./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1225254365 <...> tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1 [ 12.964950][ T28] audit: type=1400 audit(1687673960.989:64): avc: denied { rlimitinh } for pid=224 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 12.967836][ T28] audit: type=1400 audit(1687673960.989:65): avc: denied { siginh } for pid=224 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 Warning: Permanently added '10.128.1.80' (ECDSA) to the list of known hosts. execve("./syz-executor1225254365", ["./syz-executor1225254365"], 0x7ffcd44f0920 /* 10 vars */) = 0 brk(NULL) = 0x5555556ca000 brk(0x5555556cac40) = 0x5555556cac40 arch_prctl(ARCH_SET_FS, 0x5555556ca300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x5555556ca5d0) = 293 set_robust_list(0x5555556ca5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7fa77c5406b0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fa77c540d80}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7fa77c540750, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fa77c540d80}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1225254365", 4096) = 28 brk(0x5555556ebc40) = 0x5555556ebc40 brk(0x5555556ec000) = 0x5555556ec000 mprotect(0x7fa77c602000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 293 mkdir("./syzkaller.IwjKPm", 0700) = 0 chmod("./syzkaller.IwjKPm", 0777) = 0 chdir("./syzkaller.IwjKPm") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 295 ./strace-static-x86_64: Process 295 attached [pid 295] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 295] chdir("./0") = 0 [pid 295] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 295] setpgid(0, 0) = 0 [pid 295] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 295] write(3, "1000", 4) = 4 [pid 295] close(3) = 0 [pid 295] symlink("/dev/binderfs", "./binderfs") = 0 [pid 295] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 295] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 295] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[296], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 296 [pid 295] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 296 attached ) = 0 [pid 295] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 296] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 296] memfd_create("syzkaller", 0) = 3 [pid 296] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 296] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 296] munmap(0x7fa77410f000, 262144) = 0 [pid 296] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 296] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 296] close(3) = 0 [pid 296] mkdir("./file1", 0777) = 0 [ 21.908270][ T28] audit: type=1400 audit(1687673969.939:66): avc: denied { execmem } for pid=293 comm="syz-executor122" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 21.911148][ T28] audit: type=1400 audit(1687673969.939:67): avc: denied { read write } for pid=293 comm="syz-executor122" name="loop0" dev="devtmpfs" ino=113 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.914649][ T28] audit: type=1400 audit(1687673969.939:68): avc: denied { open } for pid=293 comm="syz-executor122" path="/dev/loop0" dev="devtmpfs" ino=113 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.918636][ T28] audit: type=1400 audit(1687673969.939:69): avc: denied { ioctl } for pid=293 comm="syz-executor122" path="/dev/loop0" dev="devtmpfs" ino=113 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 21.926591][ T296] loop0: detected capacity change from 0 to 512 [ 21.930012][ T28] audit: type=1400 audit(1687673969.959:70): avc: denied { mounton } for pid=295 comm="syz-executor122" path="/root/syzkaller.IwjKPm/0/file1" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [pid 296] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 296] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 296] chdir("./file1") = 0 [pid 296] ioctl(4, LOOP_CLR_FD) = 0 [pid 296] close(4) = 0 [pid 296] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 296] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 295] <... futex resumed>) = 0 [pid 295] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 295] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 296] <... futex resumed>) = 0 [ 21.959141][ T296] EXT4-fs (loop0): 1 orphan inode deleted [ 21.964726][ T296] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 21.973697][ T28] audit: type=1400 audit(1687673970.009:71): avc: denied { mount } for pid=295 comm="syz-executor122" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 21.973732][ T296] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/0/file1 supports timestamps until 2038 (0x7fffffff) [pid 296] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 296] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 296] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 295] <... futex resumed>) = 0 [pid 295] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 295] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 295] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 295] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[300], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 300 [pid 295] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 296] <... futex resumed>) = 0 [pid 296] fallocate(4, 0, 35143, 7) = 0 [pid 296] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 300 attached [pid 296] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 300] set_robust_list(0x7fa77414e9e0, 24) = 0 [ 22.009179][ T28] audit: type=1400 audit(1687673970.039:72): avc: denied { write } for pid=295 comm="syz-executor122" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 22.031202][ T28] audit: type=1400 audit(1687673970.039:73): avc: denied { add_name } for pid=295 comm="syz-executor122" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [pid 300] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL [pid 295] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 300] <... mount resumed>) = 0 [pid 295] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 296] <... futex resumed>) = 0 [pid 295] <... futex resumed>) = 1 [pid 296] sendmmsg(-1, [pid 295] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 296] <... sendmmsg resumed>[{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 296] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 295] <... futex resumed>) = 0 [pid 296] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 295] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 296] <... open resumed>) = 5 [pid 295] <... futex resumed>) = 0 [pid 296] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 295] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 296] <... futex resumed>) = 0 [pid 295] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 296] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 295] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 296] <... write resumed>) = 262144 [pid 296] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 295] <... futex resumed>) = 0 [pid 296] <... futex resumed>) = 1 [pid 296] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 300] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 295] exit_group(0 [pid 296] <... futex resumed>) = ? [pid 295] <... exit_group resumed>) = ? [pid 300] +++ exited with 0 +++ [pid 296] +++ exited with 0 +++ [pid 295] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=295, si_uid=0, si_status=0, si_utime=0, si_stime=6} --- umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./0/binderfs") = 0 [ 22.052043][ T28] audit: type=1400 audit(1687673970.039:74): avc: denied { create } for pid=295 comm="syz-executor122" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 22.072629][ T28] audit: type=1400 audit(1687673970.039:75): avc: denied { read write open } for pid=295 comm="syz-executor122" path="/root/syzkaller.IwjKPm/0/file1/bus" dev="loop0" ino=18 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 304 ./strace-static-x86_64: Process 304 attached [pid 304] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 304] chdir("./1") = 0 [pid 304] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 304] setpgid(0, 0) = 0 [pid 304] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 304] write(3, "1000", 4) = 4 [pid 304] close(3) = 0 [pid 304] symlink("/dev/binderfs", "./binderfs") = 0 [pid 304] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 304] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 304] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[305], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 305 [pid 304] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 305 attached [pid 305] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 305] memfd_create("syzkaller", 0) = 3 [pid 305] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 305] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 305] munmap(0x7fa77410f000, 262144) = 0 [pid 305] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 305] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 305] close(3) = 0 [pid 305] mkdir("./file1", 0777) = 0 [ 22.114684][ T8] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:0: Invalid inode table block 0 in block_group 0 [ 22.128361][ T293] EXT4-fs (loop0): unmounting filesystem. [ 22.147340][ T305] loop0: detected capacity change from 0 to 512 [ 22.159354][ T305] EXT4-fs (loop0): 1 orphan inode deleted [pid 305] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 305] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 305] chdir("./file1") = 0 [pid 305] ioctl(4, LOOP_CLR_FD) = 0 [pid 305] close(4) = 0 [pid 305] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 304] <... futex resumed>) = 0 [pid 305] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000 [pid 304] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 305] <... open resumed>) = 4 [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 305] <... futex resumed>) = 1 [pid 304] <... futex resumed>) = 0 [pid 305] fallocate(4, 0, 35143, 7 [pid 304] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 305] <... fallocate resumed>) = 0 [pid 304] <... mmap resumed>) = 0x7fa77412e000 [pid 304] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE [pid 305] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... mprotect resumed>) = 0 [pid 305] <... futex resumed>) = 0 [pid 304] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID [pid 305] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 304] <... clone resumed>, parent_tid=[308], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 308 [pid 304] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 308 attached [pid 308] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 308] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 308] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 304] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 305] <... futex resumed>) = 0 [pid 304] <... futex resumed>) = 1 [pid 305] sendmmsg(-1, [pid 304] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... sendmmsg resumed>[{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 305] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 304] <... futex resumed>) = 0 [pid 305] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 304] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 305] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 304] <... futex resumed>) = 0 [pid 305] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 304] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... open resumed>) = 5 [pid 305] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 304] <... futex resumed>) = 0 [pid 305] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 304] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 304] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 305] <... write resumed>) = 262144 [pid 305] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 304] <... futex resumed>) = 0 [pid 304] exit_group(0) = ? [pid 308] <... futex resumed>) = ? [pid 305] <... futex resumed>) = ? [pid 305] +++ exited with 0 +++ [pid 308] +++ exited with 0 +++ [pid 304] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=304, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./1/binderfs") = 0 [ 22.164966][ T305] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 22.174075][ T305] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/1/file1 supports timestamps until 2038 (0x7fffffff) umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 309 ./strace-static-x86_64: Process 309 attached [pid 309] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 309] chdir("./2") = 0 [pid 309] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 309] setpgid(0, 0) = 0 [pid 309] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 309] write(3, "1000", 4) = 4 [pid 309] close(3) = 0 [pid 309] symlink("/dev/binderfs", "./binderfs") = 0 [pid 309] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 309] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 309] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[310], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 310 [pid 309] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 310 attached [pid 310] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 310] memfd_create("syzkaller", 0) = 3 [pid 310] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 310] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 310] munmap(0x7fa77410f000, 262144) = 0 [pid 310] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 310] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 310] close(3) = 0 [pid 310] mkdir("./file1", 0777) = 0 [ 22.208604][ T301] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:3: Invalid inode table block 0 in block_group 0 [ 22.221816][ T293] EXT4-fs (loop0): unmounting filesystem. [ 22.240316][ T310] loop0: detected capacity change from 0 to 512 [pid 310] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 310] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 310] chdir("./file1") = 0 [pid 310] ioctl(4, LOOP_CLR_FD) = 0 [pid 310] close(4) = 0 [pid 310] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 309] <... futex resumed>) = 0 [pid 309] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 310] <... futex resumed>) = 1 [pid 310] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 310] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 309] <... futex resumed>) = 0 [pid 309] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 309] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 309] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[313], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 313 [pid 309] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 310] <... futex resumed>) = 1 [pid 310] fallocate(4, 0, 35143, 7) = 0 [pid 310] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 310] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 313 attached [pid 313] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 313] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 313] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 309] <... futex resumed>) = 0 [pid 309] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 309] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 310] <... futex resumed>) = 0 [pid 310] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 310] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 309] <... futex resumed>) = 0 [pid 309] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 310] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 313] <... futex resumed>) = 1 [pid 310] <... open resumed>) = 5 [pid 310] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 309] <... futex resumed>) = 0 [pid 309] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 309] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 310] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 313] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 310] <... write resumed>) = 262144 [pid 310] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 309] <... futex resumed>) = 0 [pid 309] exit_group(0) = ? [pid 310] <... futex resumed>) = ? [pid 310] +++ exited with 0 +++ [pid 313] <... futex resumed>) = ? [pid 313] +++ exited with 0 +++ [pid 309] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=309, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- [ 22.259096][ T310] EXT4-fs (loop0): 1 orphan inode deleted [ 22.265337][ T310] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 22.274451][ T310] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/2/file1 supports timestamps until 2038 (0x7fffffff) restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./2/binderfs") = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./2/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 314 ./strace-static-x86_64: Process 314 attached [pid 314] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 314] chdir("./3") = 0 [pid 314] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 314] setpgid(0, 0) = 0 [pid 314] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 314] write(3, "1000", 4) = 4 [pid 314] close(3) = 0 [pid 314] symlink("/dev/binderfs", "./binderfs") = 0 [pid 314] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 314] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 314] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 315 attached , parent_tid=[315], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 315 [pid 314] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 315] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 315] memfd_create("syzkaller", 0) = 3 [pid 315] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 315] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 315] munmap(0x7fa77410f000, 262144) = 0 [pid 315] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 22.298914][ T10] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:1: Invalid inode table block 0 in block_group 0 [ 22.313817][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 315] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 315] close(3) = 0 [pid 315] mkdir("./file1", 0777) = 0 [pid 315] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 315] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 315] chdir("./file1") = 0 [pid 315] ioctl(4, LOOP_CLR_FD) = 0 [pid 315] close(4) = 0 [pid 315] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... futex resumed>) = 1 [pid 315] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 315] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 314] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 314] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[318], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 318 [pid 314] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... futex resumed>) = 1 [pid 315] fallocate(4, 0, 35143, 7) = 0 [pid 315] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 315] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 318 attached [pid 318] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 318] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 318] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] <... futex resumed>) = 0 [pid 315] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 315] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 318] <... futex resumed>) = 1 [pid 315] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 314] <... futex resumed>) = 0 [pid 314] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 314] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 315] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 318] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 315] <... write resumed>) = 262144 [pid 315] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 314] <... futex resumed>) = 0 [pid 314] exit_group(0) = ? [pid 318] <... futex resumed>) = ? [pid 315] <... futex resumed>) = ? [pid 318] +++ exited with 0 +++ [pid 315] +++ exited with 0 +++ [pid 314] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=314, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./3/binderfs") = 0 [ 22.351889][ T315] loop0: detected capacity change from 0 to 512 [ 22.368641][ T315] EXT4-fs (loop0): 1 orphan inode deleted [ 22.374235][ T315] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 22.383212][ T315] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/3/file1 supports timestamps until 2038 (0x7fffffff) umount2("./3/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./3/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./3/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./3/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 319 attached , child_tidptr=0x5555556ca5d0) = 319 [pid 319] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 319] chdir("./4") = 0 [pid 319] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 319] setpgid(0, 0) = 0 [pid 319] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 319] write(3, "1000", 4) = 4 [pid 319] close(3) = 0 [pid 319] symlink("/dev/binderfs", "./binderfs") = 0 [pid 319] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 319] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 319] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[320], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 320 [pid 319] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 320 attached [pid 320] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 320] memfd_create("syzkaller", 0) = 3 [pid 320] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [ 22.408945][ T10] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:1: Invalid inode table block 0 in block_group 0 [ 22.422744][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 320] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 320] munmap(0x7fa77410f000, 262144) = 0 [pid 320] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 320] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 320] close(3) = 0 [pid 