./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor839854922
<...>
Warning: Permanently added '10.128.0.52' (ED25519) to the list of known hosts.
execve("./syz-executor839854922", ["./syz-executor839854922"], 0x7ffed2f89bc0 /* 10 vars */) = 0
brk(NULL) = 0x555556273000
brk(0x555556273d00) = 0x555556273d00
arch_prctl(ARCH_SET_FS, 0x555556273380) = 0
set_tid_address(0x555556273650) = 5038
set_robust_list(0x555556273660, 24) = 0
rseq(0x555556273ca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor839854922", 4096) = 27
getrandom("\x5e\xb3\xee\xab\x98\x7e\xe8\xe6", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x555556273d00
brk(0x555556294d00) = 0x555556294d00
brk(0x555556295000) = 0x555556295000
mprotect(0x7f113d33f000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
mkdir("./syzkaller.uqDftf", 0700) = 0
chmod("./syzkaller.uqDftf", 0777) = 0
chdir("./syzkaller.uqDftf") = 0
mkdir("./0", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556273650) = 5039
./strace-static-x86_64: Process 5039 attached
[pid 5039] set_robust_list(0x555556273660, 24) = 0
[pid 5039] chdir("./0") = 0
[pid 5039] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5039] setpgid(0, 0) = 0
[pid 5039] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5039] write(3, "1000", 4) = 4
[pid 5039] close(3) = 0
[pid 5039] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5039] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5039] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5039] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5039] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5039] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5039] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5039] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5039] write(6, "8", 1) = 1
[ 74.272810][ T5039] FAULT_INJECTION: forcing a failure.
[ 74.272810][ T5039] name failslab, interval 1, probability 0, space 0, times 1
[ 74.285762][ T5039] CPU: 1 PID: 5039 Comm: syz-executor839 Not tainted 6.5.0-syzkaller-03967-gbd6c11bc43c4 #0
[ 74.295860][ T5039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 74.305934][ T5039] Call Trace:
[ 74.309226][ T5039]
[ 74.312171][ T5039] dump_stack_lvl+0x125/0x1b0
[ 74.316932][ T5039] should_fail_ex+0x496/0x5b0
[ 74.321668][ T5039] should_failslab+0x9/0x20
[ 74.326312][ T5039] kmem_cache_alloc_node+0x389/0x3f0
[ 74.331640][ T5039] ? __alloc_skb+0x287/0x330
[ 74.336270][ T5039] __alloc_skb+0x287/0x330
[ 74.340722][ T5039] ? __napi_build_skb+0x50/0x50
[ 74.345688][ T5039] ? mark_held_locks+0x9f/0xe0
[ 74.350510][ T5039] ? kasan_quarantine_put+0x102/0x230
[ 74.355916][ T5039] ? find_held_lock+0x2d/0x110
[ 74.360717][ T5039] alloc_skb_with_frags+0xe4/0x710
[ 74.365875][ T5039] sock_alloc_send_pskb+0x7c8/0x950
[ 74.371120][ T5039] ? aa_profile_af_perm+0x470/0x470
[ 74.376364][ T5039] ? tomoyo_unix_entry+0x1d2/0x650
[ 74.381505][ T5039] ? sock_wmalloc+0x120/0x120
[ 74.386224][ T5039] ? unix_gc+0x12b0/0x12b0
[ 74.390696][ T5039] ? apparmor_socket_getpeersec_dgram+0x9/0x10
[ 74.396887][ T5039] unix_dgram_sendmsg+0x455/0x1c30
[ 74.402126][ T5039] ? aa_sk_perm+0x2c1/0xae0
[ 74.406679][ T5039] ? unix_dgram_connect+0xba0/0xba0
[ 74.411910][ T5039] ? aa_af_perm+0x260/0x260
[ 74.416456][ T5039] ? reacquire_held_locks+0x4b0/0x4b0
[ 74.421872][ T5039] ? bpf_lsm_socket_sendmsg+0x9/0x10
[ 74.427203][ T5039] ? unix_dgram_connect+0xba0/0xba0
[ 74.432524][ T5039] sock_sendmsg+0xd9/0x180
[ 74.436972][ T5039] ____sys_sendmsg+0x2ac/0x940
[ 74.441862][ T5039] ? copy_msghdr_from_user+0x10b/0x160
[ 74.447371][ T5039] ? kernel_sendmsg+0x50/0x50
[ 74.452169][ T5039] ? find_held_lock+0x2d/0x110
[ 74.456973][ T5039] ___sys_sendmsg+0x135/0x1d0
[ 74.461706][ T5039] ? do_recvmmsg+0x740/0x740
[ 74.466326][ T5039] ? __lock_acquire+0x182f/0x5de0
[ 74.471401][ T5039] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 74.477436][ T5039] ? __fget_light+0x1fc/0x260
[ 74.482141][ T5039] __sys_sendmmsg+0x1a1/0x450
