./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1983280921 <...> Warning: Permanently added '10.128.1.63' (ED25519) to the list of known hosts. execve("./syz-executor1983280921", ["./syz-executor1983280921"], 0x7ffe3112c6d0 /* 10 vars */) = 0 brk(NULL) = 0x555567c1f000 brk(0x555567c1fd00) = 0x555567c1fd00 arch_prctl(ARCH_SET_FS, 0x555567c1f380) = 0 set_tid_address(0x555567c1f650) = 290 set_robust_list(0x555567c1f660, 24) = 0 rseq(0x555567c1fca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1983280921", 4096) = 28 getrandom("\xb2\x31\xda\xa4\x4b\x2b\xb4\xee", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x555567c1fd00 brk(0x555567c40d00) = 0x555567c40d00 brk(0x555567c41000) = 0x555567c41000 mprotect(0x7fc9c64aa000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 mkdir("./syzkaller.6JWMYM", 0700) = 0 chmod("./syzkaller.6JWMYM", 0777) = 0 chdir("./syzkaller.6JWMYM") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555567c1f650) = 292 ./strace-static-x86_64: Process 292 attached [pid 292] set_robust_list(0x555567c1f660, 24) = 0 [pid 292] chdir("./0") = 0 [pid 292] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 292] setpgid(0, 0) = 0 [pid 292] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "1000", 4) = 4 [pid 292] close(3) = 0 [ 49.037377][ T28] audit: type=1400 audit(1753028623.974:64): avc: denied { execmem } for pid=290 comm="syz-executor198" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [pid 292] symlink("/dev/binderfs", "./binderfs"executing program ) = 0 [pid 292] write(1, "executing program\n", 18) = 18 [pid 292] memfd_create("syzkaller", 0) = 3 [pid 292] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc9bdff7000 [pid 292] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 292] munmap(0x7fc9bdff7000, 138412032) = 0 [pid 292] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 292] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 292] close(3) = 0 [pid 292] close(4) = 0 [pid 292] mkdir("./file1", 0777) = 0 [ 49.060681][ T28] audit: type=1400 audit(1753028623.974:65): avc: denied { read write } for pid=290 comm="syz-executor198" name="loop0" dev="devtmpfs" ino=118 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 49.075060][ T292] loop0: detected capacity change from 0 to 1024 [ 49.093244][ T28] audit: type=1400 audit(1753028623.974:66): avc: denied { open } for pid=290 comm="syz-executor198" path="/dev/loop0" dev="devtmpfs" ino=118 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 49.103496][ T292] ======================================================= [ 49.103496][ T292] WARNING: The mand mount option has been deprecated and [ 49.103496][ T292] and is ignored by this kernel. Remove the mand [ 49.103496][ T292] option from the mount to silence this warning. [ 49.103496][ T292] ======================================================= [pid 292] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [ 49.168805][ T28] audit: type=1400 audit(1753028623.974:67): avc: denied { ioctl } for pid=290 comm="syz-executor198" path="/dev/loop0" dev="devtmpfs" ino=118 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 49.195772][ T28] audit: type=1400 audit(1753028624.044:68): avc: denied { mounton } for pid=292 comm="syz-executor198" path="/root/syzkaller.6JWMYM/0/file1" dev="sda1" ino=2027 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 49.205987][ T292] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [pid 292] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 292] chdir("./file1") = 0 [pid 292] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 292] ioctl(4, LOOP_CLR_FD) = 0 [pid 292] close(4) = 0 [pid 292] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 49.236526][ T28] audit: type=1400 audit(1753028624.174:69): avc: denied { mount } for pid=292 comm="syz-executor198" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 49.262228][ T28] audit: type=1400 audit(1753028624.174:70): avc: denied { write } for pid=292 comm="syz-executor198" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 49.276444][ T292] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor198: Allocating blocks 497-513 which overlap fs metadata [ 49.287977][ T28] audit: type=1400 audit(1753028624.174:71): avc: denied { add_name } for pid=292 comm="syz-executor198" name="memory.stat" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 49.303933][ T292] EXT4-fs (loop0): pa ffff888118244150: logic 256, phys. 385, len 8 [ 49.329792][ T28] audit: type=1400 audit(1753028624.174:72): avc: denied { create } for pid=292 comm="syz-executor198" name="memory.stat" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 49.340471][ T292] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 [pid 292] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 292] ftruncate(4, 7) = 0 [pid 292] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 292] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 292] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 292] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 292] copy_file_range(-1, NULL, -1, NULL, 2147, 0) = -1 EBADF (Bad file descriptor) [pid 292] exit_group(0) = ? [pid 292] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=292, si_uid=0, si_status=0, si_utime=0, si_stime=15} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555567c206f0 /* 4 entries */, 32768) = 112 umount2("./0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./0/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555567c28730 /* 10 entries */, 32768) = 296 umount2("./0/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 2 entries */, 32768) = 48 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./0/file1/lost+found") = 0 umount2("./0/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 4 entries */, 32768) = 112 umount2("./0/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file0/file0") = 0 umount2("./0/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file0/file1") = 0 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./0/file1/file0") = 0 umount2("./0/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file1") = 0 umount2("./0/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file2") = 0 umount2("./0/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file3") = 0 umount2("./0/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file.cold") = 0 umount2("./0/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 49.379856][ T28] audit: type=1400 audit(1753028624.174:73): avc: denied { read append open } for pid=292 comm="syz-executor198" path="/root/syzkaller.6JWMYM/0/file1/memory.stat" dev="loop0" ino=18 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 49.438884][ T290] ================================================================== [ 49.447974][ T290] BUG: KASAN: use-after-free in ext4_ext_remove_space+0x2f43/0x3fb0 [ 49.459597][ T290] Read of size 4 at addr ffff888125223db8 by task syz-executor198/290 [ 49.470571][ T290] [ 49.473550][ T290] CPU: 0 PID: 290 Comm: syz-executor198 Not tainted 6.1.141-syzkaller-00039-g145c7fad733f #0 [ 49.485422][ T290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 49.498042][ T290] Call Trace: [ 49.501852][ T290] [ 49.505269][ T290] __dump_stack+0x21/0x24 [ 49.511135][ T290] dump_stack_lvl+0xee/0x150 [ 49.516144][ T290] ? __cfi_dump_stack_lvl+0x8/0x8 [ 49.521917][ T290] ? ext4_inode_block_valid+0x2d7/0x3f0 [ 49.529003][ T290] ? ext4_ext_remove_space+0x2f43/0x3fb0 [ 49.535580][ T290] print_address_description+0x71/0x210 [ 49.541240][ T290] print_report+0x4a/0x60 [ 49.547019][ T290] kasan_report+0x122/0x150 [ 49.553708][ T290] ? ext4_ext_remove_space+0x2f43/0x3fb0 [ 49.560987][ T290] __asan_report_load4_noabort+0x14/0x20 [ 49.567108][ T290] ext4_ext_remove_space+0x2f43/0x3fb0 [ 49.573750][ T290] ? ext4_es_free_extent+0x3de/0x4c0 [ 49.579556][ T290] ? ext4_es_insert_extent+0x2d70/0x2d70 [ 49.585548][ T290] ? ext4_da_release_space+0x1d6/0x480 [ 49.592028][ T290] ? __cfi_ext4_ext_remove_space+0x10/0x10 [ 49.598487][ T290] ? ext4_es_remove_extent+0x1d9/0x330 [ 49.604574][ T290] ext4_ext_truncate+0x200/0x320 [ 49.610265][ T290] ext4_truncate+0x9a6/0xf90 [ 49.616535][ T290] ? __cfi_ext4_truncate+0x10/0x10 [ 49.624095][ T290] ext4_evict_inode+0xcc3/0x1460 [ 49.630560][ T290] ? _raw_spin_unlock+0x4c/0x70 [ 49.639020][ T290] ? __cfi_ext4_evict_inode+0x10/0x10 [ 49.647809][ T290] ? _raw_spin_unlock+0x4c/0x70 [ 49.655522][ T290] ? inode_io_list_del+0x19b/0x1b0 [ 49.661590][ T290] ? __cfi_ext4_evict_inode+0x10/0x10 [ 49.669429][ T290] evict+0x493/0x890 [ 49.674264][ T290] ? __kasan_check_write+0x14/0x20 [ 49.680033][ T290] ? proc_nr_inodes+0x2f0/0x2f0 [ 49.687032][ T290] ? lockref_put_return+0x152/0x1c0 [ 49.694554][ T290] ? __cfi_lockref_put_return+0x10/0x10 [ 49.700570][ T290] ? __kasan_check_write+0x14/0x20 [ 49.707156][ T290] iput+0x620/0x670 [ 49.714985][ T290] do_unlinkat+0x375/0x6b0 [ 49.721318][ T290] ? __cfi_do_unlinkat+0x10/0x10 [ 49.729593][ T290] ? getname_flags+0x206/0x500 [ 49.734691][ T290] __x64_sys_unlink+0x49/0x50 [ 49.741838][ T290] x64_sys_call+0x958/0x9a0 [ 49.747282][ T290] do_syscall_64+0x4c/0xa0 [ 49.752261][ T290] ? clear_bhb_loop+0x30/0x80 [ 49.758736][ T290] ? clear_bhb_loop+0x30/0x80 [ 49.764166][ T290] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 49.771216][ T290] RIP: 0033:0x7fc9c6435d57 [ 49.776029][ T290] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 49.802870][ T290] RSP: 002b:00007fff16909478 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 [ 49.813879][ T290] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc9c6435d57 [ 49.822524][ T290] RDX: 00007fff169094a0 RSI: 00007fff16909530 RDI: 00007fff16909530 [ 49.833067][ T290] RBP: 00007fff16909530 R08: 0000000000000000 R09: 0000000000000000 [ 49.843765][ T290] R10: 0000000000000100 R11: 0000000000000206 R12: 00007fff1690a620 [ 49.854700][ T290] R13: 0000555567c28700 R14: 431bde82d7b634db R15: 00007fff1690b6b0 [ 49.863356][ T290] [ 49.867157][ T290] [ 49.870768][ T290] The buggy address belongs to the physical page: [ 49.878871][ T290] page:ffffea00049488c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x125223 [ 49.892021][ T290] flags: 0x4000000000000000(zone=1) [ 49.899018][ T290] raw: 4000000000000000 ffffea0004948188 ffffea0004948888 0000000000000000 [ 49.909714][ T290] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 49.920868][ T290] page dumped because: kasan: bad access detected [ 49.929812][ T290] page_owner tracks the page as freed [ 49.936851][ T290] page last allocated via order 0, migratetype Movable, gfp_mask 0x141cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_WRITE), pid 292, tgid 292 (syz-executor198), ts 49273010715, free_ts 49414771602 [ 49.961935][ T290] post_alloc_hook+0x1f5/0x210 [ 49.969403][ T290] prep_new_page+0x1c/0x110 [ 49.975277][ T290] get_page_from_freelist+0x2c7b/0x2cf0 [ 49.982334][ T290] __alloc_pages+0x19e/0x3a0 [ 49.987379][ T290] __folio_alloc+0x12/0x40 [ 49.994892][ T290] __filemap_get_folio+0x6ec/0x980 [ 50.001726][ T290] pagecache_get_page+0x2b/0x110 [ 50.006881][ T290] grab_cache_page_write_begin+0x43/0x60 [ 50.013174][ T290] ext4_write_begin+0x24b/0xf70 [ 50.018521][ T290] ext4_da_write_begin+0x3e1/0x8b0 [ 50.024710][ T290] generic_perform_write+0x2f6/0x6d0 [ 50.031576][ T290] ext4_buffered_write_iter+0x36f/0x660 [ 50.038482][ T290] ext4_file_write_iter+0x18f/0x13d0 [ 50.044379][ T290] vfs_write+0x5db/0xca0 [ 50.050646][ T290] ksys_write+0x140/0x240 [ 50.056400][ T290] __x64_sys_write+0x7b/0x90 [ 50.062785][ T290] page last free stack trace: [ 50.070137][ T290] free_unref_page_prepare+0x742/0x750 [ 50.077070][ T290] free_unref_page_list+0xba/0x7c0 [ 50.083916][ T290] release_pages+0xad1/0xb20 [ 50.089734][ T290] __pagevec_release+0x71/0xe0 [ 50.097996][ T290] truncate_inode_pages_range+0x309/0xcc0 [ 50.105416][ T290] truncate_pagecache+0x6c/0x90 [ 50.112914][ T290] ext4_setattr+0xf9b/0x1a50 [ 50.118561][ T290] notify_change+0xcc3/0xf80 [ 50.123661][ T290] do_sys_ftruncate+0x58f/0x7f0 [ 50.128791][ T290] __x64_sys_ftruncate+0x60/0x70 [ 50.133952][ T290] x64_sys_call+0x2f9/0x9a0 [ 50.138676][ T290] do_syscall_64+0x4c/0xa0 [ 50.143281][ T290] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 50.149841][ T290] [ 50.153107][ T290] Memory state around the buggy address: [ 50.160611][ T290] ffff888125223c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.170646][ T290] ffff888125223d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.181700][ T290] >ffff888125223d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff unlink("./0/file1/memory.stat") = 0 umount2("./0/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./0/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/bus") = 0 getdents64(4, 0x555567c28730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file1") = -1 EBUSY (Device or resource busy) [ 50.191012][ T290] ^ [ 50.197381][ T290] ffff888125223e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.206410][ T290] ffff888125223e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 50.215772][ T290] ================================================================== [ 50.228100][ T290] Disabling lock debugging due to kernel taint umount2("./0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./0/file1") = 0 umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 getdents64(3, 0x555567c206f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555567c1f650) = 296 ./strace-static-x86_64: Process 296 attached [pid 296] set_robust_list(0x555567c1f660, 24) = 0 [pid 296] chdir("./1") = 0 [pid 296] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 296] setpgid(0, 0) = 0 [pid 296] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 296] write(3, "1000", 4) = 4 [pid 296] close(3) = 0 [pid 296] symlink("/dev/binderfs", "./binderfs") = 0 [pid 296] write(1, "executing program\n", 18executing program ) = 18 [pid 296] memfd_create("syzkaller", 0) = 3 [pid 296] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc9bdff7000 [pid 296] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 296] munmap(0x7fc9bdff7000, 138412032) = 0 [pid 296] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 296] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 296] close(3) = 0 [pid 296] close(4) = 0 [pid 296] mkdir("./file1", 0777) = 0 [ 50.241878][ T290] EXT4-fs (loop0): unmounting filesystem. [ 50.275993][ T296] loop0: detected capacity change from 0 to 1024 [pid 296] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 296] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 296] chdir("./file1") = 0 [pid 296] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 296] ioctl(4, LOOP_CLR_FD) = 0 [pid 296] close(4) = 0 [pid 296] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 50.295333][ T296] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 50.322399][ T296] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor198: Allocating blocks 497-513 which overlap fs metadata [pid 296] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 296] ftruncate(4, 7) = 0 [pid 296] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 296] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 296] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 296] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 296] copy_file_range(-1, NULL, -1, NULL, 2147, 0) = -1 EBADF (Bad file descriptor) [pid 296] exit_group(0) = ? [pid 296] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=296, si_uid=0, si_status=0, si_utime=0, si_stime=7} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555567c206f0 /* 4 entries */, 32768) = 112 umount2("./1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./1/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./1/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555567c28730 /* 10 entries */, 32768) = 296 umount2("./1/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 2 entries */, 32768) = 48 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./1/file1/lost+found") = 0 umount2("./1/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 4 entries */, 32768) = 112 umount2("./1/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file0/file0") = 0 umount2("./1/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file0/file1") = 0 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./1/file1/file0") = 0 umount2("./1/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file1") = 0 umount2("./1/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file2") = 0 umount2("./1/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file3") = 0 umount2("./1/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file.cold") = 0 umount2("./1/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/memory.stat") = 0 umount2("./1/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./1/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/bus") = 0 getdents64(4, 0x555567c28730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file1") = -1 EBUSY (Device or resource busy) [ 50.338673][ T296] EXT4-fs (loop0): pa ffff888111ff8a80: logic 256, phys. 385, len 8 [ 50.347909][ T296] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 umount2("./1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./1/file1") = 0 umount2("./1/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 getdents64(3, 0x555567c206f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555567c1f650) = 299 ./strace-static-x86_64: Process 299 attached [pid 299] set_robust_list(0x555567c1f660, 24) = 0 [pid 299] chdir("./2") = 0 [pid 299] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 299] setpgid(0, 0) = 0 [pid 299] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 299] write(3, "1000", 4) = 4 [pid 299] close(3) = 0 [pid 299] symlink("/dev/binderfs", "./binderfs") = 0 executing program [pid 299] write(1, "executing program\n", 18) = 18 [pid 299] memfd_create("syzkaller", 0) = 3 [pid 299] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc9bdff7000 [pid 299] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 299] munmap(0x7fc9bdff7000, 138412032) = 0 [pid 299] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 299] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 299] close(3) = 0 [pid 299] close(4) = 0 [pid 299] mkdir("./file1", 0777) = 0 [ 50.388139][ T290] EXT4-fs (loop0): unmounting filesystem. [ 50.416725][ T299] loop0: detected capacity change from 0 to 1024 [pid 299] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 299] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 299] chdir("./file1") = 0 [pid 299] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 299] ioctl(4, LOOP_CLR_FD) = 0 [pid 299] close(4) = 0 [pid 299] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 50.434605][ T299] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 50.463874][ T299] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor198: Allocating blocks 497-513 which overlap fs metadata [pid 299] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 299] ftruncate(4, 7) = 0 [pid 299] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 299] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 299] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 299] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 299] copy_file_range(-1, NULL, -1, NULL, 2147, 0) = -1 EBADF (Bad file descriptor) [pid 299] exit_group(0) = ? [pid 299] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=299, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555567c206f0 /* 4 entries */, 32768) = 112 umount2("./2/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./2/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./2/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555567c28730 /* 10 entries */, 32768) = 296 umount2("./2/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 2 entries */, 32768) = 48 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./2/file1/lost+found") = 0 umount2("./2/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 4 entries */, 32768) = 112 umount2("./2/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file0/file0") = 0 umount2("./2/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file0/file1") = 0 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./2/file1/file0") = 0 umount2("./2/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file1") = 0 umount2("./2/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file2") = 0 umount2("./2/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file3") = 0 umount2("./2/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file.cold") = 0 umount2("./2/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/memory.stat") = 0 umount2("./2/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./2/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/bus") = 0 getdents64(4, 0x555567c28730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file1") = -1 EBUSY (Device or resource busy) [ 50.484206][ T299] EXT4-fs (loop0): pa ffff888111ff83f0: logic 256, phys. 385, len 8 [ 50.498380][ T299] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 umount2("./2/file1", MNT_FORCE|UMOUNT_NOFOLLOWexecuting program ) = 0 rmdir("./2/file1") = 0 umount2("./2/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 getdents64(3, 0x555567c206f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555567c1f650) = 302 ./strace-static-x86_64: Process 302 attached [pid 302] set_robust_list(0x555567c1f660, 24) = 0 [pid 302] chdir("./3") = 0 [pid 302] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 302] setpgid(0, 0) = 0 [pid 302] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 302] write(3, "1000", 4) = 4 [pid 302] close(3) = 0 [pid 302] symlink("/dev/binderfs", "./binderfs") = 0 [pid 302] write(1, "executing program\n", 18) = 18 [pid 302] memfd_create("syzkaller", 0) = 3 [pid 302] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc9bdff7000 [pid 302] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 302] munmap(0x7fc9bdff7000, 138412032) = 0 [pid 302] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 302] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 302] close(3) = 0 [pid 302] close(4) = 0 [pid 302] mkdir("./file1", 0777) = 0 [pid 302] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 302] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 302] chdir("./file1") = 0 [pid 302] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 302] ioctl(4, LOOP_CLR_FD) = 0 [pid 302] close(4) = 0 [pid 302] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 50.546485][ T290] EXT4-fs (loop0): unmounting filesystem. [ 50.566248][ T302] loop0: detected capacity change from 0 to 1024 [ 50.584266][ T302] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [pid 302] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 302] ftruncate(4, 7) = 0 [pid 302] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 302] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 302] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 302] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 302] copy_file_range(-1, NULL, -1, NULL, 2147, 0) = -1 EBADF (Bad file descriptor) [pid 302] exit_group(0) = ? [pid 302] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=302, si_uid=0, si_status=0, si_utime=0, si_stime=7} --- umount2("./3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555567c206f0 /* 4 entries */, 32768) = 112 umount2("./3/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./3/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./3/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555567c28730 /* 10 entries */, 32768) = 296 umount2("./3/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 2 entries */, 32768) = 48 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./3/file1/lost+found") = 0 umount2("./3/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 4 entries */, 32768) = 112 umount2("./3/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file0/file0") = 0 umount2("./3/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file0/file1") = 0 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./3/file1/file0") = 0 umount2("./3/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file1") = 0 umount2("./3/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file2") = 0 umount2("./3/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file3") = 0 umount2("./3/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file.cold") = 0 umount2("./3/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 50.609161][ T302] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor198: Allocating blocks 497-513 