320] mkdir("./file1", 0777) = 0 [pid 320] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 320] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 320] chdir("./file1") = 0 [pid 320] ioctl(4, LOOP_CLR_FD) = 0 [pid 320] close(4) = 0 [pid 320] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 320] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 320] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 319] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 319] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[324], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 324 [pid 319] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 320] <... futex resumed>) = 1 [pid 320] fallocate(4, 0, 35143, 7) = 0 [pid 320] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 320] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 324 attached [pid 324] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 324] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 324] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 319] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 320] <... futex resumed>) = 0 [pid 320] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 320] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 320] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 320] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 319] <... futex resumed>) = 0 [pid 319] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 319] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 320] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 324] <... futex resumed>) = 1 [pid 324] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 320] <... write resumed>) = 262144 [pid 320] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 319] <... futex resumed>) = 0 [pid 319] exit_group(0) = ? [pid 320] <... futex resumed>) = ? [pid 320] +++ exited with 0 +++ [pid 324] <... futex resumed>) = ? [pid 324] +++ exited with 0 +++ [pid 319] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=319, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- [ 22.473008][ T320] loop0: detected capacity change from 0 to 512 [ 22.488907][ T320] EXT4-fs (loop0): 1 orphan inode deleted [ 22.494686][ T320] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 22.504099][ T320] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/4/file1 supports timestamps until 2038 (0x7fffffff) restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./4/binderfs") = 0 umount2("./4/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./4/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./4/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./4/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 325 ./strace-static-x86_64: Process 325 attached [pid 325] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 325] chdir("./5") = 0 [pid 325] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 325] setpgid(0, 0) = 0 [pid 325] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 325] write(3, "1000", 4) = 4 [pid 325] close(3) = 0 [pid 325] symlink("/dev/binderfs", "./binderfs") = 0 [pid 325] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 325] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 325] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[326], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 326 [pid 325] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 326 attached [pid 326] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 326] memfd_create("syzkaller", 0) = 3 [pid 326] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 326] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 326] munmap(0x7fa77410f000, 262144) = 0 [pid 326] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 22.536117][ T10] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:1: Invalid inode table block 0 in block_group 0 [ 22.549599][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 326] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 326] close(3) = 0 [pid 326] mkdir("./file1", 0777) = 0 [pid 326] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 326] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 326] chdir("./file1") = 0 [pid 326] ioctl(4, LOOP_CLR_FD) = 0 [pid 326] close(4) = 0 [pid 326] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 325] <... futex resumed>) = 0 [pid 325] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] <... futex resumed>) = 1 [pid 326] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 326] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 325] <... futex resumed>) = 0 [pid 325] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 325] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 325] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[329], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 329 [pid 325] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] <... futex resumed>) = 1 [pid 326] fallocate(4, 0, 35143, 7) = 0 [pid 326] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 326] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 329 attached [pid 329] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 329] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 329] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 325] <... futex resumed>) = 0 [pid 325] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 325] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] <... futex resumed>) = 0 [pid 326] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 326] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 325] <... futex resumed>) = 0 [pid 325] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] <... futex resumed>) = 1 [pid 326] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 326] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 325] <... futex resumed>) = 0 [pid 325] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 325] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 326] <... futex resumed>) = 1 [pid 329] <... futex resumed>) = 1 [pid 326] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 329] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 326] <... write resumed>) = 262144 [pid 326] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 325] <... futex resumed>) = 0 [pid 325] exit_group(0) = ? [pid 326] <... futex resumed>) = ? [pid 326] +++ exited with 0 +++ [pid 329] <... futex resumed>) = ? [pid 329] +++ exited with 0 +++ [pid 325] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=325, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./5/binderfs") = 0 [ 22.577770][ T326] loop0: detected capacity change from 0 to 512 [ 22.588546][ T326] EXT4-fs (loop0): 1 orphan inode deleted [ 22.594081][ T326] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 22.603195][ T326] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/5/file1 supports timestamps until 2038 (0x7fffffff) umount2("./5/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./5/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./5/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./5/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 330 ./strace-static-x86_64: Process 330 attached [pid 330] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 330] chdir("./6") = 0 [pid 330] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 330] setpgid(0, 0) = 0 [pid 330] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 330] write(3, "1000", 4) = 4 [pid 330] close(3) = 0 [pid 330] symlink("/dev/binderfs", "./binderfs") = 0 [pid 330] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 330] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 330] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[331], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 331 [pid 330] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 331 attached [pid 331] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 331] memfd_create("syzkaller", 0) = 3 [pid 331] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 331] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 331] munmap(0x7fa77410f000, 262144) = 0 [pid 331] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 331] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 331] close(3) = 0 [pid 331] mkdir("./file1", 0777) = 0 [ 22.627473][ T10] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:1: Invalid inode table block 0 in block_group 0 [ 22.640685][ T293] EXT4-fs (loop0): unmounting filesystem. [ 22.659240][ T331] loop0: detected capacity change from 0 to 512 [pid 331] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 331] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 331] chdir("./file1") = 0 [pid 331] ioctl(4, LOOP_CLR_FD) = 0 [pid 331] close(4) = 0 [pid 331] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... futex resumed>) = 0 [pid 330] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 331] <... futex resumed>) = 1 [pid 331] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 331] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... futex resumed>) = 0 [pid 330] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 330] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 330] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[334], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 334 [pid 330] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 331] <... futex resumed>) = 1 ./strace-static-x86_64: Process 334 attached [pid 334] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 331] fallocate(4, 0, 35143, 7) = 0 [pid 331] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 331] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 334] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 334] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 330] <... futex resumed>) = 0 [pid 330] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 330] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 331] <... futex resumed>) = 0 [pid 331] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 331] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 334] <... futex resumed>) = 1 [pid 331] <... futex resumed>) = 1 [pid 330] <... futex resumed>) = 0 [pid 330] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 331] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 330] <... futex resumed>) = 0 [pid 331] <... open resumed>) = 5 [pid 330] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 334] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 331] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 330] <... futex resumed>) = 0 [pid 331] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 330] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 330] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 331] <... write resumed>) = 262144 [pid 331] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 330] <... futex resumed>) = 0 [pid 330] exit_group(0) = ? [pid 334] <... futex resumed>) = ? [pid 331] +++ exited with 0 +++ [ 22.678920][ T331] EXT4-fs (loop0): 1 orphan inode deleted [ 22.684672][ T331] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 22.693583][ T331] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/6/file1 supports timestamps until 2038 (0x7fffffff) [pid 334] +++ exited with 0 +++ [pid 330] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=330, si_uid=0, si_status=0, si_utime=1, si_stime=3} --- umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./6/binderfs") = 0 umount2("./6/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./6/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./6/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./6/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./6/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 335 ./strace-static-x86_64: Process 335 attached [pid 335] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 335] chdir("./7") = 0 [pid 335] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 335] setpgid(0, 0) = 0 [pid 335] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 335] write(3, "1000", 4) = 4 [pid 335] close(3) = 0 [pid 335] symlink("/dev/binderfs", "./binderfs") = 0 [pid 335] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 335] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 335] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 335] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 336 attached , parent_tid=[336], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 336 [pid 336] set_robust_list(0x7fa77c52f9e0, 24 [pid 335] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 336] <... set_robust_list resumed>) = 0 [pid 335] <... futex resumed>) = 0 [pid 335] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 336] memfd_create("syzkaller", 0) = 3 [pid 336] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 336] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 336] munmap(0x7fa77410f000, 262144) = 0 [pid 336] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 336] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 336] close(3) = 0 [pid 336] mkdir("./file1", 0777) = 0 [ 22.721093][ T43] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:2: Invalid inode table block 0 in block_group 0 [ 22.734619][ T293] EXT4-fs (loop0): unmounting filesystem. [ 22.762676][ T336] loop0: detected capacity change from 0 to 512 [pid 336] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 336] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 336] chdir("./file1") = 0 [pid 336] ioctl(4, LOOP_CLR_FD) = 0 [pid 336] close(4) = 0 [pid 336] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 335] <... futex resumed>) = 0 [pid 335] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 335] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 336] <... futex resumed>) = 1 [pid 336] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 336] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 335] <... futex resumed>) = 0 [pid 335] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 335] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 335] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 335] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 335] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[339], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 339 [pid 335] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 335] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 336] <... futex resumed>) = 1 [pid 336] fallocate(4, 0, 35143, 7) = 0 [pid 336] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 336] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 339 attached [pid 339] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 339] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 339] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 335] <... futex resumed>) = 0 [pid 335] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 335] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 336] <... futex resumed>) = 0 [pid 336] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 336] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 335] <... futex resumed>) = 0 [pid 335] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 335] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 336] <... futex resumed>) = 1 [pid 339] <... futex resumed>) = 1 [pid 336] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 339] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 336] <... open resumed>) = 5 [pid 336] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 335] <... futex resumed>) = 0 [pid 336] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 335] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 336] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 335] <... futex resumed>) = 0 [pid 336] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 335] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 336] <... write resumed>) = 262144 [pid 336] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 335] <... futex resumed>) = 0 [pid 335] exit_group(0) = ? [pid 339] <... futex resumed>) = ? [pid 339] +++ exited with 0 +++ [pid 336] <... futex resumed>) = ? [pid 336] +++ exited with 0 +++ [pid 335] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=335, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./7/binderfs") = 0 [ 22.778405][ T336] EXT4-fs (loop0): 1 orphan inode deleted [ 22.783938][ T336] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 22.793451][ T336] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/7/file1 supports timestamps until 2038 (0x7fffffff) umount2("./7/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./7/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./7/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./7/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./7/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 340 ./strace-static-x86_64: Process 340 attached [pid 340] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 340] chdir("./8") = 0 [pid 340] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 340] setpgid(0, 0) = 0 [pid 340] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 340] write(3, "1000", 4) = 4 [pid 340] close(3) = 0 [pid 340] symlink("/dev/binderfs", "./binderfs") = 0 [pid 340] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 340] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 340] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 340] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[341], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 341 [pid 340] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 340] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 341 attached [pid 341] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 341] memfd_create("syzkaller", 0) = 3 [pid 341] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 341] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 341] munmap(0x7fa77410f000, 262144) = 0 [pid 341] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 22.830413][ T43] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:2: Invalid inode table block 0 in block_group 0 [ 22.843754][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 341] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 341] close(3) = 0 [pid 341] mkdir("./file1", 0777) = 0 [pid 341] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 341] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 341] chdir("./file1") = 0 [pid 341] ioctl(4, LOOP_CLR_FD) = 0 [pid 341] close(4) = 0 [pid 341] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 340] <... futex resumed>) = 0 [pid 340] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 340] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 341] <... futex resumed>) = 1 [pid 341] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 341] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 340] <... futex resumed>) = 0 [pid 340] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 340] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 340] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 340] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 340] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[344], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 344 [pid 340] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 340] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 341] <... futex resumed>) = 1 [pid 341] fallocate(4, 0, 35143, 7./strace-static-x86_64: Process 344 attached ) = 0 [pid 341] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 341] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 344] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 344] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 344] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 344] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 340] <... futex resumed>) = 0 [pid 340] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 341] <... futex resumed>) = 0 [pid 340] <... futex resumed>) = 1 [pid 340] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 341] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 341] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 340] <... futex resumed>) = 0 [pid 340] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 340] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 341] <... futex resumed>) = 1 [pid 341] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 341] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 340] <... futex resumed>) = 0 [pid 340] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 340] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 341] <... futex resumed>) = 1 [pid 341] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 341] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 340] <... futex resumed>) = 0 [pid 340] exit_group(0) = ? [pid 341] <... futex resumed>) = ? [pid 344] <... futex resumed>) = ? [pid 341] +++ exited with 0 +++ [pid 344] +++ exited with 0 +++ [pid 340] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=340, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./8", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./8/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./8/binderfs") = 0 [ 22.887298][ T341] loop0: detected capacity change from 0 to 512 [ 22.898697][ T341] EXT4-fs (loop0): 1 orphan inode deleted [ 22.904331][ T341] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 22.913148][ T341] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/8/file1 supports timestamps until 2038 (0x7fffffff) umount2("./8/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./8/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./8/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./8/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./8/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./8") = 0 mkdir("./9", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 345 ./strace-static-x86_64: Process 345 attached [pid 345] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 345] chdir("./9") = 0 [pid 345] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 345] setpgid(0, 0) = 0 [pid 345] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 345] write(3, "1000", 4) = 4 [pid 345] close(3) = 0 [pid 345] symlink("/dev/binderfs", "./binderfs") = 0 [pid 345] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 345] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 345] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 345] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 346 attached , parent_tid=[346], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 346 [pid 345] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 345] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 346] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 346] memfd_create("syzkaller", 0) = 3 [pid 346] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 346] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 346] munmap(0x7fa77410f000, 262144) = 0 [pid 346] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 22.941093][ T43] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:2: Invalid inode table block 0 in block_group 0 [ 22.954348][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 346] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 346] close(3) = 0 [pid 346] mkdir("./file1", 0777) = 0 [pid 346] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 346] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 346] chdir("./file1") = 0 [pid 346] ioctl(4, LOOP_CLR_FD) = 0 [pid 346] close(4) = 0 [pid 346] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 345] <... futex resumed>) = 0 [pid 345] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 345] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 346] <... futex resumed>) = 1 [pid 346] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 346] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 345] <... futex resumed>) = 0 [pid 345] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 345] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 345] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 345] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 345] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[349], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 349 [pid 345] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 345] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 346] <... futex resumed>) = 1 [pid 346] fallocate(4, 0, 35143, 7) = 0 [pid 346] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 346] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 349 attached [pid 349] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 349] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 349] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 345] <... futex resumed>) = 0 [pid 349] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 345] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 346] <... futex resumed>) = 0 [pid 345] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 346] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 346] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 345] <... futex resumed>) = 0 [pid 346] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 345] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 346] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 345] <... futex resumed>) = 0 [pid 346] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 345] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 346] <... open resumed>) = 5 [pid 346] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 345] <... futex resumed>) = 0 [pid 346] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 345] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 346] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 345] <... futex resumed>) = 0 [pid 346] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 345] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 346] <... write resumed>) = 262144 [pid 346] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 345] <... futex resumed>) = 0 [pid 345] exit_group(0 [pid 349] <... futex resumed>) = ? [pid 345] <... exit_group resumed>) = ? [pid 349] +++ exited with 0 +++ [pid 346] +++ exited with 0 +++ [pid 345] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=345, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./9", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./9/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./9/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./9/binderfs") = 0 [ 22.997412][ T346] loop0: detected capacity change from 0 to 512 [ 23.008631][ T346] EXT4-fs (loop0): 1 orphan inode deleted [ 23.014165][ T346] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 23.022947][ T346] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/9/file1 supports timestamps until 2038 (0x7fffffff) umount2("./9/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./9/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./9/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./9/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./9/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./9") = 0 mkdir("./10", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 350 ./strace-static-x86_64: Process 350 attached [pid 350] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 350] chdir("./10") = 0 [pid 350] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 350] setpgid(0, 0) = 0 [pid 350] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 350] write(3, "1000", 4) = 4 [pid 350] close(3) = 0 [pid 350] symlink("/dev/binderfs", "./binderfs") = 0 [pid 350] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 350] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 350] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 350] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 351 attached , parent_tid=[351], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 351 [pid 350] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 350] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 351] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 351] memfd_create("syzkaller", 0) = 3 [pid 351] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 351] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 351] munmap(0x7fa77410f000, 262144) = 0 [pid 351] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 23.057947][ T43] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:2: Invalid inode table block 0 in block_group 0 [ 23.071169][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 351] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 351] close(3) = 0 [pid 351] mkdir("./file1", 0777) = 0 [pid 351] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 351] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 351] chdir("./file1") = 0 [pid 351] ioctl(4, LOOP_CLR_FD) = 0 [pid 351] close(4) = 0 [pid 351] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 351] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 350] <... futex resumed>) = 0 [pid 350] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 350] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] <... futex resumed>) = 0 [pid 351] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 351] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 350] <... futex resumed>) = 0 [pid 350] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 351] fallocate(4, 0, 35143, 7 [pid 350] <... futex resumed>) = 0 [pid 350] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 350] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 350] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 350] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[354], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 354 [pid 350] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 350] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] <... fallocate resumed>) = 0 [pid 351] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 351] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 354 attached [pid 354] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 354] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 354] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 350] <... futex resumed>) = 0 [pid 354] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 350] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 350] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] <... futex resumed>) = 0 [pid 351] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 351] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 350] <... futex resumed>) = 0 [pid 351] <... futex resumed>) = 1 [pid 350] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 350] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 351] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 350] <... futex resumed>) = 0 [pid 351] <... futex resumed>) = 1 [pid 350] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 350] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 351] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 351] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 350] <... futex resumed>) = 0 [pid 351] <... futex resumed>) = 1 [pid 350] exit_group(0) = ? [pid 354] <... futex resumed>) = ? [pid 354] +++ exited with 0 +++ [pid 351] +++ exited with 0 +++ [pid 350] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=350, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- umount2("./10", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./10/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./10/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./10/binderfs") = 0 [ 23.114856][ T351] loop0: detected capacity change from 0 to 512 [ 23.128322][ T351] EXT4-fs (loop0): 1 orphan inode deleted [ 23.134035][ T351] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 23.143046][ T351] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/10/file1 supports timestamps until 2038 (0x7fffffff) umount2("./10/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./10/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./10/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./10/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./10/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./10") = 0 mkdir("./11", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 [ 23.187937][ T301] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:3: Invalid inode table block 0 in block_group 0 [ 23.202497][ T293] EXT4-fs (loop0): unmounting filesystem. clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 355 attached [pid 355] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 355] chdir("./11") = 0 [pid 355] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 355] setpgid(0, 0) = 0 [pid 355] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 355] write(3, "1000", 4) = 4 [pid 355] close(3) = 0 [pid 355] symlink("/dev/binderfs", "./binderfs") = 0 [pid 355] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 355] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 355] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 355] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[356], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 356 [pid 355] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 355] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 356 attached [pid 356] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 356] memfd_create("syzkaller", 0) = 3 [pid 356] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 356] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 356] munmap(0x7fa77410f000, 262144) = 0 [pid 356] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 356] ioctl(4, LOOP_SET_FD, 3 [pid 293] <... clone resumed>, child_tidptr=0x5555556ca5d0) = 355 [pid 356] <... ioctl resumed>) = 0 [pid 356] close(3) = 0 [pid 356] mkdir("./file1", 0777) = 0 [pid 356] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 356] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 356] chdir("./file1") = 0 [pid 356] ioctl(4, LOOP_CLR_FD) = 0 [pid 356] close(4) = 0 [pid 356] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 355] <... futex resumed>) = 0 [pid 355] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 355] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 356] <... futex resumed>) = 1 [pid 356] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 356] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 355] <... futex resumed>) = 0 [pid 355] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 355] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 355] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 355] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 355] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[359], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 359 [pid 355] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 359 attached [pid 356] <... futex resumed>) = 1 [pid 355] <... futex resumed>) = 0 [pid 355] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 359] set_robust_list(0x7fa77414e9e0, 24 [pid 356] fallocate(4, 0, 35143, 7 [pid 359] <... set_robust_list resumed>) = 0 [pid 356] <... fallocate resumed>) = 0 [pid 359] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 359] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 355] <... futex resumed>) = 0 [pid 355] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 355] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 359] <... futex resumed>) = 1 [pid 359] sendmmsg(-1, [pid 356] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 359] <... sendmmsg resumed>[{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 356] <... futex resumed>) = 0 [pid 359] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 356] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 355] <... futex resumed>) = 0 [pid 355] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 355] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 359] <... futex resumed>) = 1 [pid 356] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 359] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 356] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 356] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 355] <... futex resumed>) = 0 [pid 355] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 355] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 356] <... futex resumed>) = 1 [pid 356] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 356] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 355] <... futex resumed>) = 0 [pid 355] exit_group(0) = ? [pid 359] <... futex resumed>) = ? [pid 359] +++ exited with 0 +++ [pid 356] <... futex resumed>) = ? [pid 356] +++ exited with 0 +++ [pid 355] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=355, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./11", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./11/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./11/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./11/binderfs") = 0 [ 23.244931][ T356] loop0: detected capacity change from 0 to 512 [ 23.258608][ T356] EXT4-fs (loop0): 1 orphan inode deleted [ 23.264143][ T356] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 23.273209][ T356] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/11/file1 supports timestamps until 2038 (0x7fffffff) umount2("./11/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./11/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./11/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./11/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./11/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./11") = 0 mkdir("./12", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 360 ./strace-static-x86_64: Process 360 attached [pid 360] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 360] chdir("./12") = 0 [pid 360] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 360] setpgid(0, 0) = 0 [pid 360] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 360] write(3, "1000", 4) = 4 [pid 360] close(3) = 0 [pid 360] symlink("/dev/binderfs", "./binderfs") = 0 [pid 360] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 360] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 360] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 360] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[361], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 361 ./strace-static-x86_64: Process 361 attached [pid 361] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 361] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 360] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 361] <... futex resumed>) = 0 [pid 360] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 361] memfd_create("syzkaller", 0) = 3 [pid 361] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 361] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 361] munmap(0x7fa77410f000, 262144) = 0 [pid 361] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 23.300806][ T43] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:2: Invalid inode table block 0 in block_group 0 [ 23.314118][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 361] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 361] close(3) = 0 [pid 361] mkdir("./file1", 0777) = 0 [ 23.359538][ T361] loop0: detected capacity change from 0 to 512 [ 23.389179][ T361] EXT4-fs (loop0): 1 orphan inode deleted [ 23.394908][ T361] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [pid 361] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 361] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 361] chdir("./file1") = 0 [pid 361] ioctl(4, LOOP_CLR_FD) = 0 [pid 361] close(4) = 0 [pid 361] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 360] <... futex resumed>) = 0 [pid 360] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 360] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 361] <... futex resumed>) = 1 [pid 361] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 361] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 360] <... futex resumed>) = 0 [pid 360] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 360] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 360] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 360] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 360] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[364], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 364 [pid 360] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 360] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 361] <... futex resumed>) = 1 [pid 361] fallocate(4, 0, 35143, 7) = 0 [pid 361] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 361] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 364 attached [pid 364] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 364] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 364] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 360] <... futex resumed>) = 0 [pid 360] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 360] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 361] <... futex resumed>) = 0 [pid 361] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 361] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 360] <... futex resumed>) = 0 [pid 360] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 360] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 361] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 361] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 364] <... futex resumed>) = 1 [pid 361] <... futex resumed>) = 1 [pid 360] <... futex resumed>) = 0 [pid 360] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 360] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 361] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 364] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 361] <... write resumed>) = 262144 [pid 361] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 360] <... futex resumed>) = 0 [pid 360] exit_group(0) = ? [pid 361] <... futex resumed>) = ? [pid 361] +++ exited with 0 +++ [pid 364] <... futex resumed>) = ? [pid 364] +++ exited with 0 +++ [pid 360] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=360, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./12", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./12/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./12/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./12/binderfs") = 0 umount2("./12/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./12/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./12/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./12/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./12/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./12") = 0 mkdir("./13", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 [ 23.403710][ T361] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/12/file1 supports timestamps until 2038 (0x7fffffff) [ 23.438044][ T43] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:2: Invalid inode table block 0 in block_group 0 [ 23.451375][ T293] EXT4-fs (loop0): unmounting filesystem. clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 365 ./strace-static-x86_64: Process 365 attached [pid 365] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 365] chdir("./13") = 0 [pid 365] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 365] setpgid(0, 0) = 0 [pid 365] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 365] write(3, "1000", 4) = 4 [pid 365] close(3) = 0 [pid 365] symlink("/dev/binderfs", "./binderfs") = 0 [pid 365] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 365] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 365] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 365] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[366], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 