[ 74.486876][ T5039] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 74.491934][ T5039] ? cgroup_update_frozen+0x144/0x6b0
[ 74.497352][ T5039] ? find_held_lock+0x2d/0x110
[ 74.502168][ T5039] ? _raw_spin_unlock_irq+0x23/0x50
[ 74.507406][ T5039] ? lockdep_hardirqs_on+0x7d/0x100
[ 74.512648][ T5039] __x64_sys_sendmmsg+0x9c/0x100
[ 74.517712][ T5039] do_syscall_64+0x38/0xb0
[ 74.522162][ T5039] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 74.528090][ T5039] RIP: 0033:0x7f113d2cc5a9
[ 74.532538][ T5039] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 74.552174][ T5039] RSP: 002b:00007ffde85d92e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 74.560612][ T5039] RAX: ffffffffffffffda RBX: 00007ffde85d9310 RCX: 00007f113d2cc5a9
[pid 5039] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 ENOBUFS (No buffer space available)
[pid 5039] exit_group(0) = ?
[pid 5039] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5039, si_uid=0, si_status=0, si_utime=0, si_stime=2 /* 0.02 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555562746f0 /* 4 entries */, 32768) = 112
umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/binderfs") = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/file0") = 0
getdents64(3, 0x5555562746f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./0") = 0
mkdir("./1", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5040 attached
, child_tidptr=0x555556273650) = 5040
[pid 5040] set_robust_list(0x555556273660, 24) = 0
[pid 5040] chdir("./1") = 0
[pid 5040] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5040] setpgid(0, 0) = 0
[pid 5040] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5040] write(3, "1000", 4) = 4
[pid 5040] close(3) = 0
[pid 5040] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5040] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5040] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5040] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5040] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5040] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5040] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[ 74.568692][ T5039] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 74.576680][ T5039] RBP: 0000000000000001 R08: 00007ffde85d9087 R09: 00007ffde85e51a0
[ 74.584675][ T5039] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 74.592752][ T5039] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 74.600794][ T5039]
[pid 5040] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5040] write(6, "8", 1) = 1
[pid 5040] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 5040] exit_group(0) = ?
[pid 5040] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5040, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555562746f0 /* 4 entries */, 32768) = 112
umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./1/binderfs") = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./1/file0") = 0
getdents64(3, 0x5555562746f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./1") = 0
mkdir("./2", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5041 attached
, child_tidptr=0x555556273650) = 5041
[pid 5041] set_robust_list(0x555556273660, 24) = 0
[pid 5041] chdir("./2") = 0
[pid 5041] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5041] setpgid(0, 0) = 0
[pid 5041] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5041] write(3, "1000", 4) = 4
[pid 5041] close(3) = 0
[pid 5041] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5041] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5041] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5041] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5041] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5041] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5041] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5041] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5041] write(6, "8", 1) = 1
[pid 5041] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 74.693383][ T5041] FAULT_INJECTION: forcing a failure.