which overlap fs metadata [ 50.626214][ T302] EXT4-fs (loop0): pa ffff888111ff8930: logic 256, phys. 385, len 8 [ 50.636886][ T302] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 [ 50.671065][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 140893315144832, count = 16 [ 50.688166][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 140893315137536, count = 7307 [ 50.704679][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 140893315137536, count = 16 [ 50.721541][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 80024906794123, count = 2377 [ 50.738661][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 80024906794112, count = 16 [ 50.754648][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 2303251696, count = 16 [ 50.770212][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 2303250943, count = 768 [ 50.785943][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 2303250928, count = 16 unlink("./3/file1/memory.stat") = 0 umount2("./3/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./3/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/bus") = 0 getdents64(4, 0x555567c28730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file1") = -1 EBUSY (Device or resource busy) umount2("./3/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./3/file1") = 0 umount2("./3/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 getdents64(3, 0x555567c206f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3executing program ) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555567c1f650) = 305 ./strace-static-x86_64: Process 305 attached [pid 305] set_robust_list(0x555567c1f660, 24) = 0 [pid 305] chdir("./4") = 0 [pid 305] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 305] setpgid(0, 0) = 0 [pid 305] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 305] write(3, "1000", 4) = 4 [pid 305] close(3) = 0 [pid 305] symlink("/dev/binderfs", "./binderfs") = 0 [pid 305] write(1, "executing program\n", 18) = 18 [pid 305] memfd_create("syzkaller", 0) = 3 [pid 305] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc9bdff7000 [pid 305] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 305] munmap(0x7fc9bdff7000, 138412032) = 0 [pid 305] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 305] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 305] close(3) = 0 [pid 305] close(4) = 0 [pid 305] mkdir("./file1", 0777) = 0 [ 51.015002][ T290] EXT4-fs (loop0): unmounting filesystem. [ 51.041421][ T305] loop0: detected capacity change from 0 to 1024 [pid 305] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 305] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 305] chdir("./file1") = 0 [pid 305] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 305] ioctl(4, LOOP_CLR_FD) = 0 [pid 305] close(4) = 0 [pid 305] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 51.064709][ T305] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 51.088887][ T305] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor198: Allocating blocks 497-513 which overlap fs metadata [pid 305] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 305] ftruncate(4, 7) = 0 [pid 305] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 305] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 305] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 305] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 305] copy_file_range(-1, NULL, -1, NULL, 2147, 0) = -1 EBADF (Bad file descriptor) [pid 305] exit_group(0) = ? [pid 305] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=305, si_uid=0, si_status=0, si_utime=0, si_stime=6} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./4", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555567c206f0 /* 4 entries */, 32768) = 112 umount2("./4/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./4/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./4/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555567c28730 /* 10 entries */, 32768) = 296 umount2("./4/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 2 entries */, 32768) = 48 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./4/file1/lost+found") = 0 umount2("./4/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 4 entries */, 32768) = 112 umount2("./4/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file0/file0") = 0 umount2("./4/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file0/file1") = 0 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./4/file1/file0") = 0 umount2("./4/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file1") = 0 umount2("./4/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file2") = 0 umount2("./4/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file3") = 0 umount2("./4/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file.cold") = 0 umount2("./4/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 51.106588][ T305] EXT4-fs (loop0): pa