366 [pid 365] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 365] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 366 attached [pid 366] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 366] memfd_create("syzkaller", 0) = 3 [pid 366] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 366] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 366] munmap(0x7fa77410f000, 262144) = 0 [pid 366] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 366] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 366] close(3) = 0 [pid 366] mkdir("./file1", 0777) = 0 [pid 366] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 366] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 366] chdir("./file1") = 0 [pid 366] ioctl(4, LOOP_CLR_FD) = 0 [pid 366] close(4) = 0 [pid 366] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 366] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 365] <... futex resumed>) = 0 [pid 365] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 365] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 366] <... futex resumed>) = 0 [pid 366] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 366] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 365] <... futex resumed>) = 0 [pid 365] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 366] fallocate(4, 0, 35143, 7 [pid 365] <... futex resumed>) = 0 [pid 365] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 366] <... fallocate resumed>) = 0 [pid 365] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 366] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 365] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE [pid 366] <... futex resumed>) = 0 [pid 365] <... mprotect resumed>) = 0 [pid 365] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID [pid 366] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 370 attached [pid 370] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 370] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 365] <... clone resumed>, parent_tid=[370], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 370 [pid 365] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 370] <... futex resumed>) = 0 [pid 370] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 365] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 370] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 365] <... futex resumed>) = 0 [pid 365] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 365] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 366] <... futex resumed>) = 0 [pid 366] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 366] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 365] <... futex resumed>) = 0 [pid 365] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 365] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 366] <... futex resumed>) = 1 [pid 366] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 366] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 365] <... futex resumed>) = 0 [pid 365] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 365] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 366] <... futex resumed>) = 1 [pid 366] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 370] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 366] <... write resumed>) = 262144 [pid 366] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 365] <... futex resumed>) = 0 [pid 365] exit_group(0) = ? [pid 370] <... futex resumed>) = ? [pid 370] +++ exited with 0 +++ [pid 366] +++ exited with 0 +++ [pid 365] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=365, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- umount2("./13", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./13/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./13/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./13/binderfs") = 0 [ 23.497381][ T366] loop0: detected capacity change from 0 to 512 [ 23.508831][ T366] EXT4-fs (loop0): 1 orphan inode deleted [ 23.514368][ T366] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 23.523277][ T366] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/13/file1 supports timestamps until 2038 (0x7fffffff) umount2("./13/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./13/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./13/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./13/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./13/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./13") = 0 mkdir("./14", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 371 ./strace-static-x86_64: Process 371 attached [pid 371] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 371] chdir("./14") = 0 [pid 371] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 371] setpgid(0, 0) = 0 [pid 371] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 371] write(3, "1000", 4) = 4 [pid 371] close(3) = 0 [pid 371] symlink("/dev/binderfs", "./binderfs") = 0 [pid 371] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 371] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 371] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 372 attached , parent_tid=[372], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 372 [pid 371] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 372] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 372] memfd_create("syzkaller", 0) = 3 [pid 372] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 372] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 372] munmap(0x7fa77410f000, 262144) = 0 [pid 372] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 23.555219][ T10] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:1: Invalid inode table block 0 in block_group 0 [ 23.568510][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 372] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 372] close(3) = 0 [pid 372] mkdir("./file1", 0777) = 0 [pid 372] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 372] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 372] chdir("./file1") = 0 [pid 372] ioctl(4, LOOP_CLR_FD) = 0 [pid 372] close(4) = 0 [pid 372] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 371] <... futex resumed>) = 0 [pid 372] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000 [pid 371] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... open resumed>) = 4 [pid 372] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 371] <... futex resumed>) = 0 [pid 372] fallocate(4, 0, 35143, 7 [pid 371] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 372] <... fallocate resumed>) = 0 [pid 371] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 372] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 371] <... mmap resumed>) = 0x7fa77412e000 [pid 372] <... futex resumed>) = 0 [pid 371] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE [pid 372] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 371] <... mprotect resumed>) = 0 [pid 371] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 375 attached [pid 375] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 375] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 371] <... clone resumed>, parent_tid=[375], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 375 [pid 371] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 375] <... futex resumed>) = 0 [pid 371] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 375] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 375] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 371] <... futex resumed>) = 0 [pid 375] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 371] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 371] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] <... futex resumed>) = 0 [pid 372] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 372] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 371] <... futex resumed>) = 0 [pid 371] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 372] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 371] <... futex resumed>) = 0 [pid 371] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 371] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 372] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 372] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 371] <... futex resumed>) = 0 [pid 372] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 371] exit_group(0 [pid 375] <... futex resumed>) = ? [pid 371] <... exit_group resumed>) = ? [pid 375] +++ exited with 0 +++ [pid 372] <... futex resumed>) = ? [pid 372] +++ exited with 0 +++ [pid 371] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=371, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./14", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./14/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./14/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 [ 23.608887][ T372] loop0: detected capacity change from 0 to 512 [ 23.629019][ T372] EXT4-fs (loop0): 1 orphan inode deleted [ 23.634562][ T372] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 23.643347][ T372] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/14/file1 supports timestamps until 2038 (0x7fffffff) unlink("./14/binderfs") = 0 umount2("./14/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./14/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./14/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./14/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./14/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./14") = 0 mkdir("./15", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 376 ./strace-static-x86_64: Process 376 attached [pid 376] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 376] chdir("./15") = 0 [pid 376] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 376] setpgid(0, 0) = 0 [pid 376] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 376] write(3, "1000", 4) = 4 [pid 376] close(3) = 0 [pid 376] symlink("/dev/binderfs", "./binderfs") = 0 [pid 376] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 376] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 376] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 376] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[377], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 377 [pid 376] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 376] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 377 attached [pid 377] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 377] memfd_create("syzkaller", 0) = 3 [pid 377] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 377] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 377] munmap(0x7fa77410f000, 262144) = 0 [pid 377] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 23.685170][ T10] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:1: Invalid inode table block 0 in block_group 0 [ 23.698497][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 377] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 377] close(3) = 0 [pid 377] mkdir("./file1", 0777) = 0 [pid 377] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 377] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 377] chdir("./file1") = 0 [pid 377] ioctl(4, LOOP_CLR_FD) = 0 [pid 377] close(4) = 0 [pid 377] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 376] <... futex resumed>) = 0 [pid 376] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 376] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 377] <... futex resumed>) = 1 [pid 377] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 377] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 376] <... futex resumed>) = 0 [pid 376] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 376] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 377] <... futex resumed>) = 1 [pid 376] <... futex resumed>) = 0 [pid 377] fallocate(4, 0, 35143, 7) = 0 [pid 377] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 377] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 376] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 376] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 376] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[380], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 380 [pid 376] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 376] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 380 attached [pid 380] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 380] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 380] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 376] <... futex resumed>) = 0 [pid 376] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 376] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 380] <... futex resumed>) = 1 [pid 377] <... futex resumed>) = 0 [pid 380] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 377] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 377] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 376] <... futex resumed>) = 0 [pid 376] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 376] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 377] <... futex resumed>) = 1 [pid 377] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 377] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 376] <... futex resumed>) = 0 [pid 377] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 376] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 376] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 377] <... futex resumed>) = 0 [pid 377] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 377] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 376] <... futex resumed>) = 0 [pid 376] exit_group(0) = ? [pid 377] <... futex resumed>) = ? [pid 377] +++ exited with 0 +++ [pid 380] <... futex resumed>) = ? [pid 380] +++ exited with 0 +++ [pid 376] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=376, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- [ 23.734021][ T377] loop0: detected capacity change from 0 to 512 [ 23.748855][ T377] EXT4-fs (loop0): 1 orphan inode deleted [ 23.754433][ T377] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 23.763460][ T377] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/15/file1 supports timestamps until 2038 (0x7fffffff) restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./15", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./15/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./15/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./15/binderfs") = 0 umount2("./15/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./15/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./15/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./15/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./15/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./15") = 0 mkdir("./16", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 381 attached [pid 381] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 381] chdir("./16") = 0 [pid 381] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 381] setpgid(0, 0) = 0 [pid 381] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 381] write(3, "1000", 4) = 4 [pid 381] close(3) = 0 [pid 381] symlink("/dev/binderfs", "./binderfs") = 0 [pid 381] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 381] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 381] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 381] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[382], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 382 [pid 381] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 381] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 382 attached [pid 382] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 382] memfd_create("syzkaller", 0) = 3 [pid 382] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 293] <... clone resumed>, child_tidptr=0x5555556ca5d0) = 381 [pid 382] <... mmap resumed>) = 0x7fa77410f000 [pid 382] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 382] munmap(0x7fa77410f000, 262144) = 0 [pid 382] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 23.788673][ T301] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:3: Invalid inode table block 0 in block_group 0 [ 23.801829][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 382] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 382] close(3) = 0 [pid 382] mkdir("./file1", 0777) = 0 [pid 382] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 382] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 382] chdir("./file1") = 0 [pid 382] ioctl(4, LOOP_CLR_FD) = 0 [pid 382] close(4) = 0 [pid 382] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 381] <... futex resumed>) = 0 [pid 381] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 381] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 382] <... futex resumed>) = 1 [pid 382] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 382] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 381] <... futex resumed>) = 0 [pid 381] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 381] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 381] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 381] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 381] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[385], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 385 [pid 381] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 381] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 382] <... futex resumed>) = 1 [pid 382] fallocate(4, 0, 35143, 7) = 0 [pid 382] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 382] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 385 attached [pid 385] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 385] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 385] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 381] <... futex resumed>) = 0 [pid 381] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 382] <... futex resumed>) = 0 [pid 381] <... futex resumed>) = 1 [pid 382] sendmmsg(-1, [pid 381] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 382] <... sendmmsg resumed>[{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 382] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 381] <... futex resumed>) = 0 [pid 385] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 381] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 382] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 381] <... futex resumed>) = 0 [pid 382] <... open resumed>) = 5 [pid 381] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 382] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 381] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 382] <... futex resumed>) = 0 [pid 381] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 381] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 382] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 382] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 381] <... futex resumed>) = 0 [pid 381] exit_group(0 [pid 382] <... futex resumed>) = 1 [pid 381] <... exit_group resumed>) = ? [pid 385] <... futex resumed>) = ? [pid 382] +++ exited with 0 +++ [pid 385] +++ exited with 0 +++ [pid 381] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=381, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./16", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./16/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./16/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./16/binderfs") = 0 [ 23.847996][ T382] loop0: detected capacity change from 0 to 512 [ 23.858626][ T382] EXT4-fs (loop0): 1 orphan inode deleted [ 23.864278][ T382] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 23.873095][ T382] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/16/file1 supports timestamps until 2038 (0x7fffffff) umount2("./16/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./16/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./16/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./16/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./16/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./16") = 0 mkdir("./17", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 386 ./strace-static-x86_64: Process 386 attached [pid 386] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 386] chdir("./17") = 0 [pid 386] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 386] setpgid(0, 0) = 0 [pid 386] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 386] write(3, "1000", 4) = 4 [pid 386] close(3) = 0 [pid 386] symlink("/dev/binderfs", "./binderfs") = 0 [pid 386] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 386] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 386] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 386] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[387], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 387 [pid 386] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 386] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 387 attached [pid 387] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 387] memfd_create("syzkaller", 0) = 3 [pid 387] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 387] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 387] munmap(0x7fa77410f000, 262144) = 0 [pid 387] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 387] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 387] close(3) = 0 [pid 387] mkdir("./file1", 0777) = 0 [ 23.919769][ T301] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:3: Invalid inode table block 0 in block_group 0 [ 23.933150][ T293] EXT4-fs (loop0): unmounting filesystem. [ 23.948766][ T387] loop0: detected capacity change from 0 to 512 [pid 387] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 387] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 387] chdir("./file1") = 0 [pid 387] ioctl(4, LOOP_CLR_FD) = 0 [pid 387] close(4) = 0 [pid 387] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 386] <... futex resumed>) = 0 [pid 386] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 386] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] <... futex resumed>) = 1 [pid 387] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 387] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 386] <... futex resumed>) = 0 [pid 386] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 386] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 386] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 386] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 386] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[390], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 390 [pid 386] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 386] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] <... futex resumed>) = 1 [pid 387] fallocate(4, 0, 35143, 7) = 0 [pid 387] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 387] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 390 attached [pid 390] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 390] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 390] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 386] <... futex resumed>) = 0 [pid 386] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 386] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] <... futex resumed>) = 0 [pid 390] <... futex resumed>) = 1 [pid 390] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 387] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 387] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 386] <... futex resumed>) = 0 [pid 386] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 386] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 387] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 386] <... futex resumed>) = 0 [pid 386] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 386] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 387] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 387] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 386] <... futex resumed>) = 0 [pid 386] exit_group(0) = ? [pid 390] <... futex resumed>) = ? [pid 387] <... futex resumed>) = ? [pid 387] +++ exited with 0 +++ [pid 390] +++ exited with 0 +++ [pid 386] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=386, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./17", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./17/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./17/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./17/binderfs") = 0 [ 23.968866][ T387] EXT4-fs (loop0): 1 orphan inode deleted [ 23.974456][ T387] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 23.983497][ T387] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/17/file1 supports timestamps until 2038 (0x7fffffff) umount2("./17/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./17/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./17/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./17/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./17/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./17") = 0 mkdir("./18", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 391 ./strace-static-x86_64: Process 391 attached [pid 391] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 391] chdir("./18") = 0 [pid 391] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 391] setpgid(0, 0) = 0 [pid 391] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 391] write(3, "1000", 4) = 4 [pid 391] close(3) = 0 [pid 391] symlink("/dev/binderfs", "./binderfs") = 0 [pid 391] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 391] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 391] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[392], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 392 [pid 391] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 392 attached [pid 392] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 392] memfd_create("syzkaller", 0) = 3 [pid 392] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 392] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 392] munmap(0x7fa77410f000, 262144) = 0 [pid 392] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 392] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 392] close(3) = 0 [pid 392] mkdir("./file1", 0777) = 0 [ 24.009022][ T301] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:3: Invalid inode table block 0 in block_group 0 [ 24.022251][ T293] EXT4-fs (loop0): unmounting filesystem. [ 24.058911][ T392] loop0: detected capacity change from 0 to 512 [pid 392] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 392] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 392] chdir("./file1") = 0 [pid 392] ioctl(4, LOOP_CLR_FD) = 0 [pid 392] close(4) = 0 [pid 392] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 392] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 391] <... futex resumed>) = 0 [pid 391] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 391] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] <... futex resumed>) = 0 [pid 392] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 392] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 391] <... futex resumed>) = 0 [pid 391] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 391] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 391] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[395], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 395 [pid 391] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] <... futex resumed>) = 1 [pid 392] fallocate(4, 0, 35143, 7) = 0 ./strace-static-x86_64: Process 395 attached [pid 392] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 392] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 395] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 395] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 395] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 391] <... futex resumed>) = 0 [pid 391] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 391] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] <... futex resumed>) = 0 [pid 392] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 392] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 391] <... futex resumed>) = 0 [pid 391] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] <... futex resumed>) = 1 [pid 392] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 392] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 391] <... futex resumed>) = 0 [pid 391] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 391] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 392] <... futex resumed>) = 1 [pid 392] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 395] <... futex resumed>) = 1 [pid 395] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 392] <... write resumed>) = 262144 [pid 392] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 391] <... futex resumed>) = 0 [pid 391] exit_group(0) = ? [pid 395] <... futex resumed>) = ? [pid 392] +++ exited with 0 +++ [pid 395] +++ exited with 0 +++ [pid 391] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=391, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- umount2("./18", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./18/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./18/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./18/binderfs") = 0 [ 24.068519][ T392] EXT4-fs (loop0): 1 orphan inode deleted [ 24.074168][ T392] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.083039][ T392] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/18/file1 supports timestamps until 2038 (0x7fffffff) umount2("./18/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./18/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./18/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./18/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./18/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./18") = 0 mkdir("./19", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 396 ./strace-static-x86_64: Process 396 attached [pid 396] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 396] chdir("./19") = 0 [pid 396] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 396] setpgid(0, 0) = 0 [pid 396] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 396] write(3, "1000", 4) = 4 [pid 396] close(3) = 0 [pid 396] symlink("/dev/binderfs", "./binderfs") = 0 [pid 396] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 396] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 396] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 396] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 397 attached , parent_tid=[397], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 397 [pid 397] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 397] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 396] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 396] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 397] <... futex resumed>) = 0 [pid 397] memfd_create("syzkaller", 0) = 3 [pid 397] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 397] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 397] munmap(0x7fa77410f000, 262144) = 0 [pid 397] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 24.114964][ T301] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:3: Invalid inode table block 0 in block_group 0 [ 24.128073][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 397] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 397] close(3) = 0 [pid 397] mkdir("./file1", 0777) = 0 [pid 397] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 397] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 397] chdir("./file1") = 0 [pid 397] ioctl(4, LOOP_CLR_FD) = 0 [pid 397] close(4) = 0 [pid 397] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 397] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 396] <... futex resumed>) = 0 [pid 396] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 396] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 397] <... futex resumed>) = 0 [pid 397] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 397] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 396] <... futex resumed>) = 0 [pid 396] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 397] fallocate(4, 0, 35143, 7 [pid 396] <... futex resumed>) = 0 [pid 396] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 396] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 397] <... fallocate resumed>) = 0 [pid 396] <... mmap resumed>) = 0x7fa77412e000 [pid 397] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 396] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 397] <... futex resumed>) = 0 [pid 396] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 400 attached , parent_tid=[400], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 400 [pid 400] set_robust_list(0x7fa77414e9e0, 24 [pid 397] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 400] <... set_robust_list resumed>) = 0 [pid 396] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 400] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL [pid 396] <... futex resumed>) = 0 [pid 396] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 400] <... mount resumed>) = 0 [pid 400] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 396] <... futex resumed>) = 0 [pid 396] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 396] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 400] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 397] <... futex resumed>) = 0 [pid 397] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 397] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 396] <... futex resumed>) = 0 [pid 396] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 396] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 397] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 397] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 396] <... futex resumed>) = 0 [pid 396] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 397] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 396] <... futex resumed>) = 0 [pid 396] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 397] <... write resumed>) = 262144 [pid 397] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 396] <... futex resumed>) = 0 [pid 396] exit_group(0) = ? [pid 400] <... futex resumed>) = ? [pid 400] +++ exited with 0 +++ [pid 397] +++ exited with 0 +++ [pid 396] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=396, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./19", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./19/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./19/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./19/binderfs") = 0 [ 24.160865][ T397] loop0: detected capacity change from 0 to 512 [ 24.178556][ T397] EXT4-fs (loop0): 1 orphan inode deleted [ 24.184127][ T397] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.193230][ T397] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/19/file1 supports timestamps until 2038 (0x7fffffff) umount2("./19/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./19/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./19/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./19/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./19/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./19") = 0 mkdir("./20", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 401 ./strace-static-x86_64: Process 401 attached [pid 401] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 401] chdir("./20") = 0 [pid 401] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 401] setpgid(0, 0) = 0 [pid 401] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 401] write(3, "1000", 4) = 4 [pid 401] close(3) = 0 [pid 401] symlink("/dev/binderfs", "./binderfs") = 0 [pid 401] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 401] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 401] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 401] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[402], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 402 [pid 401] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 401] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 402 attached [pid 402] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 402] memfd_create("syzkaller", 0) = 3 [pid 402] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 402] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 402] munmap(0x7fa77410f000, 262144) = 0 [pid 402] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 24.229626][ T10] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:1: Invalid inode table block 0 in block_group 0 [ 24.242682][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 402] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 402] close(3) = 0 [pid 402] mkdir("./file1", 0777) = 0 [pid 402] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 402] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 402] chdir("./file1") = 0 [pid 402] ioctl(4, LOOP_CLR_FD) = 0 [pid 402] close(4) = 0 [pid 402] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 401] <... futex resumed>) = 0 [pid 402] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000 [pid 401] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 401] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 402] <... open resumed>) = 4 [pid 402] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 401] <... futex resumed>) = 0 [pid 402] fallocate(4, 0, 35143, 7 [pid 401] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 401] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 402] <... fallocate resumed>) = 0 [pid 402] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 401] <... futex resumed>) = 0 [pid 402] <... futex resumed>) = 0 [pid 401] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 402] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 401] <... mmap resumed>) = 0x7fa77412e000 [pid 401] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 401] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 405 attached [pid 405] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 405] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 401] <... clone resumed>, parent_tid=[405], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 405 [pid 401] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 401] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 405] <... futex resumed>) = 0 [pid 405] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 405] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 401] <... futex resumed>) = 0 [pid 401] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 405] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 401] <... futex resumed>) = 1 [pid 401] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 402] <... futex resumed>) = 0 [pid 402] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 402] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 401] <... futex resumed>) = 0 [pid 401] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 401] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 402] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 402] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 401] <... futex resumed>) = 0 [pid 401] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 401] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 402] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 402] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 401] <... futex resumed>) = 0 [pid 401] exit_group(0) = ? [pid 405] <... futex resumed>) = ? [pid 402] +++ exited with 0 +++ [ 24.283766][ T402] loop0: detected capacity change from 0 to 512 [ 24.298381][ T402] EXT4-fs (loop0): 1 orphan inode deleted [ 24.304029][ T402] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.312829][ T402] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/20/file1 supports timestamps until 2038 (0x7fffffff) [pid 405] +++ exited with 0 +++ [pid 401] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=401, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./20", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./20/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./20/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./20/binderfs") = 0 umount2("./20/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./20/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./20/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./20/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./20/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./20") = 0 mkdir("./21", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 406 attached , child_tidptr=0x5555556ca5d0) = 406 [pid 406] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 406] chdir("./21") = 0 [pid 406] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 406] setpgid(0, 0) = 0 [pid 406] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 406] write(3, "1000", 4) = 4 [pid 406] close(3) = 0 [pid 406] symlink("/dev/binderfs", "./binderfs") = 0 [pid 406] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 406] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 406] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 407 attached , parent_tid=[407], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 407 [pid 407] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 406] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 407] memfd_create("syzkaller", 0 [pid 406] <... futex resumed>) = 0 [pid 406] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 407] <... memfd_create resumed>) = 3 [pid 407] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 407] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 407] munmap(0x7fa77410f000, 262144) = 0 [pid 407] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 24.345338][ T10] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:1: Invalid inode table block 0 in block_group 0 [ 24.358803][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 407] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 407] close(3) = 0 [pid 407] mkdir("./file1", 0777) = 0 [pid 407] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 407] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 407] chdir("./file1") = 0 [pid 407] ioctl(4, LOOP_CLR_FD) = 0 [pid 407] close(4) = 0 [pid 407] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 406] <... futex resumed>) = 0 [pid 406] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 407] <... futex resumed>) = 1 [pid 407] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 407] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 406] <... futex resumed>) = 0 [pid 406] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 406] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 406] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 410 attached [pid 410] set_robust_list(0x7fa77414e9e0, 24 [pid 406] <... clone resumed>, parent_tid=[410], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 410 [pid 410] <... set_robust_list resumed>) = 0 [pid 406] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 410] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL [pid 406] <... futex resumed>) = 0 [pid 410] <... mount resumed>) = 0 [pid 406] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 407] <... futex resumed>) = 1 [pid 407] fallocate(4, 0, 35143, 7) = 0 [pid 407] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 407] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 410] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 410] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 406] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 406] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 407] <... futex resumed>) = 0 [pid 406] <... futex resumed>) = 1 [pid 407] sendmmsg(-1, [pid 406] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 407] <... sendmmsg resumed>[{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 407] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 407] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 406] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 406] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 406] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 407] <... futex resumed>) = 0 [pid 407] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 407] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 406] <... futex resumed>) = 0 [pid 406] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 406] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 407] <... futex resumed>) = 1 [pid 407] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 407] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 406] <... futex resumed>) = 0 [pid 406] exit_group(0) = ? [pid 407] <... futex resumed>) = ? [pid 407] +++ exited with 0 +++ [pid 410] <... futex resumed>) = ? [pid 410] +++ exited with 0 +++ [pid 406] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=406, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- [ 24.390622][ T407] loop0: detected capacity change from 0 to 512 [ 24.408769][ T407] EXT4-fs (loop0): 1 orphan inode deleted [ 24.414415][ T407] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.423151][ T407] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/21/file1 supports timestamps until 2038 (0x7fffffff) restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./21", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./21/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./21/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./21/binderfs") = 0 umount2("./21/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./21/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./21/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./21/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./21/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./21") = 0 mkdir("./22", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 411 ./strace-static-x86_64: Process 411 attached [pid 411] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 411] chdir("./22") = 0 [pid 411] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 411] setpgid(0, 0) = 0 [pid 411] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 411] write(3, "1000", 4) = 4 [pid 411] close(3) = 0 [pid 411] symlink("/dev/binderfs", "./binderfs") = 0 [pid 411] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 411] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 411] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 411] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 412 attached , parent_tid=[412], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 412 [pid 412] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 412] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 411] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 412] <... futex resumed>) = 0 [pid 411] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 412] memfd_create("syzkaller", 0) = 3 [pid 412] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 412] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 412] munmap(0x7fa77410f000, 262144) = 0 [pid 412] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 24.451189][ T301] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:3: Invalid inode table block 0 in block_group 0 [ 24.464220][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 412] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 412] close(3) = 0 [pid 412] mkdir("./file1", 0777) = 0 [ 24.509018][ T412] loop0: detected capacity change from 0 to 512 [ 24.538710][ T412] EXT4-fs (loop0): 1 orphan inode deleted [ 24.544372][ T412] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [pid 412] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 412] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 412] chdir("./file1") = 0 [pid 412] ioctl(4, LOOP_CLR_FD) = 0 [pid 412] close(4) = 0 [pid 412] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 411] <... futex resumed>) = 0 [pid 411] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 411] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 412] <... futex resumed>) = 1 [pid 412] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 412] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 411] <... futex resumed>) = 0 [pid 411] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 411] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 411] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 411] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 411] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 416 attached , parent_tid=[416], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 416 [pid 416] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 416] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 412] <... futex resumed>) = 1 [pid 411] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 412] fallocate(4, 0, 35143, 7 [pid 416] <... futex resumed>) = 0 [pid 411] <... futex resumed>) = 1 [pid 416] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL [pid 411] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 416] <... mount resumed>) = 0 [pid 412] <... fallocate resumed>) = 0 [pid 416] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 412] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 411] <... futex resumed>) = 0 [pid 416] <... futex resumed>) = 1 [pid 411] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 411] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 416] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 412] <... futex resumed>) = 1 [pid 411] <... futex resumed>) = 0 [pid 411] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 412] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 412] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 411] <... futex resumed>) = 0 [pid 411] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 411] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 412] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 412] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 411] <... futex resumed>) = 0 [pid 411] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 411] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 412] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 412] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 411] <... futex resumed>) = 0 [pid 411] exit_group(0) = ? [pid 416] <... futex resumed>) = ? [pid 416] +++ exited with 0 +++ [pid 412] +++ exited with 0 +++ [pid 411] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=411, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- umount2("./22", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./22/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./22/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./22/binderfs") = 0 umount2("./22/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./22/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./22/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./22/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./22/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./22") = 0 mkdir("./23", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 417 ./strace-static-x86_64: Process 417 attached [pid 417] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 417] chdir("./23") = 0 [pid 417] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 417] setpgid(0, 0) = 0 [pid 417] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 417] write(3, "1000", 4) = 4 [ 24.553198][ T412] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/22/file1 supports timestamps until 2038 (0x7fffffff) [ 24.583848][ T301] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:3: Invalid inode table block 0 in block_group 0 [ 24.597156][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 417] close(3) = 0 [pid 417] symlink("/dev/binderfs", "./binderfs") = 0 [pid 417] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 417] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 417] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 418 attached , parent_tid=[418], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 418 [pid 418] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 418] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 417] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 418] <... futex resumed>) = 0 [pid 418] memfd_create("syzkaller", 0) = 3 [pid 418] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 417] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 418] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 418] munmap(0x7fa77410f000, 262144) = 0 [pid 418] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 418] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 418] close(3) = 0 [pid 418] mkdir("./file1", 0777) = 0 [pid 418] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 418] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 418] chdir("./file1") = 0 [pid 418] ioctl(4, LOOP_CLR_FD) = 0 [pid 418] close(4) = 0 [pid 418] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 418] <... futex resumed>) = 1 [pid 418] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 418] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 417] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 417] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[421], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 421 [pid 417] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 418] <... futex resumed>) = 1 [pid 418] fallocate(4, 0, 35143, 7) = 0 [pid 418] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 421 attached ) = 0 [pid 418] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 421] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 421] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 421] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 421] <... futex resumed>) = 1 [pid 417] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 418] <... futex resumed>) = 0 [pid 418] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 421] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 418] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 418] <... futex resumed>) = 1 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 418] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 418] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 417] <... futex resumed>) = 0 [pid 417] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 417] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 418] <... futex resumed>) = 1 [pid 418] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 418] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 417] <... futex resumed>) = 0 [pid 417] exit_group(0) = ? [pid 421] <... futex resumed>) = ? [pid 421] +++ exited with 0 +++ [pid 418] <... futex resumed>) = ? [pid 418] +++ exited with 0 +++ [pid 417] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=417, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./23", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./23/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./23/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./23/binderfs") = 0 [ 24.647376][ T418] loop0: detected capacity change from 0 to 512 [ 24.664574][ T418] EXT4-fs (loop0): 1 orphan inode deleted [ 24.670163][ T418] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.679096][ T418] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/23/file1 supports timestamps until 2038 (0x7fffffff) umount2("./23/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./23/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./23/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./23/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./23/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./23") = 0 mkdir("./24", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 422 ./strace-static-x86_64: Process 422 attached [pid 422] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 422] chdir("./24") = 0 [pid 422] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 422] setpgid(0, 0) = 0 [pid 422] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 422] write(3, "1000", 4) = 4 [pid 422] close(3) = 0 [pid 422] symlink("/dev/binderfs", "./binderfs") = 0 [pid 422] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 422] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 422] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 422] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[423], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 423 [pid 422] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 422] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 423 attached [pid 423] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 423] memfd_create("syzkaller", 0) = 3 [pid 423] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 423] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 423] munmap(0x7fa77410f000, 262144) = 0 [pid 423] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 423] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 423] close(3) = 0 [pid 423] mkdir("./file1", 0777) = 0 [ 24.723351][ T43] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:2: Invalid inode table block 0 in block_group 0 [ 24.736906][ T293] EXT4-fs (loop0): unmounting filesystem. [ 24.763465][ T423] loop0: detected capacity change from 0 to 512 [pid 423] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 423] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 423] chdir("./file1") = 0 [pid 423] ioctl(4, LOOP_CLR_FD) = 0 [pid 423] close(4) = 0 [pid 423] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 423] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 422] <... futex resumed>) = 0 [pid 422] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 422] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 423] <... futex resumed>) = 0 [pid 423] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 423] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 422] <... futex resumed>) = 0 [pid 422] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 422] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 422] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 422] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 422] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[426], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 426 [pid 422] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 422] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 423] <... futex resumed>) = 1 [pid 423] fallocate(4, 0, 35143, 7) = 0 [pid 423] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 423] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 426 attached [pid 426] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 426] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 426] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 422] <... futex resumed>) = 0 [pid 422] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 422] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 423] <... futex resumed>) = 0 [pid 423] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 423] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 422] <... futex resumed>) = 0 [pid 422] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 422] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 423] <... futex resumed>) = 1 [pid 423] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 426] <... futex resumed>) = 1 [pid 423] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 426] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 422] <... futex resumed>) = 0 [pid 422] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 422] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 423] <... futex resumed>) = 1 [pid 423] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 423] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 422] <... futex resumed>) = 0 [pid 422] exit_group(0) = ? [pid 426] <... futex resumed>) = ? [pid 426] +++ exited with 0 +++ [pid 423] <... futex resumed>) = ? [pid 423] +++ exited with 0 +++ [pid 422] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=422, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./24", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./24/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./24/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./24/binderfs") = 0 [ 24.779584][ T423] EXT4-fs (loop0): 1 orphan inode deleted [ 24.785121][ T423] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.794128][ T423] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/24/file1 supports timestamps until 2038 (0x7fffffff) umount2("./24/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./24/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./24/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./24/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./24/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./24") = 0 mkdir("./25", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 427 attached , child_tidptr=0x5555556ca5d0) = 427 [pid 427] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 427] chdir("./25") = 0 [pid 427] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 427] setpgid(0, 0) = 0 [pid 427] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 427] write(3, "1000", 4) = 4 [pid 427] close(3) = 0 [pid 427] symlink("/dev/binderfs", "./binderfs") = 0 [pid 427] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 427] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 427] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 428 attached , parent_tid=[428], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 428 [pid 428] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 428] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 427] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 428] <... futex resumed>) = 0 [pid 427] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 428] memfd_create("syzkaller", 0) = 3 [pid 428] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 428] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 428] munmap(0x7fa77410f000, 262144) = 0 [pid 428] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 428] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 428] close(3) = 0 [pid 428] mkdir("./file1", 0777) = 0 [ 24.821894][ T10] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:1: Invalid inode table block 0 in block_group 0 [ 24.835657][ T293] EXT4-fs (loop0): unmounting filesystem. [ 24.868409][ T428] loop0: detected capacity change from 0 to 512 [pid 428] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 428] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 428] chdir("./file1") = 0 [pid 428] ioctl(4, LOOP_CLR_FD) = 0 [pid 428] close(4) = 0 [pid 428] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 427] <... futex resumed>) = 0 [pid 428] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 427] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 427] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] <... futex resumed>) = 0 [pid 428] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 428] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 427] <... futex resumed>) = 0 [pid 427] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 427] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 427] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[431], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 431 [pid 427] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] <... futex resumed>) = 1 [pid 428] fallocate(4, 0, 35143, 7) = 0 [pid 428] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 428] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 431 attached [pid 431] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 431] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 431] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 427] <... futex resumed>) = 0 [pid 427] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 427] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] <... futex resumed>) = 0 [pid 428] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 428] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 427] <... futex resumed>) = 0 [pid 427] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] <... futex resumed>) = 1 [pid 428] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 428] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 427] <... futex resumed>) = 0 [pid 427] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 427] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 428] <... futex resumed>) = 1 [pid 428] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 431] <... futex resumed>) = 1 [pid 431] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 428] <... write resumed>) = 262144 [pid 428] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 427] <... futex resumed>) = 0 [pid 427] exit_group(0) = ? [pid 431] <... futex resumed>) = ? [pid 428] <... futex resumed>) = ? [pid 428] +++ exited with 0 +++ [pid 431] +++ exited with 0 +++ [pid 427] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=427, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./25", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./25/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./25/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 [ 24.878840][ T428] EXT4-fs (loop0): 1 orphan inode deleted [ 24.884479][ T428] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 24.893565][ T428] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/25/file1 supports timestamps until 2038 (0x7fffffff) unlink("./25/binderfs") = 0 umount2("./25/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./25/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./25/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./25/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./25/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./25") = 