[ 74.693383][ T5041] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 74.707179][ T5041] CPU: 1 PID: 5041 Comm: syz-executor839 Not tainted 6.5.0-syzkaller-03967-gbd6c11bc43c4 #0
[ 74.717324][ T5041] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 74.727402][ T5041] Call Trace:
[ 74.730696][ T5041]
[ 74.733658][ T5041] dump_stack_lvl+0x125/0x1b0
[ 74.738378][ T5041] should_fail_ex+0x496/0x5b0
[ 74.743091][ T5041] __should_fail_alloc_page+0xe7/0x130
[ 74.748675][ T5041] prepare_alloc_pages.constprop.0+0x16f/0x550
[ 74.754909][ T5041] ? mark_lock+0x105/0x1950
[ 74.759544][ T5041] __alloc_pages+0x14e/0x4a0
[ 74.764159][ T5041] ? __alloc_pages_slowpath.constprop.0+0x2360/0x2360
[ 74.770982][ T5041] ? __lock_acquire+0x182f/0x5de0
[ 74.776056][ T5041] ? find_held_lock+0x2d/0x110
[ 74.780882][ T5041] __folio_alloc+0x16/0x40
[ 74.785325][ T5041] vma_alloc_folio+0x156/0x890
[ 74.790142][ T5041] ? policy_nodemask+0x1d0/0x1d0
[ 74.795212][ T5041] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 74.801326][ T5041] do_wp_page+0x79b/0x3710
[ 74.805775][ T5041] ? lock_sync+0x190/0x190
[ 74.810312][ T5041] ? finish_mkwrite_fault+0x250/0x250
[ 74.815725][ T5041] ? spin_bug+0x1d0/0x1d0
[ 74.820186][ T5041] __handle_mm_fault+0x1af7/0x3b80
[ 74.825340][ T5041] ? vm_iomap_memory+0x170/0x170
[ 74.830328][ T5041] ? find_vma+0x10e/0x1b0
[ 74.834979][ T5041] ? vma_link+0x290/0x290
[ 74.839476][ T5041] handle_mm_fault+0x2ab/0x9d0
[ 74.844267][ T5041] ? access_error+0x156/0x2d0
[ 74.848979][ T5041] ? lock_mm_and_find_vma+0xa6/0x760
[ 74.854477][ T5041] do_user_addr_fault+0x446/0xfc0
[ 74.859530][ T5041] ? rcu_is_watching+0x12/0xb0
[ 74.864414][ T5041] exc_page_fault+0x5c/0xd0
[ 74.868968][ T5041] asm_exc_page_fault+0x26/0x30
[ 74.873853][ T5041] RIP: 0033:0x7f113d2a24d0
[ 74.878398][ T5041] Code: 41 54 55 48 89 f5 53 89 fb 48 83 ec 18 48 83 3d 1d 0b 0a 00 00 89 54 24 0c 74 08 84 c9 0f 85 09 02 00 00 31 c0 ba 01 00 00 00 0f b1 15 d0 38 0a 00 0f 85 0f 02 00 00 4c 8d 25 c3 38 0a 00 4c
[ 74.898036][ T5041] RSP: 002b:00007ffde85d9290 EFLAGS: 00010246
[ 74.904126][ T5041] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ 74.912119][ T5041] RDX: 0000000000000001 RSI: 00007f113d343120 RDI: 0000000000000000
[ 74.920110][ T5041] RBP: 00007f113d343120 R08: 00007ffde85d9087 R09: 00007ffde85e51a0
[ 74.928147][ T5041] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 74.936243][ T5041] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[pid 5041] exit_group(0) = ?
[pid 5041] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5041, si_uid=0, si_status=0, si_utime=0, si_stime=3 /* 0.03 s */} ---
umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555562746f0 /* 4 entries */, 32768) = 112
umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./2/binderfs") = 0
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./2/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./2/file0") = 0
getdents64(3, 0x5555562746f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./2") = 0
mkdir("./3", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5042 attached
, child_tidptr=0x555556273650) = 5042
[pid 5042] set_robust_list(0x555556273660, 24) = 0
[pid 5042] chdir("./3") = 0
[pid 5042] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5042] setpgid(0, 0) = 0
[pid 5042] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5042] write(3, "1000", 4) = 4
[pid 5042] close(3) = 0
[pid 5042] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5042] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5042] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5042] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5042] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5042] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5042] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5042] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5042] write(6, "8", 1) = 1
[pid 5042] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 74.944262][ T5041]
[ 74.948026][ T5041] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
[ 74.983667][ T5042] FAULT_INJECTION: forcing a failure.
