [ 173.738952][ T4063] ? __ia32_sys_open+0x270/0x270 [ 173.743895][ T4063] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 173.749885][ T4063] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 173.755857][ T4063] do_syscall_64+0x3d/0xb0 [ 173.760279][ T4063] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 173.766177][ T4063] RIP: 0033:0x7fc8868064d9 [ 173.770580][ T4063] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 173.790184][ T4063] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 173.798602][ T4063] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 173.806574][ T4063] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 173.814546][ T4063] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4063] <... openat resumed>) = ? [pid 4063] +++ exited with 0 +++ [pid 4062] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4062, si_uid=0, si_status=0, si_utime=2, si_stime=30} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./141", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./141", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./141/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./141/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./141/binderfs") = 0 [ 173.822523][ T4063] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 173.830498][ T4063] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 173.838469][ T4063] umount2("./141/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./141/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./141/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./141/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./141/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./141/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./141") = 0 mkdir("./142", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4065 ./strace-static-x86_64: Process 4065 attached [pid 4065] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4065] chdir("./142") = 0 [pid 4065] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4065] setpgid(0, 0) = 0 [pid 4065] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4065] write(3, "1000", 4) = 4 [pid 4065] close(3) = 0 [pid 4065] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4065] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4065] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4065] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4065] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4066], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4066 [pid 4065] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4065] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4066 attached [pid 4066] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4066] memfd_create("syzkaller", 0) = 3 [pid 4066] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4066] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4066] munmap(0x7fc87e392000, 16777216) = 0 [pid 4066] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4066] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4066] close(3) = 0 [pid 4066] mkdir("./file0", 0777) = 0 [ 174.117798][ T4066] loop0: detected capacity change from 0 to 32768 [ 174.128490][ T4066] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 174.137062][ T4066] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 174.146952][ T4066] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 174.155805][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 174.163127][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4066] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4066] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4066] chdir("./file0") = 0 [pid 4066] ioctl(4, LOOP_CLR_FD) = 0 [pid 4066] close(4) = 0 [pid 4066] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4065] <... futex resumed>) = 0 [pid 4065] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4065] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4066] <... futex resumed>) = 1 [pid 4066] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4066] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4065] <... futex resumed>) = 0 [pid 4065] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4065] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4066] <... futex resumed>) = 1 [ 174.203783][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 174.212609][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 174.217854][ T4066] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 174.235667][ T4066] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 174.244846][ T4066] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 4066] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4065] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4065] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 4065] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 4065] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4065] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4065] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4065] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4067], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4067 [pid 4065] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4067 attached [pid 4067] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 174.244846][ T4066] inode = 12 2341 [ 174.244846][ T4066] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 174.263795][ T4066] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 174.273169][ T4066] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4066 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 174.283838][ T4066] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 174.288695][ T4067] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 174.292834][ T4066] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 174.307951][ T4066] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 174.308598][ T4067] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 174.316747][ T4066] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 174.318631][ T4066] gfs2: fsid=syz:syz.0: File system withdrawn [ 174.332707][ T4067] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4066 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 174.348451][ T4066] CPU: 1 PID: 4066 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 174.348475][ T4066] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 174.348485][ T4066] Call Trace: [ 174.348491][ T4066] [ 174.348498][ T4066] dump_stack_lvl+0x1b1/0x28e [ 174.359855][ T4067] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4067 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 174.368951][ T4066] ? nf_tcp_handle_invalid+0x62e/0x62e [ 174.368974][ T4066] ? panic+0x710/0x710 [ 174.368993][ T4066] ? kobject_uevent_env+0x46b/0x8e0 [ 174.369014][ T4066] ? do_raw_spin_unlock+0x134/0x8a0 [ 174.369043][ T4066] gfs2_withdraw+0xf33/0x1540 [ 174.369077][ T4066] ? gfs2_lm+0x220/0x220 [ 174.373152][ T4067] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 174.375256][ T4066] ? gfs2_dirent_scan+0xb6/0x650 [ 174.375284][ T4066] ? panic+0x710/0x710 [ 174.436070][ T4066] ? gfs2_permission+0x2ff/0x430 [ 174.441026][ T4066] ? gfs2_consist_inode_i+0xf3/0x110 [ 174.446321][ T4066] gfs2_dirent_scan+0x535/0x650 [ 174.451197][ T4066] ? gfs2_dirent_search+0xb10/0xb10 [ 174.456412][ T4066] gfs2_dirent_search+0x2ea/0xb10 [ 174.461459][ T4066] ? gfs2_dirent_search+0xb10/0xb10 [ 174.466654][ T4066] ? gfs2_dir_search+0x2a0/0x2a0 [ 174.471589][ T4066] ? gfs2_permission+0x3bf/0x430 [ 174.476552][ T4066] gfs2_dir_search+0x8c/0x2a0 [ 174.481246][ T4066] ? do_filldir_main+0x530/0x530 [ 174.486174][ T4066] ? inode_go_held+0xe4/0x1f0 [ 174.490841][ T4066] ? gfs2_glock_wait+0x213/0x2a0 [ 174.495779][ T4066] gfs2_lookupi+0x465/0x650 [pid 4067] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 4065] exit_group(0) = ? [ 174.500294][ T4066] ? gfs2_lookup_simple+0x170/0x170 [ 174.505498][ T4066] ? __gfs2_lookup+0x8c/0x260 [ 174.510205][ T4066] __gfs2_lookup+0x8c/0x260 [ 174.514734][ T4066] ? gfs2_atomic_open+0x230/0x230 [ 174.519761][ T4066] ? __d_lookup+0x6a4/0x770 [ 174.524267][ T4066] ? d_hash_and_lookup+0x1c0/0x1c0 [ 174.529381][ T4066] gfs2_atomic_open+0xa4/0x230 [ 174.534159][ T4066] path_openat+0xf39/0x2df0 [ 174.538658][ T4066] ? gfs2_rename2+0x3000/0x3000 [ 174.543507][ T4066] ? do_filp_open+0x4f0/0x4f0 [ 174.548184][ T4066] do_filp_open+0x264/0x4f0 [ 174.552692][ T4066] ? vfs_tmpfile+0x490/0x490 [ 174.557289][ T4066] ? do_raw_spin_unlock+0x134/0x8a0 [ 174.562494][ T4066] ? _raw_spin_unlock+0x24/0x40 [ 174.567356][ T4066] ? alloc_fd+0x5a7/0x640 [ 174.571681][ T4066] do_sys_openat2+0x124/0x4e0 [ 174.576350][ T4066] ? print_irqtrace_events+0x220/0x220 [ 174.581807][ T4066] ? ptrace_stop+0x74d/0x970 [ 174.586390][ T4066] ? do_sys_open+0x220/0x220 [ 174.590971][ T4066] ? lockdep_hardirqs_on+0x8d/0x130 [ 