ffff8881254d1738: logic 256, phys. 385, len 8 [ 51.116485][ T305] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 [ 51.151115][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 83565302031497, count = 0 [ 51.169868][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 83565302031488, count = 16 [ 51.188899][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 211262059322496, count = 16 [ 51.208482][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 211262059315200, count = 7307 [ 51.228661][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 83565973116043, count = 0 [ 51.246893][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 83565973116032, count = 16 [ 51.265904][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 202465966308368, count = 16 [ 51.282844][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 202465966292992, count = 15377 unlink("./4/file1/memory.stat") = 0 umount2("./4/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./4/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/bus") = 0 getdents64(4, 0x555567c28730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file1") = -1 EBUSY (Device or resource busy) umount2("./4/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 [ 54.750846][ T290] EXT4-fs (loop0): unmounting filesystem. rmdir("./4/file1") = 0 umount2("./4/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/binderfs") = 0 getdents64(3, 0x555567c206f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLDexecuting program , child_tidptr=0x555567c1f650) = 309 ./strace-static-x86_64: Process 309 attached [pid 309] set_robust_list(0x555567c1f660, 24) = 0 [pid 309] chdir("./5") = 0 [pid 309] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 309] setpgid(0, 0) = 0 [pid 309] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 309] write(3, "1000", 4) = 4 [pid 309] close(3) = 0 [pid 309] symlink("/dev/binderfs", "./binderfs") = 0 [pid 309] write(1, "executing program\n", 18) = 18 [pid 309] memfd_create("syzkaller", 0) = 3 [pid 309] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc9bdff7000 [pid 309] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 309] munmap(0x7fc9bdff7000, 138412032) = 0 [pid 309] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 309] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 309] close(3) = 0 [pid 309] close(4) = 0 [pid 309] mkdir("./file1", 0777) = 0 [pid 309] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 309] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 309] chdir("./file1") = 0 [pid 309] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 309] ioctl(4, LOOP_CLR_FD) = 0 [pid 309] close(4) = 0 [pid 309] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 54.826659][ T309] loop0: detected capacity change from 0 to 1024 [ 54.844124][ T309] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 54.882280][ T309] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor198: Allocating blocks 497-513 which overlap fs metadata [ 54.916259][ T309] EXT4-fs (loop0): pa ffff88812570e930: logic 256, phys. 385, len 8 [pid 309] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 309] ftruncate(4, 7) = 0 [pid 309] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 309] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 309] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 309] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 309] copy_file_range(-1, NULL, -1, NULL, 2147, 0) = -1 EBADF (Bad file descriptor) [pid 309] exit_group(0) = ? [pid 309] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=309, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./5", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555567c206f0 /* 4 entries */, 32768) = 112 umount2("./5/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./5/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./5/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555567c28730 /* 10 entries */, 32768) = 296 umount2("./5/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 2 entries */, 32768) = 48 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./5/file1/lost+found") = 0 umount2("./5/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 4 entries */, 32768) = 112 umount2("./5/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file0/file0") = 0 umount2("./5/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file0/file1") = 0 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./5/file1/file0") = 0 umount2("./5/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file1") = 0 umount2("./5/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file2") = 0 umount2("./5/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file3") = 0 umount2("./5/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file.cold") = 0 umount2("./5/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/memory.stat") = 0 