[ 74.983667][ T5042] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 74.997001][ T5042] CPU: 1 PID: 5042 Comm: syz-executor839 Not tainted 6.5.0-syzkaller-03967-gbd6c11bc43c4 #0
[ 75.007198][ T5042] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 75.017371][ T5042] Call Trace:
[ 75.020754][ T5042]
[ 75.023787][ T5042] dump_stack_lvl+0x125/0x1b0
[ 75.028495][ T5042] should_fail_ex+0x496/0x5b0
[ 75.033215][ T5042] __should_fail_alloc_page+0xe7/0x130
[ 75.038845][ T5042] prepare_alloc_pages.constprop.0+0x16f/0x550
[ 75.045056][ T5042] ? mark_lock+0x105/0x1950
[ 75.049631][ T5042] __alloc_pages+0x14e/0x4a0
[ 75.054276][ T5042] ? __alloc_pages_slowpath.constprop.0+0x2360/0x2360
[ 75.061116][ T5042] ? __lock_acquire+0x182f/0x5de0
[ 75.066441][ T5042] ? find_held_lock+0x2d/0x110
[ 75.071323][ T5042] __folio_alloc+0x16/0x40
[ 75.075764][ T5042] vma_alloc_folio+0x156/0x890
[ 75.080559][ T5042] ? policy_nodemask+0x1d0/0x1d0
[ 75.085534][ T5042] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 75.091586][ T5042] do_wp_page+0x79b/0x3710
[ 75.096047][ T5042] ? lock_sync+0x190/0x190
[ 75.100532][ T5042] ? finish_mkwrite_fault+0x250/0x250
[ 75.105944][ T5042] ? spin_bug+0x1d0/0x1d0
[ 75.110309][ T5042] __handle_mm_fault+0x1af7/0x3b80
[ 75.115448][ T5042] ? vm_iomap_memory+0x170/0x170
[ 75.120420][ T5042] ? find_vma+0x10e/0x1b0
[ 75.124778][ T5042] ? vma_link+0x290/0x290
[ 75.129135][ T5042] handle_mm_fault+0x2ab/0x9d0
[ 75.133921][ T5042] ? access_error+0x156/0x2d0
[ 75.138616][ T5042] ? lock_mm_and_find_vma+0xa6/0x760
[ 75.143930][ T5042] do_user_addr_fault+0x446/0xfc0
[ 75.148979][ T5042] ? rcu_is_watching+0x12/0xb0
[ 75.153777][ T5042] exc_page_fault+0x5c/0xd0
[ 75.158441][ T5042] asm_exc_page_fault+0x26/0x30
[ 75.163338][ T5042] RIP: 0033:0x7f113d2a24d0
[ 75.167771][ T5042] Code: 41 54 55 48 89 f5 53 89 fb 48 83 ec 18 48 83 3d 1d 0b 0a 00 00 89 54 24 0c 74 08 84 c9 0f 85 09 02 00 00 31 c0 ba 01 00 00 00 0f b1 15 d0 38 0a 00 0f 85 0f 02 00 00 4c 8d 25 c3 38 0a 00 4c
[ 75.187399][ T5042] RSP: 002b:00007ffde85d9290 EFLAGS: 00010246
[ 75.193491][ T5042] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ 75.201488][ T5042] RDX: 0000000000000001 RSI: 00007f113d343120 RDI: 0000000000000000
[ 75.209492][ T5042] RBP: 00007f113d343120 R08: 00007ffde85d9087 R09: 00007ffde85e51a0
[ 75.217484][ T5042] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 75.225979][ T5042] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 75.234043][ T5042]
[pid 5042] exit_group(0) = ?
[pid 5042] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5042, si_uid=0, si_status=0, si_utime=0, si_stime=2 /* 0.02 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555562746f0 /* 4 entries */, 32768) = 112
umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./3/binderfs") = 0
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./3/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./3/file0") = 0
getdents64(3, 0x5555562746f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./3") = 0
mkdir("./4", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5043 attached
, child_tidptr=0x555556273650) = 5043
[pid 5043] set_robust_list(0x555556273660, 24) = 0
[pid 5043] chdir("./4") = 0
[pid 5043] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5043] setpgid(0, 0) = 0
[pid 5043] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5043] write(3, "1000", 4) = 4
[pid 5043] close(3) = 0
[pid 5043] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5043] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5043] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5043] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5043] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5043] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5043] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5043] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5043] write(6, "8", 1) = 1
[pid 5043] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 5043] exit_group(0) = ?
[pid 5043] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5043, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555562746f0 /* 4 entries */, 32768) = 112
umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./4/binderfs") = 0
umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./4/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./4/file0") = 0
[ 75.240124][ T5042] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
getdents64(3, 0x5555562746f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./4") = 0
mkdir("./5", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5044 attached
, child_tidptr=0x555556273650) = 5044
[pid 5044] set_robust_list(0x555556273660, 24) = 0
[pid 5044] chdir("./5") = 0
[pid 5044] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5044] setpgid(0, 0) = 0
[pid 5044] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5044] write(3, "1000", 4) = 4
[pid 5044] close(3) = 0
[pid 5044] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5044] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5044] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5044] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5044] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5044] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5044] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5044] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5044] write(6, "8", 1) = 1
[pid 5044] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 75.303171][ T5044] FAULT_INJECTION: forcing a failure.