174.596162][ T4066] ? _raw_spin_unlock_irq+0x2a/0x40 [ 174.601355][ T4066] ? ptrace_notify+0x245/0x340 [ 174.606106][ T4066] __x64_sys_openat+0x243/0x290 [ 174.610976][ T4066] ? __ia32_sys_open+0x270/0x270 [ 174.615916][ T4066] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 174.621906][ T4066] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 174.627875][ T4066] do_syscall_64+0x3d/0xb0 [ 174.632281][ T4066] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 174.638172][ T4066] RIP: 0033:0x7fc8868064d9 [ 174.642574][ T4066] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 174.662184][ T4066] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 174.670767][ T4066] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 174.678733][ T4066] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 174.686695][ T4066] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 174.694657][ T4066] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 4066] <... openat resumed>) = ? [pid 4067] <... openat resumed>) = ? [pid 4066] +++ exited with 0 +++ [pid 4067] +++ exited with 0 +++ [pid 4065] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4065, si_uid=0, si_status=0, si_utime=0, si_stime=42} --- umount2("./142", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./142", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./142/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./142/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./142/binderfs") = 0 [ 174.702638][ T4066] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 174.710627][ T4066] umount2("./142/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./142/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./142/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./142/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./142/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./142/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./142") = 0 mkdir("./143", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4068 ./strace-static-x86_64: Process 4068 attached [pid 4068] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4068] chdir("./143") = 0 [pid 4068] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4068] setpgid(0, 0) = 0 [pid 4068] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4068] write(3, "1000", 4) = 4 [pid 4068] close(3) = 0 [pid 4068] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4068] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4068] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4068] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4068] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4069], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4069 [pid 4068] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4068] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4069 attached [pid 4069] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4069] memfd_create("syzkaller", 0) = 3 [pid 4069] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4069] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4069] munmap(0x7fc87e392000, 16777216) = 0 [pid 4069] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4069] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4069] close(3) = 0 [pid 4069] mkdir("./file0", 0777) = 0 [ 175.002379][ T4069] loop0: detected capacity change from 0 to 32768 [ 175.012931][ T4069] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 175.021180][ T4069] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 175.031175][ T4069] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 175.039541][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 175.046449][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4069] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4069] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4069] chdir("./file0") = 0 [pid 4069] ioctl(4, LOOP_CLR_FD) = 0 [pid 4069] close(4) = 0 [pid 4069] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4068] <... futex resumed>) = 0 [pid 4069] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4068] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4069] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 4068] <... futex resumed>) = 0 [pid 4069] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 4068] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4069] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4069] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4069] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4068] <... futex resumed>) = 0 [pid 4068] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4069] <... futex resumed>) = 0 [pid 4068] <... futex resumed>) = 1 [pid 4069] openat(AT_FDCWD, "./file0", O_RDONLY [ 175.081469][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 175.090301][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 175.095562][ T4069] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 4068] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 4068] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 175.122575][ T4069] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 175.131026][ T4069] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 175.131026][ T4069] inode = 12 2341 [ 175.131026][ T4069] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 175.149967][ T4069] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 175.159258][ T4069] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4069 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 4068] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4068] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4068] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4070], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4070 [pid 4068] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4070 attached [pid 4070] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4070] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4070] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 175.169364][ T4069] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 175.178149][ T4069] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 175.185451][ T4069] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 175.194471][ T4069] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 175.202576][ T4069] gfs2: fsid=syz:syz.0: File system withdrawn [ 175.208662][ T4069] CPU: 0 PID: 4069 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 175.219077][ T4069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 175.229127][ T4069] Call Trace: [ 175.232402][ T4069] [ 175.235325][ T4069] dump_stack_lvl+0x1b1/0x28e [ 175.240011][ T4069] ? nf_tcp_handle_invalid+0x62e/0x62e [ 175.245488][ T4069] ? panic+0x710/0x710 [ 175.249573][ T4069] ? kobject_uevent_env+0x46b/0x8e0 [ 175.254780][ T4069] ? do_raw_spin_unlock+0x134/0x8a0 [ 175.259993][ T4069] gfs2_withdraw+0xf33/0x1540 [ 175.264730][ T4069] ? gfs2_lm+0x220/0x220 [pid 4070] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4068] exit_group(0 [pid 4070] <... futex resumed>) = ? [pid 4068] <... exit_group resumed>) = ? [pid 4070] +++ exited with 0 +++ [ 175.268962][ T4069] ? gfs2_dirent_scan+0xb6/0x650 [ 175.273892][ T4069] ? panic+0x710/0x710 [ 175.277960][ T4069] ? gfs2_permission+0x2ff/0x430 [ 175.282909][ T4069] ? gfs2_consist_inode_i+0xf3/0x110 [ 175.288202][ T4069] gfs2_dirent_scan+0x535/0x650 [ 175.293079][ T4069] ? gfs2_dirent_search+0xb10/0xb10 [ 175.298298][ T4069] gfs2_dirent_search+0x2ea/0xb10 [ 175.303335][ T4069] ? gfs2_dirent_search+0xb10/0xb10 [ 175.308565][ T4069] ? gfs2_dir_search+0x2a0/0x2a0 [ 175.313526][ T4069] ? gfs2_permission+0x3bf/0x430 [ 175.318467][ T4069] gfs2_dir_search+0x8c/0x2a0 [ 175.323142][ T4069] ? do_filldir_main+0x530/0x530 [ 175.328081][ T4069] ? inode_go_held+0xe4/0x1f0 [ 175.332759][ T4069] ? gfs2_glock_wait+0x213/0x2a0 [ 175.337706][ T4069] gfs2_lookupi+0x465/0x650 [ 175.342225][ T4069] ? gfs2_lookup_simple+0x170/0x170 [ 175.347489][ T4069] ? __gfs2_lookup+0x8c/0x260 [ 175.352178][ T4069] __gfs2_lookup+0x8c/0x260 [ 175.356676][ T4069] ? gfs2_atomic_open+0x230/0x230 [ 175.361703][ T4069] ? __d_lookup+0x6a4/0x770 [ 175.366197][ T4069] ? d_hash_and_lookup+0x1c0/0x1c0 [ 175.371329][ T4069] gfs2_atomic_open+0xa4/0x230 [ 175.376103][ T4069] path_openat+0xf39/0x2df0 [ 175.380618][ T4069] ? gfs2_rename2+0x3000/0x3000 [ 175.385492][ T4069] ? do_filp_open+0x4f0/0x4f0 [ 175.390186][ T4069] do_filp_open+0x264/0x4f0 [ 175.394693][ T4069] ? vfs_tmpfile+0x490/0x490 [ 175.399278][ T4069] ? do_raw_spin_unlock+0x134/0x8a0 [ 175.404469][ T4069] ? _raw_spin_unlock+0x24/0x40 [ 175.409318][ T4069] ? alloc_fd+0x5a7/0x640 [ 175.413674][ T4069] do_sys_openat2+0x124/0x4e0 [ 175.418357][ T4069] ? print_irqtrace_events+0x220/0x220 [ 175.423806][ T4069] ? ptrace_stop+0x74d/0x970 [ 175.428397][ T4069] ? do_sys_open+0x220/0x220 [ 175.432992][ T4069] ? lockdep_hardirqs_on+0x8d/0x130 [ 