umount2("./5/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./5/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/bus") = 0 getdents64(4, 0x555567c28730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file1") = -1 EBUSY (Device or resource busy) [ 54.931273][ T309] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 umount2("./5/file1", MNT_FORCE|UMOUNT_NOFOLLOWexecuting program ) = 0 rmdir("./5/file1") = 0 umount2("./5/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/binderfs") = 0 getdents64(3, 0x555567c206f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555567c1f650) = 314 ./strace-static-x86_64: Process 314 attached [pid 314] set_robust_list(0x555567c1f660, 24) = 0 [pid 314] chdir("./6") = 0 [pid 314] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 314] setpgid(0, 0) = 0 [pid 314] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 314] write(3, "1000", 4) = 4 [pid 314] close(3) = 0 [pid 314] symlink("/dev/binderfs", "./binderfs") = 0 [pid 314] write(1, "executing program\n", 18) = 18 [pid 314] memfd_create("syzkaller", 0) = 3 [pid 314] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fc9bdff7000 [pid 314] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 314] munmap(0x7fc9bdff7000, 138412032) = 0 [pid 314] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 314] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 314] close(3) = 0 [pid 314] close(4) = 0 [pid 314] mkdir("./file1", 0777) = 0 [ 54.986713][ T290] EXT4-fs (loop0): unmounting filesystem. [ 55.014229][ T314] loop0: detected capacity change from 0 to 1024 [pid 314] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 314] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 314] chdir("./file1") = 0 [pid 314] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 314] ioctl(4, LOOP_CLR_FD) = 0 [pid 314] close(4) = 0 [pid 314] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 55.044797][ T314] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [pid 314] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 314] ftruncate(4, 7) = 0 [pid 314] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 314] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 314] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 314] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 314] copy_file_range(-1, NULL, -1, NULL, 2147, 0) = -1 EBADF (Bad file descriptor) [pid 314] exit_group(0) = ? [pid 314] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=314, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./6", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x555567c206f0 /* 4 entries */, 32768) = 112 umount2("./6/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./6/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./6/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555567c28730 /* 10 entries */, 32768) = 296 umount2("./6/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 2 entries */, 32768) = 48 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./6/file1/lost+found") = 0 umount2("./6/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x555567c30770 /* 4 entries */, 32768) = 112 umount2("./6/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file0/file0") = 0 umount2("./6/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file0/file1") = 0 getdents64(5, 0x555567c30770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./6/file1/file0") = 0 umount2("./6/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file1") = 0 umount2("./6/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file2") = 0 umount2("./6/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file3") = 0 umount2("./6/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file.cold") = 0 umount2("./6/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [ 55.085115][ T314] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor198: Allocating blocks 497-513 which overlap fs metadata [ 55.104374][ T314] EXT4-fs (loop0): pa ffff88812570e690: logic 256, phys. 385, len 8 [ 55.112845][ T314] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 newfstatat(AT_FDCWD, "./6/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 55.171655][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 2207646876672, count = 16 [ 55.187942][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 2207646876163, count = 514 [ 55.206938][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 2207646876160, count = 16 [ 55.225734][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 2211941909504, count = 16 [ 55.242768][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 2211941908994, count = 514 [ 55.259826][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 2211941908992, count = 16 [ 55.277964][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 2211941909504, count = 16 [ 55.300640][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor198: Freeing blocks not in datazone - block = 2211941908995, count = 514