[ 75.303171][ T5044] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 75.316701][ T5044] CPU: 1 PID: 5044 Comm: syz-executor839 Not tainted 6.5.0-syzkaller-03967-gbd6c11bc43c4 #0
[ 75.326978][ T5044] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 75.337059][ T5044] Call Trace:
[ 75.340371][ T5044]
[ 75.343321][ T5044] dump_stack_lvl+0x125/0x1b0
[ 75.348880][ T5044] should_fail_ex+0x496/0x5b0
[ 75.353621][ T5044] __should_fail_alloc_page+0xe7/0x130
[ 75.359207][ T5044] prepare_alloc_pages.constprop.0+0x16f/0x550
[ 75.365439][ T5044] ? mark_lock+0x105/0x1950
[ 75.369984][ T5044] __alloc_pages+0x14e/0x4a0
[ 75.374599][ T5044] ? __alloc_pages_slowpath.constprop.0+0x2360/0x2360
[ 75.381425][ T5044] ? __lock_acquire+0x182f/0x5de0
[ 75.386486][ T5044] ? find_held_lock+0x2d/0x110
[ 75.391371][ T5044] __folio_alloc+0x16/0x40
[ 75.395817][ T5044] vma_alloc_folio+0x156/0x890
[ 75.400707][ T5044] ? policy_nodemask+0x1d0/0x1d0
[ 75.405764][ T5044] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 75.411786][ T5044] do_wp_page+0x79b/0x3710
[ 75.416240][ T5044] ? lock_sync+0x190/0x190
[ 75.420712][ T5044] ? finish_mkwrite_fault+0x250/0x250
[ 75.426115][ T5044] ? spin_bug+0x1d0/0x1d0
[ 75.430493][ T5044] __handle_mm_fault+0x1af7/0x3b80
[ 75.435634][ T5044] ? vm_iomap_memory+0x170/0x170
[ 75.440612][ T5044] ? find_vma+0x10e/0x1b0
[ 75.444974][ T5044] ? vma_link+0x290/0x290
[ 75.449335][ T5044] handle_mm_fault+0x2ab/0x9d0
[ 75.454124][ T5044] ? access_error+0x156/0x2d0
[ 75.458829][ T5044] ? lock_mm_and_find_vma+0xa6/0x760
[ 75.464143][ T5044] do_user_addr_fault+0x446/0xfc0
[ 75.469198][ T5044] ? rcu_is_watching+0x12/0xb0
[ 75.473987][ T5044] exc_page_fault+0x5c/0xd0
[ 75.478532][ T5044] asm_exc_page_fault+0x26/0x30
[ 75.483416][ T5044] RIP: 0033:0x7f113d2a24d0
[ 75.487854][ T5044] Code: 41 54 55 48 89 f5 53 89 fb 48 83 ec 18 48 83 3d 1d 0b 0a 00 00 89 54 24 0c 74 08 84 c9 0f 85 09 02 00 00 31 c0 ba 01 00 00 00 0f b1 15 d0 38 0a 00 0f 85 0f 02 00 00 4c 8d 25 c3 38 0a 00 4c
[ 75.507486][ T5044] RSP: 002b:00007ffde85d9290 EFLAGS: 00010246
[ 75.513585][ T5044] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[ 75.521572][ T5044] RDX: 0000000000000001 RSI: 00007f113d343120 RDI: 0000000000000000
[ 75.529560][ T5044] RBP: 00007f113d343120 R08: 00007ffde85d9087 R09: 00007ffde85e51a0
[ 75.537552][ T5044] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 75.545558][ T5044] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[pid 5044] exit_group(0) = ?
[pid 5044] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5044, si_uid=0, si_status=0, si_utime=0, si_stime=2 /* 0.02 s */} ---
umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555562746f0 /* 4 entries */, 32768) = 112
umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./5/binderfs") = 0
umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./5/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./5/file0") = 0
getdents64(3, 0x5555562746f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./5") = 0
mkdir("./6", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556273650) = 5045
./strace-static-x86_64: Process 5045 attached
[pid 5045] set_robust_list(0x555556273660, 24) = 0
[pid 5045] chdir("./6") = 0
[pid 5045] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5045] setpgid(0, 0) = 0
[pid 5045] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5045] write(3, "1000", 4) = 4
[pid 5045] close(3) = 0
[pid 5045] symlink("/dev/binderfs", "./binderfs") = 0
[ 75.553577][ T5044]
[ 75.557036][ T5044] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF
[ 75.565429][ T22] ==================================================================
[ 75.573529][ T22] BUG: KASAN: slab-use-after-free in consume_skb+0x32/0x170
[ 75.580956][ T22] Read of size 4 at addr ffff8880209f6ae4 by task kworker/1:0/22
[ 75.588710][ T22]
[ 75.591068][ T22] CPU: 1 PID: 22 Comm: kworker/1:0 Not tainted 6.5.0-syzkaller-03967-gbd6c11bc43c4 #0
[pid 5045] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5045] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5045] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5045] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5045] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5045] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5045] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5045] write(6, "8", 1) = 1
[pid 5045] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 5045] exit_group(0) = ?