0 mkdir("./26", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 432 ./strace-static-x86_64: Process 432 attached [pid 432] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 432] chdir("./26") = 0 [pid 432] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 432] setpgid(0, 0) = 0 [pid 432] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 432] write(3, "1000", 4) = 4 [pid 432] close(3) = 0 [pid 432] symlink("/dev/binderfs", "./binderfs") = 0 [pid 432] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 432] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 432] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 432] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 433 attached , parent_tid=[433], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 433 [pid 433] set_robust_list(0x7fa77c52f9e0, 24 [pid 432] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 433] <... set_robust_list resumed>) = 0 [pid 432] <... futex resumed>) = 0 [pid 433] memfd_create("syzkaller", 0 [pid 432] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 433] <... memfd_create resumed>) = 3 [pid 433] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 433] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 433] munmap(0x7fa77410f000, 262144) = 0 [pid 433] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 24.920800][ T301] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:3: Invalid inode table block 0 in block_group 0 [ 24.934133][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 433] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 433] close(3) = 0 [pid 433] mkdir("./file1", 0777) = 0 [pid 433] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 433] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 433] chdir("./file1") = 0 [pid 433] ioctl(4, LOOP_CLR_FD) = 0 [pid 433] close(4) = 0 [pid 433] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 432] <... futex resumed>) = 0 [pid 432] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 432] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 433] <... futex resumed>) = 1 [pid 433] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 433] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 432] <... futex resumed>) = 0 [pid 432] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 432] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 432] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 432] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 432] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[436], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 436 [pid 432] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 432] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 433] <... futex resumed>) = 1 [pid 433] fallocate(4, 0, 35143, 7./strace-static-x86_64: Process 436 attached [pid 436] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 433] <... fallocate resumed>) = 0 [pid 433] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 433] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 436] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 436] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 432] <... futex resumed>) = 0 [pid 432] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 432] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 433] <... futex resumed>) = 0 [pid 433] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 433] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 432] <... futex resumed>) = 0 [pid 436] <... futex resumed>) = 1 [pid 436] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 433] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 432] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 433] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 433] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 432] <... futex resumed>) = 0 [pid 432] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 433] <... open resumed>) = 5 [pid 433] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 432] <... futex resumed>) = 0 [pid 432] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 432] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 433] <... futex resumed>) = 1 [pid 433] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 433] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 432] <... futex resumed>) = 0 [pid 432] exit_group(0) = ? [pid 436] <... futex resumed>) = ? [pid 436] +++ exited with 0 +++ [pid 433] <... futex resumed>) = ? [pid 433] +++ exited with 0 +++ [pid 432] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=432, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./26", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./26/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./26/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./26/binderfs") = 0 [ 24.980447][ T433] loop0: detected capacity change from 0 to 512 [ 24.998995][ T433] EXT4-fs (loop0): 1 orphan inode deleted [ 25.004589][ T433] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 25.013535][ T433] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/26/file1 supports timestamps until 2038 (0x7fffffff) umount2("./26/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./26/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./26/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./26/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./26/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./26") = 0 mkdir("./27", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 437 ./strace-static-x86_64: Process 437 attached [pid 437] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 437] chdir("./27") = 0 [pid 437] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 437] setpgid(0, 0) = 0 [pid 437] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 437] write(3, "1000", 4) = 4 [ 25.049858][ T10] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:1: Invalid inode table block 0 in block_group 0 [ 25.062885][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 437] close(3) = 0 [pid 437] symlink("/dev/binderfs", "./binderfs") = 0 [pid 437] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 437] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 437] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 437] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 438 attached , parent_tid=[438], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 438 [pid 438] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 438] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 437] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 438] <... futex resumed>) = 0 [pid 438] memfd_create("syzkaller", 0 [pid 437] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 438] <... memfd_create resumed>) = 3 [pid 438] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 438] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 438] munmap(0x7fa77410f000, 262144) = 0 [pid 438] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 438] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 438] close(3) = 0 [pid 438] mkdir("./file1", 0777) = 0 [pid 438] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 438] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 438] chdir("./file1") = 0 [pid 438] ioctl(4, LOOP_CLR_FD) = 0 [pid 438] close(4) = 0 [pid 438] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 437] <... futex resumed>) = 0 [pid 437] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 437] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] <... futex resumed>) = 1 [pid 438] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 438] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 437] <... futex resumed>) = 0 [pid 437] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 437] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 437] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 437] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 437] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[441], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 441 [pid 437] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 437] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] <... futex resumed>) = 1 ./strace-static-x86_64: Process 441 attached [pid 438] fallocate(4, 0, 35143, 7 [pid 441] set_robust_list(0x7fa77414e9e0, 24 [pid 438] <... fallocate resumed>) = 0 [pid 438] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 438] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 441] <... set_robust_list resumed>) = 0 [pid 441] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 441] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 437] <... futex resumed>) = 0 [pid 437] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 437] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] <... futex resumed>) = 0 [pid 438] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 438] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 437] <... futex resumed>) = 0 [pid 437] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 437] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] <... futex resumed>) = 1 [pid 438] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 441] <... futex resumed>) = 1 [pid 441] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 438] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 437] <... futex resumed>) = 0 [pid 437] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 437] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 438] <... futex resumed>) = 1 [pid 438] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 438] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 437] <... futex resumed>) = 0 [pid 437] exit_group(0 [pid 441] <... futex resumed>) = ? [pid 437] <... exit_group resumed>) = ? [pid 441] +++ exited with 0 +++ [pid 438] +++ exited with 0 +++ [pid 437] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=437, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- umount2("./27", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./27/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./27/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./27/binderfs") = 0 [ 25.117214][ T438] loop0: detected capacity change from 0 to 512 [ 25.138738][ T438] EXT4-fs (loop0): 1 orphan inode deleted [ 25.144284][ T438] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 25.153102][ T438] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/27/file1 supports timestamps until 2038 (0x7fffffff) umount2("./27/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./27/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./27/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./27/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./27/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./27") = 0 mkdir("./28", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 442 ./strace-static-x86_64: Process 442 attached [pid 442] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 442] chdir("./28") = 0 [pid 442] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 442] setpgid(0, 0) = 0 [pid 442] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 442] write(3, "1000", 4) = 4 [pid 442] close(3) = 0 [pid 442] symlink("/dev/binderfs", "./binderfs") = 0 [pid 442] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 442] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 442] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 442] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 443 attached , parent_tid=[443], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 443 [pid 442] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 442] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 443] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 443] memfd_create("syzkaller", 0) = 3 [pid 443] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 443] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [ 25.182930][ T10] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:1: Invalid inode table block 0 in block_group 0 [ 25.196195][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 443] munmap(0x7fa77410f000, 262144) = 0 [pid 443] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 443] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 443] close(3) = 0 [pid 443] mkdir("./file1", 0777) = 0 [pid 443] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 443] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 443] chdir("./file1") = 0 [pid 443] ioctl(4, LOOP_CLR_FD) = 0 [pid 443] close(4) = 0 [pid 443] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 442] <... futex resumed>) = 0 [pid 443] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 442] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 442] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 443] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 443] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 443] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 442] <... futex resumed>) = 0 [pid 442] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 442] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 442] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 442] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE [pid 443] fallocate(4, 0, 35143, 7 [pid 442] <... mprotect resumed>) = 0 [pid 442] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID [pid 443] <... fallocate resumed>) = 0 [pid 443] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 446 attached [pid 443] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 446] set_robust_list(0x7fa77414e9e0, 24 [pid 442] <... clone resumed>, parent_tid=[446], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 446 [pid 446] <... set_robust_list resumed>) = 0 [pid 442] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 442] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 446] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 446] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 442] <... futex resumed>) = 0 [pid 446] <... futex resumed>) = 1 [pid 446] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 442] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 443] <... futex resumed>) = 0 [pid 442] <... futex resumed>) = 1 [pid 443] sendmmsg(-1, [pid 442] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 443] <... sendmmsg resumed>[{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 443] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 442] <... futex resumed>) = 0 [pid 443] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c [pid 442] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 443] <... open resumed>) = 5 [pid 442] <... futex resumed>) = 0 [pid 443] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 442] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 443] <... futex resumed>) = 0 [pid 442] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 442] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 443] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 442] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 443] <... write resumed>) = 262144 [pid 443] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 442] <... futex resumed>) = 0 [pid 443] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 442] exit_group(0 [pid 446] <... futex resumed>) = ? [pid 443] <... futex resumed>) = ? [pid 442] <... exit_group resumed>) = ? [pid 446] +++ exited with 0 +++ [pid 443] +++ exited with 0 +++ [pid 442] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=442, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./28", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./28/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./28/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./28/binderfs") = 0 [ 25.229252][ T443] loop0: detected capacity change from 0 to 512 [ 25.238723][ T443] EXT4-fs (loop0): 1 orphan inode deleted [ 25.244256][ T443] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 25.253171][ T443] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/28/file1 supports timestamps until 2038 (0x7fffffff) umount2("./28/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./28/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./28/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./28/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./28/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./28") = 0 mkdir("./29", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 447 ./strace-static-x86_64: Process 447 attached [pid 447] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 447] chdir("./29") = 0 [pid 447] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 447] setpgid(0, 0) = 0 [pid 447] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 447] write(3, "1000", 4) = 4 [pid 447] close(3) = 0 [pid 447] symlink("/dev/binderfs", "./binderfs") = 0 [pid 447] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 447] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 447] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 447] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[448], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 448 [pid 447] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 447] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 448 attached [pid 448] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 448] memfd_create("syzkaller", 0) = 3 [pid 448] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 448] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 448] munmap(0x7fa77410f000, 262144) = 0 [pid 448] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 448] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 448] close(3) = 0 [pid 448] mkdir("./file1", 0777) = 0 [ 25.293139][ T301] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:3: Invalid inode table block 0 in block_group 0 [ 25.306219][ T293] EXT4-fs (loop0): unmounting filesystem. [ 25.333207][ T448] loop0: detected capacity change from 0 to 512 [pid 448] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 448] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 448] chdir("./file1") = 0 [pid 448] ioctl(4, LOOP_CLR_FD) = 0 [pid 448] close(4) = 0 [pid 448] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 447] <... futex resumed>) = 0 [pid 447] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 447] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 448] <... futex resumed>) = 1 [pid 448] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 448] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 447] <... futex resumed>) = 0 [pid 447] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 447] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 447] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 447] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 447] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[451], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 451 [pid 447] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 447] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 448] <... futex resumed>) = 1 [pid 448] fallocate(4, 0, 35143, 7) = 0 [pid 448] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 448] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 451 attached [pid 451] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 451] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 451] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 451] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 447] <... futex resumed>) = 0 [pid 447] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 447] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 448] <... futex resumed>) = 0 [pid 448] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 448] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 447] <... futex resumed>) = 0 [pid 447] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 447] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 448] <... futex resumed>) = 1 [pid 448] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 448] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 447] <... futex resumed>) = 0 [pid 447] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 447] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 448] <... futex resumed>) = 1 [pid 448] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 448] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 447] <... futex resumed>) = 0 [pid 447] exit_group(0) = ? [pid 451] <... futex resumed>) = ? [pid 451] +++ exited with 0 +++ [pid 448] <... futex resumed>) = ? [pid 448] +++ exited with 0 +++ [pid 447] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=447, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./29", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./29/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./29/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./29/binderfs") = 0 [ 25.348556][ T448] EXT4-fs (loop0): 1 orphan inode deleted [ 25.354189][ T448] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 25.363177][ T448] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/29/file1 supports timestamps until 2038 (0x7fffffff) umount2("./29/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./29/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./29/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./29/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./29/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./29") = 0 mkdir("./30", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 452 ./strace-static-x86_64: Process 452 attached [pid 452] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 452] chdir("./30") = 0 [pid 452] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 452] setpgid(0, 0) = 0 [pid 452] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 452] write(3, "1000", 4) = 4 [pid 452] close(3) = 0 [pid 452] symlink("/dev/binderfs", "./binderfs") = 0 [pid 452] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 452] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 452] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 452] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 453 attached , parent_tid=[453], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 453 [pid 452] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 452] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 453] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 453] memfd_create("syzkaller", 0) = 3 [pid 453] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 453] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 453] munmap(0x7fa77410f000, 262144) = 0 [pid 453] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 25.388096][ T303] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:5: Invalid inode table block 0 in block_group 0 [ 25.401826][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 453] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 453] close(3) = 0 [pid 453] mkdir("./file1", 0777) = 0 [pid 453] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 453] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 453] chdir("./file1") = 0 [pid 453] ioctl(4, LOOP_CLR_FD) = 0 [pid 453] close(4) = 0 [pid 453] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 452] <... futex resumed>) = 0 [pid 452] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 452] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 453] <... futex resumed>) = 1 [pid 453] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 453] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 452] <... futex resumed>) = 0 [pid 452] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 452] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 452] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77412e000 [pid 452] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 452] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID [pid 453] <... futex resumed>) = 1 ./strace-static-x86_64: Process 456 attached [pid 453] fallocate(4, 0, 35143, 7 [pid 452] <... clone resumed>, parent_tid=[456], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 456 [pid 452] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 452] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 453] <... fallocate resumed>) = 0 [pid 456] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 456] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 453] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 453] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 456] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 452] <... futex resumed>) = 0 [pid 452] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 452] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 453] <... futex resumed>) = 0 [pid 453] sendmmsg(-1, [pid 456] <... futex resumed>) = 1 [pid 456] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 453] <... sendmmsg resumed>[{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 453] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 452] <... futex resumed>) = 0 [pid 452] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 452] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 453] <... futex resumed>) = 1 [pid 453] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 453] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 452] <... futex resumed>) = 0 [pid 452] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 452] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 453] <... futex resumed>) = 1 [pid 453] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190) = 262144 [pid 453] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 452] <... futex resumed>) = 0 [pid 453] <... futex resumed>) = 1 [pid 452] exit_group(0 [pid 456] <... futex resumed>) = ? [pid 452] <... exit_group resumed>) = ? [pid 456] +++ exited with 0 +++ [pid 453] +++ exited with 0 +++ [pid 452] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=452, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- umount2("./30", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./30/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./30/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./30/binderfs") = 0 [ 25.440509][ T453] loop0: detected capacity change from 0 to 512 [ 25.458629][ T453] EXT4-fs (loop0): 1 orphan inode deleted [ 25.464220][ T453] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [ 25.473250][ T453] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/30/file1 supports timestamps until 2038 (0x7fffffff) umount2("./30/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./30/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./30/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./30/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./30/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./30") = 0 mkdir("./31", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 458 ./strace-static-x86_64: Process 458 attached [pid 458] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 458] chdir("./31") = 0 [pid 458] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 458] setpgid(0, 0) = 0 [pid 458] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 458] write(3, "1000", 4) = 4 [pid 458] close(3) = 0 [pid 458] symlink("/dev/binderfs", "./binderfs") = 0 [pid 458] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 458] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 458] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 458] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 459 attached , parent_tid=[459], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 459 [pid 459] set_robust_list(0x7fa77c52f9e0, 24) = 0 [pid 459] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 458] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 459] <... futex resumed>) = 0 [pid 458] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 459] memfd_create("syzkaller", 0) = 3 [pid 459] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 459] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 459] munmap(0x7fa77410f000, 262144) = 0 [pid 459] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 25.504185][ T303] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:5: Invalid inode table block 0 in block_group 0 [ 25.517651][ T293] EXT4-fs (loop0): unmounting filesystem. [pid 459] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 459] close(3) = 0 [pid 459] mkdir("./file1", 0777) = 0 [ 25.552470][ T459] loop0: detected capacity change from 0 to 512 [ 25.579083][ T459] EXT4-fs (loop0): 1 orphan inode deleted [ 25.584680][ T459] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: writeback. [pid 459] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 459] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 459] chdir("./file1") = 0 [pid 459] ioctl(4, LOOP_CLR_FD) = 0 [pid 459] close(4) = 0 [pid 459] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 458] <... futex resumed>) = 0 [pid 459] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000 [pid 458] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 458] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 459] <... open resumed>) = 4 [pid 459] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 458] <... futex resumed>) = 0 [pid 458] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 459] fallocate(4, 0, 35143, 7 [pid 458] <... futex resumed>) = 0 [pid 458] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 459] <... fallocate resumed>) = 0 [pid 458] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 459] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 459] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 458] <... mmap resumed>) = 0x7fa77412e000 [pid 458] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 458] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[462], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 462 [pid 458] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 458] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 462 attached [pid 462] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 462] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 462] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 458] <... futex resumed>) = 0 [pid 458] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 458] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 459] <... futex resumed>) = 0 [pid 459] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 459] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 458] <... futex resumed>) = 0 [pid 458] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 458] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 459] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 459] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 458] <... futex resumed>) = 0 [pid 458] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 458] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 459] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 462] <... futex resumed>) = 1 [pid 462] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 459] <... write resumed>) = 262144 [pid 459] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 458] <... futex resumed>) = 0 [pid 458] exit_group(0) = ? [pid 462] <... futex resumed>) = ? [pid 459] +++ exited with 0 +++ [pid 462] +++ exited with 0 +++ [pid 458] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=458, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./31", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555556cb620 /* 4 entries */, 32768) = 112 umount2("./31/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./31/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./31/binderfs") = 0 [ 25.593506][ T459] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/31/file1 supports timestamps until 2038 (0x7fffffff) umount2("./31/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./31/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./31/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./31/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555556d3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555556d3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./31/file1") = 0 getdents64(3, 0x5555556cb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./31") = 0 mkdir("./32", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555556ca5d0) = 463 ./strace-static-x86_64: Process 463 attached [pid 463] set_robust_list(0x5555556ca5e0, 24) = 0 [pid 463] chdir("./32") = 0 [pid 463] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 463] setpgid(0, 0) = 0 [pid 463] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 463] write(3, "1000", 4) = 4 [pid 463] close(3) = 0 [pid 463] symlink("/dev/binderfs", "./binderfs") = 0 [pid 463] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 463] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fa77c50f000 [pid 463] mprotect(0x7fa77c510000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 463] clone(child_stack=0x7fa77c52f3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 464 attached , parent_tid=[464], tls=0x7fa77c52f700, child_tidptr=0x7fa77c52f9d0) = 464 [pid 463] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 464] set_robust_list(0x7fa77c52f9e0, 24 [pid 463] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 464] <... set_robust_list resumed>) = 0 [pid 464] memfd_create("syzkaller", 0) = 3 [pid 464] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa77410f000 [pid 464] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 464] munmap(0x7fa77410f000, 262144) = 0 [pid 464] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 464] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 464] close(3) = 0 [pid 464] mkdir("./file1", 0777) = 0 [ 25.624917][ T303] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm kworker/u4:5: Invalid inode table block 0 in block_group 0 [ 25.649324][ T464] loop0: detected capacity change from 0 to 512 [ 25.668867][ T464] EXT4-fs (loop0): 1 orphan inode deleted [pid 464] mount("/dev/loop0", "./file1", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_REC, ",errors=continue") = 0 [pid 464] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 464] chdir("./file1") = 0 [pid 464] ioctl(4, LOOP_CLR_FD) = 0 [pid 464] close(4) = 0 [pid 464] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 463] <... futex resumed>) = 0 [pid 463] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 463] futex(0x7fa77c6087ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 464] <... futex resumed>) = 1 [pid 464] open("./bus", O_RDWR|O_CREAT|O_TRUNC|O_SYNC|O_DIRECT|O_LARGEFILE|O_NOATIME|0x3c, 000) = 4 [pid 464] futex(0x7fa77c6087ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 463] <... futex resumed>) = 0 [pid 464] <... futex resumed>) = 1 [pid 464] futex(0x7fa77c6087a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 463] futex(0x7fa77c6087a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 463] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 463] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 464] <... futex resumed>) = 0 [pid 463] <... mmap resumed>) = 0x7fa77412e000 [pid 463] mprotect(0x7fa77412f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 463] clone(child_stack=0x7fa77414e3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[467], tls=0x7fa77414e700, child_tidptr=0x7fa77414e9d0) = 467 [pid 463] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 463] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 467 attached [pid 467] set_robust_list(0x7fa77414e9e0, 24) = 0 [pid 467] mount("/dev/loop0", "./bus", NULL, MS_NOEXEC|MS_BIND|MS_SILENT, NULL) = 0 [pid 467] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 463] <... futex resumed>) = 0 [pid 463] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 463] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 467] <... futex resumed>) = 1 [pid 467] sendmmsg(-1, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., iov_len=1126}], msg_iovlen=1, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 EBADF (Bad file descriptor) [pid 467] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 463] <... futex resumed>) = 0 [pid 463] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 463] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 467] <... futex resumed>) = 1 [pid 467] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 5 [pid 467] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 463] <... futex resumed>) = 0 [pid 463] futex(0x7fa77c6087b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 463] futex(0x7fa77c6087bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 467] <... futex resumed>) = 1 [pid 467] write(5, "\x4d\xe8\x34\x8e\x35\xba\x09\x19\x0a\x9f\x07\x04\x5f\xfe\x36\x16\x70\x9a\xca\x5b\x8f\x30\xfa\x6b\x5b\xac\x8b\x0c\x17\xd3\x8b\xe2\x08\x57\xe5\xd4\xfa\x5a\xcc\x08\x0b\xb9\xb5\x8c\xa1\x32\xba\xb6\x7c\x5e\xa0\xc7\x90\x89\xe3\x67\xa3\x73\x4b\xee\x2b\xa6\x2b\x32\x8a\x1d\xae\x20\xf3\x07\x81\x52\x94\xf6\x62\x74\x83\x2f\x6a\x8d\xb4\x59\x64\x93\x47\x02\xeb\x02\x5d\xa3\x4e\x4b\x99\x7a\x4a\x6f\x36\xf2\xbe\x2c"..., 22455190 [pid 464] fallocate(4, 0, 35143, 7 [pid 467] <... write resumed>) = 262144 [pid 467] futex(0x7fa77c6087bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 463] <... futex resumed>) = 0 [pid 467] <... futex resumed>) = 1 [ 25.674493][ T464] ext4 filesystem being mounted at /root/syzkaller.IwjKPm/32/file1 supports timestamps until 2038 (0x7fffffff) [ 25.693712][ T464] EXT4-fs error (device loop0): ext4_map_blocks:607: inode #3: block 9: comm syz-executor122: lblock 0 mapped to illegal pblock 9 (length 1) [ 25.708334][ T464] EXT4-fs error (device loop0): __ext4_get_inode_loc:4492: comm syz-executor122: Invalid inode table block 0 in block_group 0 [ 25.721413][ T464] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5841: Corrupt filesystem [ 25.730767][ T464] EXT4-fs error (device loop0): ext4_dirty_inode:6045: inode #16: comm syz-executor122: mark_inode_dirty error [ 25.742840][ T464] ------------[ cut here ]------------ [ 25.748124][ T464] kernel BUG at fs/ext4/ext4.h:3331! [ 25.753226][ T464] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 25.759302][ T464] CPU: 0 PID: 464 Comm: syz-executor122 Not tainted 6.1.25-syzkaller-00122-gfa9645687ea5 #0 [pid 467] futex(0x7fa77c6087b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 463] exit_group(0 [pid 467] <... futex resumed>) = ? [pid 463] <... exit_group resumed>) = ? [pid 467] +++ exited with 0 +++ [ 25.769188][ T464] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023 [ 25.779078][ T464] RIP: 0010:ext4_mb_find_by_goal+0xdf4/0xe30 [ 25.784891][ T464] Code: c4 ff e9 b5 fb ff ff e8 9a 9f 7e ff 49 bc 00 00 00 00 00 fc ff df e9 6f f7 ff ff e8 86 9f 7e ff e9 51 f7 ff ff e8 7c 9f 7e ff <0f> 0b e8 95 98 10 03 e8 70 9f 7e ff 0f 0b e8 69 9f 7e ff 0f 0b e8 [ 25.804337][ T464] RSP: 0018:ffffc900011471c0 EFLAGS: 00010293 [ 25.810233][ T464] RAX: ffffffff81f52434 RBX: 0000000000000001 RCX: ffff888120122880 [ 25.818047][ T464] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 [ 25.825861][ T464] RBP: ffffc900011472d0 R08: ffffffff81f5176b R09: ffffed10217bbb7b [ 25.833668][ T464] R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff110213b6879 [ 25.841479][ T464] R13: 0000000000000001 R14: 1ffff92000228e48 R15: ffff888109db43c8 [ 25.849291][ T464] FS: 00007fa77c52f700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 25.858059][ T464] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 25.864477][ T464] CR2: 0000000020010000 CR3: 0000000122666000 CR4: 00000000003506b0 [ 25.872292][ T464] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 25.880102][ T464] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 25.887910][ T464] Call Trace: [ 25.891035][ T464] [ 25.893814][ T464] ? __stack_depot_save+0x36/0x480 [ 25.898763][ T464] ? ext4_mb_use_inode_pa+0x6e0/0x6e0 [ 25.903974][ T464] ? slab_post_alloc_hook+0x53/0x2c0 [ 25.909092][ T464] ? kmem_cache_alloc+0x175/0x2c0 [ 25.913951][ T464] ? ext4_mb_new_blocks+0xf3d/0x48f0 [ 25.919076][ T464] ? ext4_ext_map_blocks+0x19ca/0x71e0 [ 25.924376][ T464] ? ext4_map_blocks+0xa42/0x1ce0 [ 25.929229][ T464] ext4_mb_regular_allocator+0x24c/0x3610 [ 25.934783][ T464] ? kasan_save_alloc_info+0x1f/0x30 [ 25.939900][ T464] ? ext4_mb_normalize_request+0x1830/0x1830 [ 25.945718][ T464] ? ext4_mb_new_blocks+0xf3d/0x48f0 [ 25.950841][ T464] ? ext4_mb_new_blocks+0xf3d/0x48f0 [ 25.955959][ T464] ext4_mb_new_blocks+0xfd3/0x48f0 [ 25.960906][ T464] ? __kasan_kmalloc+0x9c/0xb0 [ 25.965502][ T464] ? ext4_mb_pa_callback+0xd0/0xd0 [ 25.970450][ T464] ? ext4_ext_search_right+0x4f5/0x900 [ 25.975743][ T464] ? ext4_inode_to_goal_block+0x35c/0x4b0 [ 25.981300][ T464] ? ext4_ext_find_goal+0x117/0x200 [ 25.986335][ T464] ext4_ext_map_blocks+0x19ca/0x71e0 [ 25.991460][ T464] ? kmem_cache_free+0x291/0x510 [ 25.996235][ T464] ? mb_cache_entry_create+0x4de/0x7e0 [ 26.001529][ T464] ? ext4_ext_release+0x10/0x10 [ 26.006208][ T464] ? down_read+0x976/0xfc0 [ 26.010460][ T464] ? up_read+0x55/0x170 [ 26.014467][ T464] ? _raw_read_unlock+0x25/0x40 [ 26.019142][ T464] ext4_map_blocks+0xa42/0x1ce0 [ 26.023826][ T464] ? __vfs_getxattr+0x3c3/0x3f0 [ 26.028517][ T464] ? cap_inode_need_killpriv+0x51/0x60 [ 26.033815][ T464] ? ext4_issue_zeroout+0x250/0x250 [ 26.038843][ T464] ? __kasan_check_read+0x11/0x20 [ 26.043703][ T464] ext4_alloc_file_blocks+0x3d5/0xcd0 [ 26.048912][ T464] ? trace_ext4_fallocate_enter+0x160/0x160 [ 26.054643][ T464] ext4_fallocate+0x942/0x1e90 [ 26.059255][ T464] ? avc_policy_seqno+0x1b/0x70 [ 26.063943][ T464] ? ext4_ext_truncate+0x320/0x320 [ 26.068907][ T464] ? fsnotify_perm+0x6a/0x5d0 [ 26.073384][ T464] vfs_fallocate+0x492/0x570 [ 26.077812][ T464] __x64_sys_fallocate+0xc0/0x110 [ 26.082671][ T464] do_syscall_64+0x3d/0xb0 [ 26.086930][ T464] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 26.092739][ T464] RIP: 0033:0x7fa77c583759 [ 26.096994][ T464] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 26.116434][ T464] RSP: 002b:00007fa77c52f2f8 EFLAGS: 00000246 ORIG_RAX: 000000000000011d [ 26.124679][ T464] RAX: ffffffffffffffda RBX: 00007fa77c6087a0 RCX: 00007fa77c583759 [ 26.132489][ T464] RDX: 0000000000008947 RSI: 0000000000000000 RDI: 0000000000000004 [ 26.140314][ T464] RBP: 00007fa77c5d59e0 R08: 0000000000000000 R09: 0000000000000000 [ 26.148115][ T464] R10: 0000000000000007 R11: 0000000000000246 R12: 00007fa77c5d5578 [ 26.155925][ T464] R13: 0031656c69662f2e R14: 6f6f6c2f7665642f R15: 00007fa77c6087a8 [ 26.163740][ T464] [ 26.166596][ T464] Modules linked in: [ 26.172049][ T464] ---[ end trace 0000000000000000 ]--- [ 26.177491][ T464] RIP: 0010:ext4_mb_find_by_goal+0xdf4/0xe30 [ 26.183344][ T464] Code: c4 ff e9 b5 fb ff ff e8 9a 9f 7e ff 49 bc 00 00 00 00 00 fc ff df e9 6f f7 ff ff e8 86 9f 7e ff e9 51 f7 ff ff e8 7c 9f 7e ff <0f> 0b e8 95 98 10 03 e8 70 9f 7e ff 0f 0b e8 69 9f 7e ff 0f 0b e8 [ 26.202937][ T464] RSP: 0018:ffffc900011471c0 EFLAGS: 00010293 [ 26.209059][ T464] RAX: ffffffff81f52434 RBX: 0000000000000001 RCX: ffff888120122880 [ 26.216926][ T464] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001 [ 26.224736][ T464] RBP: ffffc900011472d0 R08: ffffffff81f5176b R09: ffffed10217bbb7b [ 26.232487][ T464] R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff110213b6879 [ 26.240307][ T464] R13: 0000000000000001 R14: 1ffff92000228e48 R15: ffff888109db43c8 [ 26.248188][ T464] FS: 00007fa77c52f700(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000 [ 26.256936][ T464] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 26.263384][ T464] CR2: 0000000020010000 CR3: 0000000122666000 CR4: 00000000003506b0 [ 26.271185][ T464] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 26.278998][ T464] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 26.286795][ T464] Kernel panic - not syncing: Fatal exception [ 26.292866][ T464] Kernel Offset: disabled [ 26.296991][ T464] Rebooting in 86400 seconds..