175.438206][ T4069] ? _raw_spin_unlock_irq+0x2a/0x40 [ 175.443487][ T4069] ? ptrace_notify+0x245/0x340 [ 175.448266][ T4069] __x64_sys_openat+0x243/0x290 [ 175.453137][ T4069] ? __ia32_sys_open+0x270/0x270 [ 175.458068][ T4069] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 175.464045][ T4069] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 175.470019][ T4069] do_syscall_64+0x3d/0xb0 [ 175.474456][ T4069] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 175.480356][ T4069] RIP: 0033:0x7fc8868064d9 [ 175.484762][ T4069] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 175.504358][ T4069] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 175.512776][ T4069] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 4069] <... openat resumed>) = ? [pid 4069] +++ exited with 0 +++ [pid 4068] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4068, si_uid=0, si_status=0, si_utime=2, si_stime=28} --- umount2("./143", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./143", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./143/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./143/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./143/binderfs") = 0 [ 175.520751][ T4069] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 175.528712][ T4069] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 175.536672][ T4069] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 175.544642][ T4069] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 175.552642][ T4069] umount2("./143/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./143/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./143/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./143/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./143/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./143/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./143") = 0 mkdir("./144", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4071 ./strace-static-x86_64: Process 4071 attached [pid 4071] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4071] chdir("./144") = 0 [pid 4071] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4071] setpgid(0, 0) = 0 [pid 4071] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4071] write(3, "1000", 4) = 4 [pid 4071] close(3) = 0 [pid 4071] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4071] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4071] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4071] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4071] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 4072 attached [pid 4072] set_robust_list(0x7fc8867b29e0, 24 [pid 4071] <... clone resumed>, parent_tid=[4072], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4072 [pid 4071] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4072] <... set_robust_list resumed>) = 0 [pid 4071] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4072] memfd_create("syzkaller", 0) = 3 [pid 4072] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4072] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4072] munmap(0x7fc87e392000, 16777216) = 0 [pid 4072] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4072] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4072] close(3) = 0 [pid 4072] mkdir("./file0", 0777) = 0 [ 175.868430][ T4072] loop0: detected capacity change from 0 to 32768 [ 175.879283][ T4072] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 175.887546][ T4072] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 175.897725][ T4072] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 175.906280][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 175.913351][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4072] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4072] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4072] chdir("./file0") = 0 [pid 4072] ioctl(4, LOOP_CLR_FD) = 0 [pid 4072] close(4) = 0 [pid 4072] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4071] <... futex resumed>) = 0 [pid 4071] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4071] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4072] <... futex resumed>) = 1 [pid 4072] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4072] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4071] <... futex resumed>) = 0 [pid 4071] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4071] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4072] <... futex resumed>) = 1 [ 175.947336][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 33ms [ 175.956180][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 175.961584][ T4072] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 175.977444][ T4072] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 175.986211][ T4072] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 175.986211][ T4072] inode = 12 2341 [pid 4072] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4071] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4071] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4071] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4071] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4071] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4073], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4073 [pid 4071] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4073 attached [pid 4073] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4073] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4073] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 175.986211][ T4072] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 176.005161][ T4072] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 176.014793][ T4072] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4072 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 176.025759][ T4072] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 176.035624][ T4072] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 176.042973][ T4072] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 176.051829][ T4072] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 176.059708][ T4072] gfs2: fsid=syz:syz.0: File system withdrawn [ 176.067662][ T4072] CPU: 0 PID: 4072 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 176.078090][ T4072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 176.088159][ T4072] Call Trace: [ 176.091435][ T4072] [ 176.094363][ T4072] dump_stack_lvl+0x1b1/0x28e [ 176.099043][ T4072] ? nf_tcp_handle_invalid+0x62e/0x62e [ 176.104515][ T4072] ? panic+0x710/0x710 [ 176.108599][ T4072] ? kobject_uevent_env+0x46b/0x8e0 [ 176.113807][ T4072] ? do_raw_spin_unlock+0x134/0x8a0 [ 176.119012][ T4072] gfs2_withdraw+0xf33/0x1540 [ 176.123707][ T4072] ? gfs2_lm+0x220/0x220 [ 176.127945][ T4072] ? gfs2_dirent_scan+0xb6/0x650 [ 176.132900][ T4072] ? panic+0x710/0x710 [ 176.136978][ T4072] ? gfs2_permission+0x2ff/0x430 [ 176.141927][ T4072] ? gfs2_consist_inode_i+0xf3/0x110 [pid 4073] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4071] exit_group(0 [pid 4073] <... futex resumed>) = ? [pid 4071] <... exit_group resumed>) = ? [pid 4073] +++ exited with 0 +++ [ 176.147205][ T4072] gfs2_dirent_scan+0x535/0x650 [ 176.152053][ T4072] ? gfs2_dirent_search+0xb10/0xb10 [ 176.157264][ T4072] gfs2_dirent_search+0x2ea/0xb10 [ 176.162292][ T4072] ? gfs2_dirent_search+0xb10/0xb10 [ 176.167519][ T4072] ? gfs2_dir_search+0x2a0/0x2a0 [ 176.172474][ T4072] ? gfs2_permission+0x3bf/0x430 [ 176.177410][ T4072] gfs2_dir_search+0x8c/0x2a0 [ 176.182081][ T4072] ? do_filldir_main+0x530/0x530 [ 176.187009][ T4072] ? inode_go_held+0xe4/0x1f0 [ 176.191684][ T4072] ? gfs2_glock_wait+0x213/0x2a0 [ 176.196614][ T4072] gfs2_lookupi+0x465/0x650 [ 176.201133][ T4072] ? gfs2_lookup_simple+0x170/0x170 [ 176.206339][ T4072] ? __gfs2_lookup+0x8c/0x260 [ 176.211016][ T4072] __gfs2_lookup+0x8c/0x260 [ 176.215513][ T4072] ? gfs2_atomic_open+0x230/0x230 [ 176.220543][ T4072] ? __d_lookup+0x6a4/0x770 [ 176.225033][ T4072] ? d_hash_and_lookup+0x1c0/0x1c0 [ 176.230138][ T4072] gfs2_atomic_open+0xa4/0x230 [ 176.234902][ T4072] path_openat+0xf39/0x2df0 [ 176.239413][ T4072] ? gfs2_rename2+0x3000/0x3000 [ 176.244278][ T4072] ? do_filp_open+0x4f0/0x4f0 [ 176.248981][ T4072] do_filp_open+0x264/0x4f0 [ 176.253484][ T4072] ? vfs_tmpfile+0x490/0x490 [ 176.258068][ T4072] ? do_raw_spin_unlock+0x134/0x8a0 [ 176.263264][ T4072] ? _raw_spin_unlock+0x24/0x40 [ 176.268106][ T4072] ? alloc_fd+0x5a7/0x640 [ 176.272454][ T4072] do_sys_openat2+0x124/0x4e0 [ 176.277139][ T4072] ? print_irqtrace_events+0x220/0x220 [ 176.282586][ T4072] ? ptrace_stop+0x74d/0x970 [ 176.287168][ T4072] ? do_sys_open+0x220/0x220 [ 176.291761][ T4072] ? lockdep_hardirqs_on+0x8d/0x130 [ 176.296966][ T4072] ? _raw_spin_unlock_irq+0x2a/0x40 [ 176.302157][ T4072] ? ptrace_notify+0x245/0x340 [ 176.306919][ T4072] __x64_sys_openat+0x243/0x290 [ 176.311783][ T4072] ? __ia32_sys_open+0x270/0x270 [ 176.316712][ T4072] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 176.322686][ T4072] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 176.328660][ T4072] do_syscall_64+0x3d/0xb0 [ 176.333107][ T4072] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 176.339009][ T4072] RIP: 0033:0x7fc8868064d9 [ 176.343411][ T4072] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 176.363020][ T4072] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 176.371456][ T4072] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 176.379430][ T4072] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 176.387394][ T4072] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4072] <... openat resumed>) = ? [pid 4072] +++ exited with 0 +++ [pid 4071] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4071, si_uid=0, si_status=0, si_utime=3, si_stime=30} --- umount2("./144", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./144", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./144/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./144/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./144/binderfs") = 0 [ 176.395355][ T4072] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 176.403316][ T4072] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 176.411309][ T4072] umount2("./144/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./144/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./144/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./144/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./144/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./144/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./144") = 0 mkdir("./145", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4074 ./strace-static-x86_64: Process 4074 attached [pid 4074] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4074] chdir("./145") = 0 [pid 4074] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4074] setpgid(0, 0) = 0 [pid 4074] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4074] write(3, "1000", 4) = 4 [pid 4074] close(3) = 0 [pid 4074] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4074] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4074] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4074] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4074] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4075], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4075 [pid 4074] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4074] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4075 attached [pid 4075] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4075] memfd_create("syzkaller", 0) = 3 [pid 4075] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4075] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4075] munmap(0x7fc87e392000, 16777216) = 0 [pid 4075] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4075] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4075] close(3) = 0 [pid 4075] mkdir("./file0", 0777) = 0 [ 176.696653][ T4075] loop0: detected capacity change from 0 to 32768 [ 176.707424][ T4075] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 176.715663][ T4075] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 176.725334][ T4075] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 176.734153][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 176.741557][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4075] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4075] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4075] chdir("./file0") = 0 [pid 4075] ioctl(4, LOOP_CLR_FD) = 0 [pid 4075] close(4) = 0 [pid 4075] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4074] <... futex resumed>) = 0 [pid 4074] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4074] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4075] <... futex resumed>) = 1 [pid 4075] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4075] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4074] <... futex resumed>) = 0 [pid 4074] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4074] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4075] <... futex resumed>) = 1 [ 176.778493][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 176.786149][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 176.791575][ T4075] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 176.808312][ T4075] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 176.816852][ T4075] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 176.816852][ T4075] inode = 12 2341 [pid 4075] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4074] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4074] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4074] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4074] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4074] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4076], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4076 [pid 4074] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 176.816852][ T4075] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 176.835631][ T4075] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 176.845087][ T4075] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4075 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 176.855439][ T4075] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 176.864401][ T4075] gfs2: fsid=syz:syz.0: about to withdraw this file system ./strace-static-x86_64: Process 4076 attached [pid 4076] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4076] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4076] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 176.872166][ T4075] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 176.881803][ T4075] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 176.888694][ T4075] gfs2: fsid=syz:syz.0: File system withdrawn [ 176.895143][ T4075] CPU: 0 PID: 4075 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 176.905563][ T4075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 176.915605][ T4075] Call Trace: [ 176.918874][ T4075] [ 176.921794][ T4075] dump_stack_lvl+0x1b1/0x28e [ 176.926462][ T4075] ? nf_tcp_handle_invalid+0x62e/0x62e [ 176.931905][ T4075] ? panic+0x710/0x710 [ 176.935960][ T4075] ? kobject_uevent_env+0x46b/0x8e0 [ 176.946003][ T4075] ? do_raw_spin_unlock+0x134/0x8a0 [ 176.951194][ T4075] gfs2_withdraw+0xf33/0x1540 [ 176.955866][ T4075] ? gfs2_lm+0x220/0x220 [ 176.960092][ T4075] ? gfs2_dirent_scan+0xb6/0x650 [ 176.965014][ T4075] ? panic+0x710/0x710 [ 176.969067][ T4075] ? gfs2_permission+0x2ff/0x430 [ 176.973992][ T4075] ? gfs2_consist_inode_i+0xf3/0x110 [ 176.979284][ T4075] gfs2_dirent_scan+0x535/0x650 [ 176.984122][ T4075] ? gfs2_dirent_search+0xb10/0xb10 [ 176.989312][ T4075] gfs2_dirent_search+0x2ea/0xb10 [ 176.994375][ T4075] ? gfs2_dirent_search+0xb10/0xb10 [ 176.999566][ T4075] ? gfs2_dir_search+0x2a0/0x2a0 [ 177.004490][ T4075] ? gfs2_permission+0x3bf/0x430 [ 177.009415][ T4075] gfs2_dir_search+0x8c/0x2a0 [ 177.014079][ T4075] ? do_filldir_main+0x530/0x530 [ 177.018999][ T4075] ? inode_go_held+0xe4/0x1f0 [ 177.023662][ T4075] ? gfs2_glock_wait+0x213/0x2a0 [ 177.028589][ T4075] gfs2_lookupi+0x465/0x650 [ 177.033080][ T4075] ? gfs2_lookup_simple+0x170/0x170 [ 177.038263][ T4075] ? __gfs2_lookup+0x8c/0x260 [ 177.042929][ T4075] __gfs2_lookup+0x8c/0x260 [ 177.047419][ T4075] ? gfs2_atomic_open+0x230/0x230 [ 177.052429][ T4075] ? __d_lookup+0x6a4/0x770 [ 177.056916][ T4075] ? d_hash_and_lookup+0x1c0/0x1c0 [ 177.062012][ T4075] gfs2_atomic_open+0xa4/0x230 [ 177.066766][ T4075] path_openat+0xf39/0x2df0 [ 177.071258][ T4075] ? gfs2_rename2+0x3000/0x3000 [ 177.076101][ T4075] ? do_filp_open+0x4f0/0x4f0 [ 177.080774][ T4075] do_filp_open+0x264/0x4f0 [ 177.085261][ T4075] ? vfs_tmpfile+0x490/0x490 [ 177.089841][ T4075] ? do_raw_spin_unlock+0x134/0x8a0 [ 177.095027][ T4075] ? _raw_spin_unlock+0x24/0x40 [ 177.099863][ T4075] ? alloc_fd+0x5a7/0x640 [ 177.104184][ T4075] do_sys_openat2+0x124/0x4e0 [ 177.108847][ T4075] ? print_irqtrace_events+0x220/0x220 [ 177.114290][ T4075] ? ptrace_stop+0x74d/0x970 [ 177.118867][ T4075] ? do_sys_open+0x220/0x220 [ 177.123444][ T4075] ? lockdep_hardirqs_on+0x8d/0x130 [ 177.128628][ T4075] ? _raw_spin_unlock_irq+0x2a/0x40 [ 177.133814][ T4075] ? ptrace_notify+0x245/0x340 [ 177.138567][ T4075] __x64_sys_openat+0x243/0x290 [ 177.143406][ T4075] ? __ia32_sys_open+0x270/0x270 [ 177.148329][ T4075] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 177.154294][ T4075] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 177.160259][ T4075] do_syscall_64+0x3d/0xb0 [ 177.164676][ T4075] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 177.170555][ T4075] RIP: 0033:0x7fc8868064d9 [ 177.174953][ T4075] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 177.194541][ T4075] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 177.202939][ T4075] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 177.210893][ T4075] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 177.218852][ T4075] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [pid 4076] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4075] <... openat resumed>) = -1 EIO (Input/output error) [pid 4075] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4074] exit_group(0 [pid 4076] <... futex resumed>) = ? [pid 4074] <... exit_group resumed>) = ? [pid 4076] +++ exited with 0 +++ [pid 4075] <... futex resumed>) = ? [pid 4075] +++ exited with 0 +++ [pid 4074] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4074, si_uid=0, si_status=0, si_utime=1, si_stime=29} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./145", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./145", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./145/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./145/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./145/binderfs") = 0 [ 177.226806][ T4075] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 177.234759][ T4075] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 177.242726][ T4075] umount2("./145/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./145/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./145/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./145/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./145/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./145/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./145") = 0 mkdir("./146", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4077 ./strace-static-x86_64: Process 4077 attached [pid 4077] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4077] chdir("./146") = 0 [pid 4077] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4077] setpgid(0, 0) = 0 [pid 4077] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4077] write(3, "1000", 4) = 4 [pid 4077] close(3) = 0 [pid 4077] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4077] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4077] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4077] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4077] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4078], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4078 [pid 4077] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4077] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4078 attached [pid 4078] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4078] memfd_create("syzkaller", 0) = 3 [pid 4078] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4078] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4078] munmap(0x7fc87e392000, 16777216) = 0 [pid 4078] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4078] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4078] close(3) = 0 [pid 4078] mkdir("./file0", 0777) = 0 [ 177.525350][ T4078] loop0: detected capacity change from 0 to 32768 [ 177.536926][ T4078] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 177.545825][ T4078] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 177.555081][ T4078] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 177.563733][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 177.570983][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4078] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4078] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4078] chdir("./file0") = 0 [pid 4078] ioctl(4, LOOP_CLR_FD) = 0 [pid 4078] close(4) = 0 [pid 4078] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4078] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4077] <... futex resumed>) = 0 [pid 4077] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4078] <... futex resumed>) = 0 [pid 4077] <... futex resumed>) = 1 [pid 4078] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 4077] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4078] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4078] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4077] <... futex resumed>) = 0 [pid 4078] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4077] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4078] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 4077] <... futex resumed>) = 0 [pid 4077] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 177.606883][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 177.615747][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 177.621315][ T4078] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 177.647735][ T4078] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 177.656453][ T4078] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 177.656453][ T4078] inode = 12 2341 [ 177.656453][ T4078] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 177.675573][ T4078] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 177.684976][ T4078] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4078 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 4078] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4077] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4077] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4077] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4077] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4077] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4079], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4079 [pid 4077] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4079 attached [pid 4079] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4079] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4079] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 177.695087][ T4078] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 177.703626][ T4078] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 177.710960][ T4078] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 177.720312][ T4078] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 177.727032][ T4078] gfs2: fsid=syz:syz.0: File system withdrawn [ 177.733480][ T4078] CPU: 0 PID: 4078 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 177.743905][ T4078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 177.753953][ T4078] Call Trace: [ 177.757224][ T4078] [ 177.760162][ T4078] dump_stack_lvl+0x1b1/0x28e [ 177.764846][ T4078] ? nf_tcp_handle_invalid+0x62e/0x62e [ 177.770294][ T4078] ? panic+0x710/0x710 [ 177.774349][ T4078] ? kobject_uevent_env+0x46b/0x8e0 [ 177.779533][ T4078] ? do_raw_spin_unlock+0x134/0x8a0 [ 177.784722][ T4078] gfs2_withdraw+0xf33/0x1540 [ 177.789393][ T4078] ? gfs2_lm+0x220/0x220 [ 177.793622][ T4078] ? gfs2_dirent_scan+0xb6/0x650 [ 177.798634][ T4078] ? panic+0x710/0x710 [ 177.802688][ T4078] ? gfs2_permission+0x2ff/0x430 [ 177.807611][ T4078] ? gfs2_consist_inode_i+0xf3/0x110 [ 177.812880][ T4078] gfs2_dirent_scan+0x535/0x650 [ 177.817733][ T4078] ? gfs2_dirent_search+0xb10/0xb10 [ 177.822921][ T4078] gfs2_dirent_search+0x2ea/0xb10 [ 177.827932][ T4078] ? gfs2_dirent_search+0xb10/0xb10 [ 177.833117][ T4078] ? gfs2_dir_search+0x2a0/0x2a0 [ 177.838039][ T4078] ? gfs2_permission+0x3bf/0x430 [ 177.842974][ T4078] gfs2_dir_search+0x8c/0x2a0 [ 177.847658][ T4078] ? do_filldir_main+0x530/0x530 [ 177.852592][ T4078] ? inode_go_held+0xe4/0x1f0 [ 177.857272][ T4078] ? gfs2_glock_wait+0x213/0x2a0 [ 177.862205][ T4078] gfs2_lookupi+0x465/0x650 [ 177.866706][ T4078] ? gfs2_lookup_simple+0x170/0x170 [ 177.871898][ T4078] ? __gfs2_lookup+0x8c/0x260 [ 177.876598][ T4078] __gfs2_lookup+0x8c/0x260 [ 177.881106][ T4078] ? gfs2_atomic_open+0x230/0x230 [ 177.886126][ T4078] ? __d_lookup+0x6a4/0x770 [ 177.890619][ T4078] ? d_hash_and_lookup+0x1c0/0x1c0 [ 177.895721][ T4078] gfs2_atomic_open+0xa4/0x230 [ 177.900478][ T4078] path_openat+0xf39/0x2df0 [ 177.904984][ T4078] ? gfs2_rename2+0x3000/0x3000 [ 177.909847][ T4078] ? do_filp_open+0x4f0/0x4f0 [ 177.914530][ T4078] do_filp_open+0x264/0x4f0 [ 177.919025][ T4078] ? vfs_tmpfile+0x490/0x490 [ 177.923615][ T4078] ? do_raw_spin_unlock+0x134/0x8a0 [ 177.928836][ T4078] ? _raw_spin_unlock+0x24/0x40 [ 177.933680][ T4078] ? alloc_fd+0x5a7/0x640 [ 177.938008][ T4078] do_sys_openat2+0x124/0x4e0 [ 177.942714][ T4078] ? print_irqtrace_events+0x220/0x220 [ 177.948175][ T4078] ? ptrace_stop+0x74d/0x970 [ 177.952759][ T4078] ? do_sys_open+0x220/0x220 [ 177.957344][ T4078] ? lockdep_hardirqs_on+0x8d/0x130 [ 177.962535][ T4078] ? _raw_spin_unlock_irq+0x2a/0x40 [ 177.967727][ T4078] ? ptrace_notify+0x245/0x340 [ 177.972483][ T4078] __x64_sys_openat+0x243/0x290 [ 177.977333][ T4078] ? __ia32_sys_open+0x270/0x270 [ 177.982266][ T4078] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 177.988239][ T4078] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 177.994235][ T4078] do_syscall_64+0x3d/0xb0 [ 177.998646][ T4078] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 178.004530][ T4078] RIP: 0033:0x7fc8868064d9 [ 178.008935][ T4078] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 178.028532][ T4078] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 178.036936][ T4078] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 4079] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4078] <... openat resumed>) = -1 EIO (Input/output error) [pid 4078] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4077] exit_group(0 [pid 4079] <... futex resumed>) = ? [pid 4077] <... exit_group resumed>) = ? [pid 4079] +++ exited with 0 +++ [pid 4078] <... futex resumed>) = ? [pid 4078] +++ exited with 0 +++ [pid 4077] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4077, si_uid=0, si_status=0, si_utime=0, si_stime=31} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./146", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./146", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./146/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./146/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./146/binderfs") = 0 [ 178.044902][ T4078] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 178.052866][ T4078] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 178.060826][ T4078] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 178.068793][ T4078] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 178.076777][ T4078] umount2("./146/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./146/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./146/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./146/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./146/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./146/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./146") = 0 mkdir("./147", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4080 ./strace-static-x86_64: Process 4080 attached [pid 4080] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4080] chdir("./147") = 0 [pid 4080] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4080] setpgid(0, 0) = 0 [pid 4080] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4080] write(3, "1000", 4) = 4 [pid 4080] close(3) = 0 [pid 4080] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4080] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4080] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4080] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4080] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 4081 attached , parent_tid=[4081], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4081 [pid 4081] set_robust_list(0x7fc8867b29e0, 24) = 0 [pid 4081] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4080] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4081] <... futex resumed>) = 0 [pid 4080] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4081] memfd_create("syzkaller", 0) = 3 [pid 4081] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4081] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4081] munmap(0x7fc87e392000, 16777216) = 0 [pid 4081] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4081] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4081] close(3) = 0 [pid 4081] mkdir("./file0", 0777) = 0 [ 178.370973][ T4081] loop0: detected capacity change from 0 to 32768 [ 178.382441][ T4081] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 178.390929][ T4081] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 178.401084][ T4081] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 178.409870][ T14] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 178.417338][ T14] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4081] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4081] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4081] chdir("./file0") = 0 [pid 4081] ioctl(4, LOOP_CLR_FD) = 0 [pid 4081] close(4) = 0 [pid 4081] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4080] <... futex resumed>) = 0 [pid 4081] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 4080] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4081] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4080] <... futex resumed>) = 0 [pid 4081] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4080] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4081] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4080] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 4080] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4081] <... futex resumed>) = 0 [ 178.454878][ T14] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 178.462522][ T14] gfs2: fsid=syz:syz.0: jid=0: Done [ 178.467858][ T4081] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 4080] <... futex resumed>) = 1 [pid 4081] openat(AT_FDCWD, "./file0", O_RDONLY [ 178.507213][ T4081] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 178.516239][ T4081] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 178.516239][ T4081] inode = 12 2341 [ 178.516239][ T4081] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 178.535026][ T4081] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 178.544851][ T4081] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4081 [syz-executor337] __gfs2_lookup+0x8c/0x260 [pid 4080] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 4080] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4080] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4080] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4080] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4082], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4082 [pid 4080] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4082 attached [pid 4082] set_robust_list(0x7fc87f3919e0, 24) = 0 [pid 4082] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH) = -1 EIO (Input/output error) [pid 4082] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 178.555300][ T4081] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 178.564297][ T4081] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 178.571591][ T4081] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 178.580431][ T4081] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 178.586999][ T4081] gfs2: fsid=syz:syz.0: File system withdrawn [ 178.593263][ T4081] CPU: 0 PID: 4081 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 178.603697][ T4081] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 178.613755][ T4081] Call Trace: [ 178.617023][ T4081] [ 178.619946][ T4081] dump_stack_lvl+0x1b1/0x28e [ 178.624630][ T4081] ? nf_tcp_handle_invalid+0x62e/0x62e [ 178.630094][ T4081] ? panic+0x710/0x710 [ 178.634172][ T4081] ? kobject_uevent_env+0x46b/0x8e0 [ 178.639360][ T4081] ? do_raw_spin_unlock+0x134/0x8a0 [ 178.644552][ T4081] gfs2_withdraw+0xf33/0x1540 [ 178.649230][ T4081] ? gfs2_lm+0x220/0x220 [pid 4082] futex(0x7fc88689d7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4080] exit_group(0 [pid 4082] <... futex resumed>) = ? [pid 4080] <... exit_group resumed>) = ? [pid 4082] +++ exited with 0 +++ [ 178.653467][ T4081] ? gfs2_dirent_scan+0xb6/0x650 [ 178.658409][ T4081] ? panic+0x710/0x710 [ 178.662489][ T4081] ? gfs2_permission+0x2ff/0x430 [ 178.667435][ T4081] ? gfs2_consist_inode_i+0xf3/0x110 [ 178.672710][ T4081] gfs2_dirent_scan+0x535/0x650 [ 178.677553][ T4081] ? gfs2_dirent_search+0xb10/0xb10 [ 178.682743][ T4081] gfs2_dirent_search+0x2ea/0xb10 [ 178.687769][ T4081] ? gfs2_dirent_search+0xb10/0xb10 [ 178.692990][ T4081] ? gfs2_dir_search+0x2a0/0x2a0 [ 178.697940][ T4081] ? gfs2_permission+0x3bf/0x430 [ 178.702883][ T4081] gfs2_dir_search+0x8c/0x2a0 [ 178.707567][ T4081] ? do_filldir_main+0x530/0x530 [ 178.712500][ T4081] ? inode_go_held+0xe4/0x1f0 [ 178.717177][ T4081] ? gfs2_glock_wait+0x213/0x2a0 [ 178.722125][ T4081] gfs2_lookupi+0x465/0x650 [ 178.726627][ T4081] ? gfs2_lookup_simple+0x170/0x170 [ 178.731821][ T4081] ? __gfs2_lookup+0x8c/0x260 [ 178.736497][ T4081] __gfs2_lookup+0x8c/0x260 [ 178.740996][ T4081] ? gfs2_atomic_open+0x230/0x230 [ 178.746046][ T4081] ? __d_lookup+0x6a4/0x770 [ 178.750541][ T4081] ? d_hash_and_lookup+0x1c0/0x1c0 [ 178.755647][ T4081] gfs2_atomic_open+0xa4/0x230 [ 178.760408][ T4081] path_openat+0xf39/0x2df0 [ 178.764932][ T4081] ? gfs2_rename2+0x3000/0x3000 [ 178.769789][ T4081] ? do_filp_open+0x4f0/0x4f0 [ 178.774487][ T4081] do_filp_open+0x264/0x4f0 [ 178.779009][ T4081] ? vfs_tmpfile+0x490/0x490 [ 178.783609][ T4081] ? do_raw_spin_unlock+0x134/0x8a0 [ 178.788811][ T4081] ? _raw_spin_unlock+0x24/0x40 [ 178.793670][ T4081] ? alloc_fd+0x5a7/0x640 [ 178.798011][ T4081] do_sys_openat2+0x124/0x4e0 [ 178.802692][ T4081] ? print_irqtrace_events+0x220/0x220 [ 178.808149][ T4081] ? ptrace_stop+0x74d/0x970 [ 178.812737][ T4081] ? do_sys_open+0x220/0x220 [ 178.817324][ T4081] ? lockdep_hardirqs_on+0x8d/0x130 [ 178.822519][ T4081] ? _raw_spin_unlock_irq+0x2a/0x40 [ 178.827718][ T4081] ? ptrace_notify+0x245/0x340 [ 