[pid 5045] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5045, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555562746f0 /* 4 entries */, 32768) = 112
umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./6/binderfs") = 0
umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./6/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./6/file0") = 0
getdents64(3, 0x5555562746f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./6") = 0
mkdir("./7", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556273650) = 5046
./strace-static-x86_64: Process 5046 attached
[pid 5046] set_robust_list(0x555556273660, 24) = 0
[pid 5046] chdir("./7") = 0
[pid 5046] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5046] setpgid(0, 0) = 0
[pid 5046] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5046] write(3, "1000", 4) = 4
[pid 5046] close(3) = 0
[pid 5046] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5046] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[ 75.600662][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 75.610757][ T22] Workqueue: events sk_psock_destroy
[ 75.616281][ T22] Call Trace:
[ 75.619595][ T22]
[ 75.623253][ T22] dump_stack_lvl+0xd9/0x1b0
[ 75.627901][ T22] print_report+0xc4/0x620
[ 75.632384][ T22] ? __virt_addr_valid+0x5e/0x2d0
[ 75.637460][ T22] ? __phys_addr+0xc6/0x140
[ 75.642023][ T22] kasan_report+0xda/0x110
[ 75.646516][ T22] ? consume_skb+0x32/0x170
[pid 5046] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5046] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5046] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5046] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5046] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5046] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5046] write(6, "8", 1) = 1
[pid 5046] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 5046] exit_group(0) = ?
[pid 5046] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5046, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555562746f0 /* 4 entries */, 32768) = 112
umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./7/binderfs") = 0
umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./7/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./7/file0") = 0
getdents64(3, 0x5555562746f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./7") = 0
mkdir("./8", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556273650) = 5047
[ 75.651071][ T22] ? consume_skb+0x32/0x170
[ 75.655643][ T22] kasan_check_range+0xef/0x190
[ 75.660544][ T22] consume_skb+0x32/0x170
[ 75.664934][ T22] __sk_msg_free+0x230/0x380
[ 75.669578][ T22] ? lockdep_hardirqs_on+0x7d/0x100
[ 75.674838][ T22] ? _raw_spin_unlock_irqrestore+0x3b/0x70
[ 75.680725][ T22] sk_psock_destroy+0x335/0xa50
[ 75.685646][ T22] process_one_work+0xaa2/0x16f0
[ 75.690645][ T22] ? bpf_jit_binary_pack_hdr+0x200/0x200
[ 75.696326][ T22] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 75.701748][ T22] ? spin_bug+0x1d0/0x1d0
[ 75.706123][ T22] worker_thread+0x687/0x1110
[ 75.710837][ T22] ? process_one_work+0x16f0/0x16f0
[ 75.716066][ T22] kthread+0x33a/0x430
[ 75.720162][ T22] ? kthread_complete_and_exit+0x40/0x40
[ 75.725823][ T22] ret_from_fork+0x2c/0x70
[ 75.730261][ T22] ? kthread_complete_and_exit+0x40/0x40
[ 75.735917][ T22] ret_from_fork_asm+0x11/0x20
[ 75.740718][ T22]
[ 75.743744][ T22]
[ 75.746070][ T22] Allocated by task 5043:
[ 75.750403][ T22] kasan_save_stack+0x33/0x50
[ 75.755116][ T22] kasan_set_track+0x25/0x30
[ 75.759738][ T22] __kasan_slab_alloc+0x81/0x90
[ 75.764617][ T22] kmem_cache_alloc_node+0x185/0x3f0
[ 75.769932][ T22] __alloc_skb+0x287/0x330