178.832474][ T4081] __x64_sys_openat+0x243/0x290 [ 178.837324][ T4081] ? __ia32_sys_open+0x270/0x270 [ 178.842258][ T4081] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 178.848248][ T4081] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 178.854225][ T4081] do_syscall_64+0x3d/0xb0 [ 178.858637][ T4081] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 178.864525][ T4081] RIP: 0033:0x7fc8868064d9 [ 178.868935][ T4081] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 178.889837][ T4081] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 178.898245][ T4081] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [pid 4081] <... openat resumed>) = ? [pid 4081] +++ exited with 0 +++ [pid 4080] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4080, si_uid=0, si_status=0, si_utime=3, si_stime=24} --- umount2("./147", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./147", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x555556360620 /* 4 entries */, 32768) = 112 umount2("./147/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./147/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./147/binderfs") = 0 [ 178.906224][ T4081] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 178.914207][ T4081] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 178.922178][ T4081] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 178.930144][ T4081] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 178.938119][ T4081] umount2("./147/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./147/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./147/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./147/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./147/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555556368660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556368660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./147/file0") = 0 getdents64(3, 0x555556360620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./147") = 0 mkdir("./148", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555635f5d0) = 4083 ./strace-static-x86_64: Process 4083 attached [pid 4083] set_robust_list(0x55555635f5e0, 24) = 0 [pid 4083] chdir("./148") = 0 [pid 4083] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4083] setpgid(0, 0) = 0 [pid 4083] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4083] write(3, "1000", 4) = 4 [pid 4083] close(3) = 0 [pid 4083] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4083] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4083] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc886792000 [pid 4083] mprotect(0x7fc886793000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4083] clone(child_stack=0x7fc8867b23f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 4084 attached , parent_tid=[4084], tls=0x7fc8867b2700, child_tidptr=0x7fc8867b29d0) = 4084 [pid 4084] set_robust_list(0x7fc8867b29e0, 24 [pid 4083] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 4084] <... set_robust_list resumed>) = 0 [pid 4083] <... futex resumed>) = 0 [pid 4083] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4084] memfd_create("syzkaller", 0) = 3 [pid 4084] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc87e392000 [pid 4084] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4084] munmap(0x7fc87e392000, 16777216) = 0 [pid 4084] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4084] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4084] close(3) = 0 [pid 4084] mkdir("./file0", 0777) = 0 [ 179.229338][ T4084] loop0: detected capacity change from 0 to 32768 [ 179.240647][ T4084] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 179.249110][ T4084] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 179.258456][ T4084] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 179.267268][ T154] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 179.274286][ T154] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4084] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4084] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4084] chdir("./file0") = 0 [pid 4084] ioctl(4, LOOP_CLR_FD) = 0 [pid 4084] close(4) = 0 [pid 4084] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4084] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4083] <... futex resumed>) = 0 [pid 4083] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4083] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4084] <... futex resumed>) = 0 [pid 4084] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 4084] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4083] <... futex resumed>) = 0 [pid 4083] futex(0x7fc88689d7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4083] futex(0x7fc88689d7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4084] <... futex resumed>) = 1 [ 179.312036][ T154] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 179.321029][ T154] gfs2: fsid=syz:syz.0: jid=0: Done [ 179.326285][ T4084] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 179.348978][ T4084] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 4084] openat(AT_FDCWD, "./file0", O_RDONLY [pid 4083] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4083] futex(0x7fc88689d7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4083] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fc87f371000 [pid 4083] mprotect(0x7fc87f372000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4083] clone(child_stack=0x7fc87f3913f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4085], tls=0x7fc87f391700, child_tidptr=0x7fc87f3919d0) = 4085 [pid 4083] futex(0x7fc88689d7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 4085 attached [pid 4085] set_robust_list(0x7fc87f3919e0, 24) = 0 [ 179.358504][ T4084] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 179.358504][ T4084] inode = 12 2341 [ 179.358504][ T4084] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 179.377240][ T4084] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 179.386631][ T4084] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4084 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 179.396968][ T4084] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 179.405254][ T4085] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 179.406470][ T4084] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 179.420976][ T4084] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 179.429769][ T4084] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 179.436470][ T4084] gfs2: fsid=syz:syz.0: File system withdrawn [ 179.442606][ T4085] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 179.451759][ T4084] CPU: 1 PID: 4084 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 179.462175][ T4084] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 179.472222][ T4084] Call Trace: [ 179.475494][ T4084] [ 179.478418][ T4084] dump_stack_lvl+0x1b1/0x28e [ 179.483100][ T4084] ? nf_tcp_handle_invalid+0x62e/0x62e [ 179.488549][ T4084] ? panic+0x710/0x710 [ 179.492607][ T4084] ? kobject_uevent_env+0x46b/0x8e0 [ 179.497796][ T4084] ? do_raw_spin_unlock+0x134/0x8a0 [ 179.502995][ T4084] gfs2_withdraw+0xf33/0x1540 [ 179.507676][ T4084] ? gfs2_lm+0x220/0x220 [ 179.511909][ T4084] ? gfs2_dirent_scan+0xb6/0x650 [ 179.516840][ T4084] ? panic+0x710/0x710 [ 179.520900][ T4084] ? gfs2_permission+0x2ff/0x430 [ 179.525834][ T4084] ? gfs2_consist_inode_i+0xf3/0x110 [ 179.531112][ T4084] gfs2_dirent_scan+0x535/0x650 [ 179.535963][ T4084] ? gfs2_dirent_search+0xb10/0xb10 [ 179.541158][ T4084] gfs2_dirent_search+0x2ea/0xb10 [ 179.546180][ T4084] ? gfs2_dirent_search+0xb10/0xb10 [ 179.551374][ T4084] ? gfs2_dir_search+0x2a0/0x2a0 [ 179.556303][ T4084] ? gfs2_permission+0x3bf/0x430 [ 179.561240][ T4084] gfs2_dir_search+0x8c/0x2a0 [ 179.565914][ T4084] ? do_filldir_main+0x530/0x530 [ 179.570847][ T4084] ? inode_go_held+0xe4/0x1f0 [ 179.575537][ T4084] ? gfs2_glock_wait+0x213/0x2a0 [ 179.580479][ T4084] gfs2_lookupi+0x465/0x650 [ 179.584990][ T4084] ? gfs2_lookup_simple+0x170/0x170 [ 179.590196][ T4084] ? __gfs2_lookup+0x8c/0x260 [ 179.594926][ T4084] __gfs2_lookup+0x8c/0x260 [ 179.599434][ T4084] ? gfs2_atomic_open+0x230/0x230 [ 179.604458][ T4084] ? __d_lookup+0x6a4/0x770 [ 179.608970][ T4084] ? d_hash_and_lookup+0x1c0/0x1c0 [ 179.614084][ T4084] gfs2_atomic_open+0xa4/0x230 [ 179.618858][ T4084] path_openat+0xf39/0x2df0 [ 179.624236][ T4084] ? gfs2_rename2+0x3000/0x3000 [ 179.629107][ T4084] ? do_filp_open+0x4f0/0x4f0 [ 179.633797][ T4084] do_filp_open+0x264/0x4f0 [ 179.638302][ T4084] ? vfs_tmpfile+0x490/0x490 [ 179.642919][ T4084] ? do_raw_spin_unlock+0x134/0x8a0 [ 179.648116][ T4084] ? _raw_spin_unlock+0x24/0x40 [ 179.652965][ T4084] ? alloc_fd+0x5a7/0x640 [ 179.657299][ T4084] do_sys_openat2+0x124/0x4e0 [ 179.661972][ T4084] ? print_irqtrace_events+0x220/0x220 [ 179.667442][ T4084] ? ptrace_stop+0x74d/0x970 [ 179.672058][ T4084] ? do_sys_open+0x220/0x220 [ 179.676667][ T4084] ? lockdep_hardirqs_on+0x8d/0x130 [ 179.681869][ T4084] ? _raw_spin_unlock_irq+0x2a/0x40 [ 179.687071][ T4084] ? ptrace_notify+0x245/0x340 [ 179.691827][ T4084] __x64_sys_openat+0x243/0x290 [ 179.696678][ T4084] ? __ia32_sys_open+0x270/0x270 [ 179.701615][ T4084] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 179.707591][ T4084] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 179.713596][ T4084] do_syscall_64+0x3d/0xb0 [ 179.718098][ T4084] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 179.723988][ T4084] RIP: 0033:0x7fc8868064d9 [ 179.728409][ T4084] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 179.748269][ T4084] RSP: 002b:00007fc8867b2318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 4085] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 4084] <... openat resumed>) = -1 EIO (Input/output error) [pid 4084] futex(0x7fc88689d7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 179.756696][ T4084] RAX: ffffffffffffffda RBX: 00007fc88689d7a8 RCX: 00007fc8868064d9 [ 179.764659][ T4084] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 179.772623][ T4084] RBP: 00007fc88689d7a0 R08: 0000000000000000 R09: 0000000000000000 [ 179.780583][ T4084] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 179.788546][ T4084] R13: 00007ffe2e4164af R14: 00007fc8867b2400 R15: 0000000000022000 [ 179.796545][ T4084] [ 179.800356][ T4085] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4084 [syz-executor337] __gfs2_lookup+0x8c/0x260 [ 179.810595][ T4085] general protection fault, probably for non-canonical address 0xedd3ea0f5f858324: 0000 [#1] PREEMPT SMP KASAN [ 179.822323][ T4085] KASAN: maybe wild-memory-access in range [0x6e9f707afc2c1920-0x6e9f707afc2c1927] [ 179.831585][ T4085] CPU: 0 PID: 4085 Comm: syz-executor337 Not tainted 6.1.0-rc8-syzkaller-00154-g296a7b7eb792 #0 [ 179.841978][ T4085] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 179.852017][ T4085] RIP: 0010:gfs2_dump_glock+0xd7b/0x1b60 [ 179.857644][ T4085] Code: 05 3c be ac 0a 01 48 c7 c7 00 32 3c 8b be e4 02 00 00 48 c7 c2 40 32 3c 8b e8 a1 85 b5 fd 90 4d 8d 65 20 4d 89 e6 49 c1 ee 03 <43> 0f b6 04 3e 84 c0 0f 85 c6 07 00 00 41 0f b7 1c 24 89 de 81 e6 [ 179.877258][ T4085] RSP: 0018:ffffc900043beda0 EFLAGS: 00010206 [ 179.883315][ T4085] RAX: ffffffff83b5273f RBX: ffffc900043af750 RCX: ffff88802727ba80 [ 179.891286][ T4085] RDX: 0000000000000000 RSI: ffffffff8b4b3f80 RDI: ffffffff8b4b3f40 [ 179.899256][ T4085] RBP: ffffc900043bf088 R08: dffffc0000000000 R09: fffffbfff20b2e29 [ 179.907219][ T4085] R10: fffffbfff20b2e29 R11: 1ffffffff20b2e28 R12: 6e9f707afc2c1920 [ 179.915191][ T4085] R13: 6e9f707afc2c1900 R14: 0dd3ee0f5f858324 R15: dffffc0000000000 [ 179.923146][ T4085] FS: 00007fc87f391700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 [ 179.932058][ T4085] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 179.938623][ T4085] CR2: 00007fc886847bb0 CR3: 00000000277a7000 CR4: 00000000003506f0 [ 179.946585][ T4085] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 179.954547][ T4085] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 179.962517][ T4085] Call Trace: [ 179.965783][ T4085] [ 179.968723][ T4085] ? gfs2_glock_free+0xdc0/0xdc0 [ 179.973649][ T4085] ? llist_add_batch+0x154/0x1b0 [ 179.978575][ T4085] ? find_next_clump8+0x1b0/0x1b0 [ 179.983587][ T4085] ? preempt_schedule_common+0xb7/0xe0 [ 179.989030][ T4085] ? preempt_schedule+0xb6/0xc0 [ 179.993871][ T4085] ? gfs2_dirent_scan+0xb6/0x650 [ 179.998967][ T4085] ? panic+0x710/0x710 [ 180.003019][ T4085] ? gfs2_permission+0x2ff/0x430 [ 180.007954][ T4085] gfs2_consist_inode_i+0xf3/0x110 [ 180.013064][ T4085] gfs2_dirent_scan+0x535/0x650 [ 180.017901][ T4085] ? gfs2_dirent_search+0xb10/0xb10 [ 180.023081][ T4085] gfs2_dirent_search+0x2ea/0xb10 [ 180.028090][ T4085] ? gfs2_dirent_search+0xb10/0xb10 [ 180.033271][ T4085] ? gfs2_dir_search+0x2a0/0x2a0 [ 180.038192][ T4085] ? gfs2_permission+0x3bf/0x430 [ 180.043130][ T4085] gfs2_dir_search+0x8c/0x2a0 [ 180.047808][ T4085] ? do_filldir_main+0x530/0x530 [ 180.052727][ T4085] ? inode_go_held+0xe4/0x1f0 [ 180.057477][ T4085] ? gfs2_glock_wait+0x213/0x2a0 [ 180.062398][ T4085] gfs2_lookupi+0x465/0x650 [ 180.066885][ T4085] ? gfs2_lookup_simple+0x170/0x170 [ 180.072064][ T4085] ? __gfs2_lookup+0x8c/0x260 [ 180.076722][ T4085] ? d_alloc_parallel+0x1144/0x1240 [ 180.081906][ T4085] ? memset+0x1f/0x40 [ 180.085883][ T4085] __gfs2_lookup+0x8c/0x260 [ 180.090376][ T4085] ? gfs2_atomic_open+0x230/0x230 [ 180.095414][ T4085] ? d_hash_and_lookup+0x1c0/0x1c0 [ 180.100524][ T4085] ? __init_waitqueue_head+0xa6/0x140 [ 180.105900][ T4085] __lookup_slow+0x266/0x3a0 [ 180.110497][ T4085] ? lookup_one_len+0x690/0x690 [ 180.115337][ T4085] ? try_to_unlazy+0x687/0xb80 [ 180.120089][ T4085] ? crc32_le_base+0x589/0xd00 [ 180.124836][ T4085] ? __down_read_common+0x156/0x2a0 [ 180.130016][ T4085] lookup_slow+0x53/0x70 [ 180.134253][ T4085] link_path_walk+0xa06/0xf00 [ 180.138933][ T4085] ? handle_lookup_down+0x130/0x130 [ 180.144120][ T4085] path_lookupat+0xab/0x450 [ 180.148611][ T4085] do_o_path+0x84/0x240 [ 180.152767][ T4085] ? do_tmpfile+0x330/0x330 [ 180.157262][ T4085] path_openat+0x2812/0x2df0 [ 180.161846][ T4085] ? stack_trace_save+0x104/0x1e0 [ 180.166856][ T4085] ? stack_trace_snprint+0xf0/0xf0 [ 180.172131][ T4085] ? rcu_read_lock_sched_held+0x87/0x110 [ 180.177745][ T4085] ? __stack_depot_save+0x36/0x4a0 [ 180.182845][ T4085] ? mark_lock+0x9a/0x350 [ 180.187164][ T4085] ? do_filp_open+0x4f0/0x4f0 [ 180.191823][ T4085] ? rcu_read_lock_sched_held+0x87/0x110 [ 180.197437][ T4085] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 180.203410][ T4085] do_filp_open+0x264/0x4f0 [ 180.207910][ T4085] ? vfs_tmpfile+0x490/0x490 [ 180.212485][ T4085] ? do_raw_spin_unlock+0x134/0x8a0 [ 180.217670][ T4085] ? _raw_spin_unlock+0x24/0x40 [ 180.222504][ T4085] ? alloc_fd+0x5a7/0x640 [ 180.226822][ T4085] do_sys_openat2+0x124/0x4e0 [ 180.231503][ T4085] ? print_irqtrace_events+0x220/0x220 [ 180.236940][ T4085] ? ptrace_stop+0x74d/0x970 [ 180.241511][ T4085] ? do_sys_open+0x220/0x220 [ 180.246082][ T4085] ? lockdep_hardirqs_on+0x8d/0x130 [ 180.251263][ T4085] ? _raw_spin_unlock_irq+0x2a/0x40 [ 180.256450][ T4085] ? ptrace_notify+0x245/0x340 [ 180.261226][ T4085] __x64_sys_openat+0x243/0x290 [ 180.266066][ T4085] ? __ia32_sys_open+0x270/0x270 [ 180.270991][ T4085] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 180.276961][ T4085] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 180.282930][ T4085] do_syscall_64+0x3d/0xb0 [ 180.287335][ T4085] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 180.293218][ T4085] RIP: 0033:0x7fc8868064d9 [ 180.297627][ T4085] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 180.317217][ T4085] RSP: 002b:00007fc87f391318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 180.325703][ T4085] RAX: ffffffffffffffda RBX: 00007fc88689d7b8 RCX: 00007fc8868064d9 [ 180.333668][ T4085] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 180.342406][ T4085] RBP: 00007fc88689d7b0 R08: 00007fc87f391700 R09: 0000000000000000 [ 180.350371][ T4085] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 180.358339][ T4085] R13: 00007ffe2e4164af R14: 00007fc87f391400 R15: 0000000000022000 [ 180.366301][ T4085] [ 180.369306][ T4085] Modules linked in: [ 180.373526][ T4085] ---[ end trace 0000000000000000 ]--- [ 180.379211][ T4085] RIP: 0010:gfs2_dump_glock+0xd7b/0x1b60 [ 180.384923][ T4085] Code: 05 3c be ac 0a 01 48 c7 c7 00 32 3c 8b be e4 02 00 00 48 c7 c2 40 32 3c 8b e8 a1 85 b5 fd 90 4d 8d 65 20 4d 89 e6 49 c1 ee 03 <43> 0f b6 04 3e 84 c0 0f 85 c6 07 00 00 41 0f b7 1c 24 89 de 81 e6 [ 180.404792][ T4085] RSP: 0018:ffffc900043beda0 EFLAGS: 00010206 [ 180.411021][ T4085] RAX: ffffffff83b5273f RBX: ffffc900043af750 RCX: ffff88802727ba80 [ 180.418984][ T4085] RDX: 0000000000000000 RSI: ffffffff8b4b3f80 RDI: ffffffff8b4b3f40 [ 180.427224][ T4085] RBP: ffffc900043bf088 R08: dffffc0000000000 R09: fffffbfff20b2e29 [ 180.435380][ T4085] R10: fffffbfff20b2e29 R11: 1ffffffff20b2e28 R12: 6e9f707afc2c1920 [ 180.443512][ T4085] R13: 6e9f707afc2c1900 R14: 0dd3ee0f5f858324 R15: dffffc0000000000 [ 180.451719][ T4085] FS: 00007fc87f391700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 [pid 4084] futex(0x7fc88689d7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4083] exit_group(0) = ? [pid 4084] <... futex resumed>) = ? [pid 4084] +++ exited with 0 +++ [ 180.460801][ T4085] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 180.467375][ T4085] CR2: 00007fc886847bb0 CR3: 00000000277a7000 CR4: 00000000003506f0 [ 180.475539][ T4085] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 180.483656][ T4085] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 180.492565][ T4085] Kernel panic - not syncing: Fatal exception [ 180.498804][ T4085] Kernel Offset: disabled [ 180.503122][ T4085] Rebooting in 86400 seconds..