[ 75.774367][ T22] alloc_skb_with_frags+0xe4/0x710
[ 75.779591][ T22] sock_alloc_send_pskb+0x7c8/0x950
[ 75.784821][ T22] unix_dgram_sendmsg+0x455/0x1c30
[ 75.789959][ T22] sock_sendmsg+0xd9/0x180
[ 75.794395][ T22] ____sys_sendmsg+0x2ac/0x940
[ 75.799185][ T22] ___sys_sendmsg+0x135/0x1d0
[ 75.803883][ T22] __sys_sendmmsg+0x1a1/0x450
[ 75.809275][ T22] __x64_sys_sendmmsg+0x9c/0x100
[ 75.814236][ T22] do_syscall_64+0x38/0xb0
[ 75.819037][ T22] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 75.824976][ T22]
[ 75.827309][ T22] Freed by task 22:
[ 75.831135][ T22] kasan_save_stack+0x33/0x50
[ 75.835869][ T22] kasan_set_track+0x25/0x30
[ 75.840516][ T22] kasan_save_free_info+0x2b/0x40
[ 75.845573][ T22] ____kasan_slab_free+0x15e/0x1b0
[ 75.850718][ T22] slab_free_freelist_hook+0x10b/0x1e0
[ 75.856205][ T22] kmem_cache_free+0xf0/0x490
[ 75.860906][ T22] kfree_skbmem+0xef/0x1b0
[ 75.865344][ T22] kfree_skb_reason+0x10e/0x210
[ 75.870217][ T22] sk_psock_destroy+0x18d/0xa50
[ 75.875094][ T22] process_one_work+0xaa2/0x16f0
[ 75.880145][ T22] worker_thread+0x687/0x1110
[ 75.884880][ T22] kthread+0x33a/0x430
[ 75.888978][ T22] ret_from_fork+0x2c/0x70
[ 75.893417][ T22] ret_from_fork_asm+0x11/0x20
[ 75.898218][ T22]
[ 75.900550][ T22] The buggy address belongs to the object at ffff8880209f6a00
[ 75.900550][ T22] which belongs to the cache skbuff_head_cache of size 240
[ 75.915227][ T22] The buggy address is located 228 bytes inside of
[ 75.915227][ T22] freed 240-byte region [ffff8880209f6a00, ffff8880209f6af0)
[ 75.929057][ T22]
[ 75.931398][ T22] The buggy address belongs to the physical page:
[ 75.937816][ T22] page:ffffea0000827d80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x209f6
[ 75.948087][ T22] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 75.955655][ T22] page_type: 0xffffffff()
[ 75.960008][ T22] raw: 00fff00000000200 ffff88814366e500 dead000000000122 0000000000000000
[ 75.968662][ T22] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 75.977272][ T22] page dumped because: kasan: bad access detected
[ 75.983712][ T22] page_owner tracks the page as allocated
[ 75.989437][ T22] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 4474, tgid 4474 (klogd), ts 74954777087, free_ts 74653052006
[ 76.007196][ T22] post_alloc_hook+0x2d2/0x350
[ 76.012038][ T22] get_page_from_freelist+0x10a9/0x31e0
[ 76.017706][ T22] __alloc_pages+0x1d0/0x4a0
[ 76.022307][ T22] alloc_pages+0x1a9/0x270
[ 76.026747][ T22] allocate_slab+0x24e/0x380
[ 76.031377][ T22] ___slab_alloc+0x8bc/0x1570
[ 76.036083][ T22] __slab_alloc.constprop.0+0x56/0xa0
[ 76.041481][ T22] kmem_cache_alloc_node+0x137/0x3f0
[ 76.046798][ T22] __alloc_skb+0x287/0x330
[ 76.051235][ T22] alloc_skb_with_frags+0xe4/0x710
[ 76.056369][ T22] sock_alloc_send_pskb+0x7c8/0x950
[ 76.061597][ T22] unix_dgram_sendmsg+0x455/0x1c30
[ 76.066909][ T22] sock_sendmsg+0xd9/0x180
[ 76.071348][ T22] __sys_sendto+0x255/0x340
[ 76.075872][ T22] __x64_sys_sendto+0xe0/0x1b0
[ 76.080658][ T22] do_syscall_64+0x38/0xb0
[ 76.085096][ T22] page last free stack trace:
[ 76.089769][ T22] free_unref_page_prepare+0x508/0xb90
[ 76.095261][ T22] free_unref_page+0x33/0x3b0
[ 76.099967][ T22] qlist_free_all+0x6a/0x170
[ 76.104580][ T22] kasan_quarantine_reduce+0x18b/0x1d0
[ 76.110087][ T22] __kasan_slab_alloc+0x65/0x90
[ 76.114971][ T22] kmem_cache_alloc+0x172/0x3b0
[ 76.119851][ T22] jbd2__journal_start+0x190/0x690
[ 76.124983][ T22] __ext4_journal_start_sb+0x40f/0x5c0
[ 76.130466][ T22] __ext4_new_inode+0x2e3a/0x5610
[ 76.135522][ T22] ext4_mknod+0x310/0x550
[ 76.139880][ T22] vfs_mknod+0x586/0x850
[ 76.144145][ T22] unix_bind+0x4bb/0x1440
[ 76.148499][ T22] __sys_bind+0x1ec/0x220
[ 76.152848][ T22] __x64_sys_bind+0x72/0xb0
[ 76.157368][ T22] do_syscall_64+0x38/0xb0
[ 76.161803][ T22] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 76.167719][ T22]
[ 76.170047][ T22] Memory state around the buggy address:
[ 76.175681][ T22] ffff8880209f6980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 76.183756][ T22] ffff8880209f6a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.191845][ T22] >ffff8880209f6a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 76.199913][ T22] ^
./strace-static-x86_64: Process 5047 attached
[pid 5047] set_robust_list(0x555556273660, 24) = 0
[pid 5047] chdir("./8") = 0
[pid 5047] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5047] setpgid(0, 0) = 0
[ 76.207119][ T22] ffff8880209f6b00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 76.215280][ T22] ffff8880209f6b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 76.223438][ T22] ==================================================================
[ 76.237597][ T22] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 76.244843][ T22] CPU: 1 PID: 22 Comm: kworker/1:0 Not tainted 6.5.0-syzkaller-03967-gbd6c11bc43c4 #0
[pid 5047] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5047] write(3, "1000", 4) = 4
[pid 5047] close(3) = 0
[pid 5047] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5047] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5047] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5047] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5047] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5047] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5047] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5047] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5047] write(6, "8", 1) = 1
[pid 5047] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 76.254434][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 76.264531][ T22] Workqueue: events sk_psock_destroy
[ 76.269881][ T22] Call Trace:
[ 76.273207][ T22]
[ 76.276180][ T22] dump_stack_lvl+0xd9/0x1b0
[ 76.280916][ T22] panic+0x6a4/0x750
[ 76.284826][ T5047] FAULT_INJECTION: forcing a failure.
[ 76.284826][ T5047] name fail_page_alloc, interval 1, probability 0, space 0, times 0
[ 76.298072][ T22] ? panic_smp_self_stop+0xa0/0xa0
[ 76.303320][ T22] ? preempt_schedule_thunk+0x1a/0x30
[ 76.308743][ T22] ? preempt_schedule_common+0x45/0xc0
[ 76.314261][ T22] check_panic_on_warn+0xab/0xb0
[ 76.319242][ T22] end_report+0x108/0x150
[ 76.323630][ T22] kasan_report+0xea/0x110
[ 76.328109][ T22] ? consume_skb+0x32/0x170
[ 76.332677][ T22] ? consume_skb+0x32/0x170
[ 76.337220][ T22] kasan_check_range+0xef/0x190
[ 76.342100][ T22] consume_skb+0x32/0x170
[ 76.346468][ T22] __sk_msg_free+0x230/0x380
[ 76.351533][ T22] ? lockdep_hardirqs_on+0x7d/0x100
[ 76.356768][ T22] ? _raw_spin_unlock_irqrestore+0x3b/0x70
[ 76.362626][ T22] sk_psock_destroy+0x335/0xa50
[ 76.367681][ T22] process_one_work+0xaa2/0x16f0
[ 76.372652][ T22] ? bpf_jit_binary_pack_hdr+0x200/0x200
[ 76.378303][ T22] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 76.383705][ T22] ? spin_bug+0x1d0/0x1d0
[ 76.388070][ T22] worker_thread+0x687/0x1110
[ 76.392869][ T22] ? process_one_work+0x16f0/0x16f0
[ 76.398095][ T22] kthread+0x33a/0x430
[ 76.402182][ T22] ? kthread_complete_and_exit+0x40/0x40
[ 76.407838][ T22] ret_from_fork+0x2c/0x70
[ 76.412282][ T22] ? kthread_complete_and_exit+0x40/0x40
[ 76.417937][ T22] ret_from_fork_asm+0x11/0x20
[ 76.422744][ T22]
[ 76.426088][ T22] Kernel Offset: disabled
[ 76.430433][ T22] Rebooting in 86400 seconds..