./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2398247978 <...> Warning: Permanently added '10.128.1.121' (ED25519) to the list of known hosts. execve("./syz-executor2398247978", ["./syz-executor2398247978"], 0x7ffd21002470 /* 10 vars */) = 0 brk(NULL) = 0x5555573c4000 brk(0x5555573c4d00) = 0x5555573c4d00 arch_prctl(ARCH_SET_FS, 0x5555573c4380) = 0 set_tid_address(0x5555573c4650) = 5064 set_robust_list(0x5555573c4660, 24) = 0 rseq(0x5555573c4ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2398247978", 4096) = 28 getrandom("\x05\xc6\xc4\xa5\x23\x55\xcc\x21", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555573c4d00 brk(0x5555573e5d00) = 0x5555573e5d00 brk(0x5555573e6000) = 0x5555573e6000 mprotect(0x7f5b15821000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.YXUA2m", 0700) = 0 chmod("./syzkaller.YXUA2m", 0777) = 0 chdir("./syzkaller.YXUA2m") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5066 attached , child_tidptr=0x5555573c4650) = 5066 [pid 5066] set_robust_list(0x5555573c4660, 24) = 0 [pid 5066] chdir("./0") = 0 [pid 5066] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5066] setpgid(0, 0) = 0 [pid 5066] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5066] write(3, "1000", 4) = 4 [pid 5066] close(3) = 0 [pid 5066] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5066] memfd_create("syzkaller", 0) = 3 [pid 5066] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5b0d36e000 [pid 5066] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 5066] munmap(0x7f5b0d36e000, 138412032) = 0 [pid 5066] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5066] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5066] close(3) = 0 [pid 5066] mkdir("./file1", 0777) = 0 [ 54.231338][ T5066] loop0: detected capacity change from 0 to 512 [ 54.255920][ T5066] EXT4-fs (loop0): 1 orphan inode deleted [ 54.261728][ T5066] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [pid 5066] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 5066] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 5066] chdir("./file1") = 0 [pid 5066] ioctl(4, LOOP_CLR_FD) = 0 [pid 5066] close(4) = 0 [pid 5066] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 5066] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 172032 [ 54.275189][ T5066] ext4 filesystem being mounted at /root/syzkaller.YXUA2m/0/file1 supports timestamps until 2038-01-19 (0x7fffffff) [pid 5066] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 5066] preadv(4, 0x200015c0, 1, 0) = 171904 [pid 5066] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 5066] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 5066] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 5066] write(6, 0x20000700, 34136651) = 170240 [pid 5066] exit_group(0) = ? [pid 5066] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5066, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555573c56f0 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x5555573cd730 /* 2 entries */, 32768) = 48 [ 54.441215][ T5064] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000. [ 54.452353][ T5064] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5761: Out of memory [ 54.463066][ T5064] EXT4-fs error (device loop0): ext4_quota_off:7156: inode #3: comm syz-executor239: mark_inode_dirty error getdents64(4, 0x5555573cd730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file1") = 0 getdents64(3, 0x5555573c56f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5070 attached , child_tidptr=0x5555573c4650) = 5070 [pid 5070] set_robust_list(0x5555573c4660, 24) = 0 [pid 5070] chdir("./1") = 0 [pid 5070] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5070] setpgid(0, 0) = 0 [pid 5070] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5070] write(3, "1000", 4) = 4 [pid 5070] close(3) = 0 [pid 5070] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5070] memfd_create("syzkaller", 0) = 3 [pid 5070] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5b0d36e000 [pid 5070] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 5070] munmap(0x7f5b0d36e000, 138412032) = 0 [pid 5070] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5070] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5070] close(3) = 0 [pid 5070] mkdir("./file1", 0777) = 0 [ 54.625880][ T5070] loop0: detected capacity change from 0 to 512 [ 54.663960][ T5070] EXT4-fs (loop0): 1 orphan inode deleted [pid 5070] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 5070] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 5070] chdir("./file1") = 0 [pid 5070] ioctl(4, LOOP_CLR_FD) = 0 [pid 5070] close(4) = 0 [pid 5070] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 54.669812][ T5070] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [ 54.682462][ T5070] ext4 filesystem being mounted at /root/syzkaller.YXUA2m/1/file1 supports timestamps until 2038-01-19 (0x7fffffff) [pid 5070] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 172032 [pid 5070] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 5070] preadv(4, 0x200015c0, 1, 0) = 171904 [pid 5070] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 5070] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 5070] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 5070] write(6, 0x20000700, 34136651) = 170240 [pid 5070] exit_group(0) = ? [pid 5070] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5070, si_uid=0, si_status=0, si_utime=0, si_stime=6 /* 0.06 s */} --- umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555573c56f0 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 [ 54.807869][ T142] EXT4-fs error (device loop0): ext4_map_blocks:687: inode #16: block 49: comm kworker/u4:5: lblock 0 mapped to illegal pblock 49 (length 1) [ 54.823676][ T142] EXT4-fs (loop0): Delayed block allocation failed for inode 16 at logical offset 0 with max blocks 1 with error 117 [ 54.836070][ T142] EXT4-fs (loop0): This should not happen!! Data will be lost [ 54.836070][ T142] umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [ 54.849491][ T5064] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000. [ 54.860795][ T5064] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5761: Out of memory [ 54.870125][ T5064] EXT4-fs error (device loop0): ext4_quota_off:7156: inode #3: comm syz-executor239: mark_inode_dirty error getdents64(4, 0x5555573cd730 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555573cd730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file1") = 0 getdents64(3, 0x5555573c56f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5073 attached , child_tidptr=0x5555573c4650) = 5073 [pid 5073] set_robust_list(0x5555573c4660, 24) = 0 [pid 5073] chdir("./2") = 0 [pid 5073] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5073] setpgid(0, 0) = 0 [pid 5073] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5073] write(3, "1000", 4) = 4 [pid 5073] close(3) = 0 [pid 5073] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5073] memfd_create("syzkaller", 0) = 3 [pid 5073] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5b0d36e000 [pid 5073] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 5073] munmap(0x7f5b0d36e000, 138412032) = 0 [pid 5073] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5073] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5073] close(3) = 0 [pid 5073] mkdir("./file1", 0777) = 0 [ 55.020732][ T5073] loop0: detected capacity change from 0 to 512 [ 55.043719][ T5073] EXT4-fs (loop0): 1 orphan inode deleted [ 55.049541][ T5073] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [pid 5073] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 5073] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 5073] chdir("./file1") = 0 [pid 5073] ioctl(4, LOOP_CLR_FD) = 0 [pid 5073] close(4) = 0 [pid 5073] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 55.062167][ T5073] ext4 filesystem being mounted at /root/syzkaller.YXUA2m/2/file1 supports timestamps until 2038-01-19 (0x7fffffff) [pid 5073] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 172032 [pid 5073] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 5073] preadv(4, 0x200015c0, 1, 0) = 171904 [pid 5073] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 5073] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 5073] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 5073] write(6, 0x20000700, 34136651) = 170240 [pid 5073] exit_group(0) = ? [pid 5073] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5073, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555573c56f0 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x5555573cd730 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555573cd730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file1") = 0 getdents64(3, 0x5555573c56f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [ 55.203107][ T5064] EXT4-fs (loop0): unmounting filesystem 00000000-0000-0000-0000-000000000000. [ 55.213961][ T5064] EXT4-fs error (device loop0) in ext4_reserve_inode_write:5761: Out of memory [ 55.223474][ T5064] EXT4-fs error (device loop0): ext4_quota_off:7156: inode #3: comm syz-executor239: mark_inode_dirty error close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5076 attached [pid 5076] set_robust_list(0x5555573c4660, 24) = 0 [pid 5076] chdir("./3") = 0 [pid 5076] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5076] setpgid(0, 0 [pid 5064] <... clone resumed>, child_tidptr=0x5555573c4650) = 5076 [pid 5076] <... setpgid resumed>) = 0 [pid 5076] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5076] write(3, "1000", 4) = 4 [pid 5076] close(3) = 0 [pid 5076] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5076] memfd_create("syzkaller", 0) = 3 [pid 5076] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5b0d36e000 [pid 5076] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 5076] munmap(0x7f5b0d36e000, 138412032) = 0 [pid 5076] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5076] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5076] close(3) = 0 [pid 5076] mkdir("./file1", 0777) = 0 [ 55.349610][ T5076] loop0: detected capacity change from 0 to 512 [pid 5076] mount("/dev/loop0", "./file1", "ext4", MS_REC, ",errors=continue") = 0 [pid 5076] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 5076] chdir("./file1") = 0 [pid 5076] ioctl(4, LOOP_CLR_FD) = 0 [pid 5076] close(4) = 0 [pid 5076] openat(AT_FDCWD, "memory.current", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 5076] write(4, "\x9e\x25\x9c\x32\x69\x46\xb9\xc0\x29\x8d\xdf\xa8\xb6\x29\x00\x00\x00\x10\x65\xd9\x4a\x7d\xf6\x0f\xaa\xee\x4d\x4b\xc1\x86\x47\xf6\x0f\x78\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 172032 [ 55.394013][ T5076] EXT4-fs (loop0): 1 orphan inode deleted [ 55.399928][ T5076] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [ 55.412588][ T5076] ext4 filesystem being mounted at /root/syzkaller.YXUA2m/3/file1 supports timestamps until 2038-01-19 (0x7fffffff) [pid 5076] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 4, 0) = 0x20000000 [pid 5076] preadv(4, 0x200015c0, 1, 0) = 171904 [pid 5076] open(0x20000540, O_RDONLY|O_CREAT, 000) = 5 [pid 5076] mount(0x20000380, 0x20000140, NULL, MS_BIND, NULL) = 0 [pid 5076] open(0x20000400, O_RDWR|O_NOCTTY|O_SYNC|O_NOATIME|0x3c) = 6 [pid 5076] write(6, 0x20000700, 34136651) = 170240 [pid 5076] exit_group(0) = ? [pid 5076] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5076, si_uid=0, si_status=0, si_utime=0, si_stime=5 /* 0.05 s */} --- umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555573c56f0 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 [ 55.564698][ T142] ================================================================== [ 55.572785][ T142] BUG: KASAN: use-after-free in ext4_find_extent+0xbe8/0xce0 [ 55.580166][ T142] Read of size 4 at addr ffff88807dbddbf0 by task kworker/u4:5/142 [ 55.588048][ T142] [ 55.590363][ T142] CPU: 1 PID: 142 Comm: kworker/u4:5 Not tainted 6.7.0-rc5-syzkaller-00042-g88035e5694a8 #0 [ 55.600413][ T142] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 55.610457][ T142] Workqueue: writeback wb_workfn (flush-7:0) [ 55.616431][ T142] Call Trace: [ 55.619699][ T142] [ 55.622619][ T142] dump_stack_lvl+0xd9/0x1b0 [ 55.627211][ T142] print_report+0xc4/0x620 [ 55.631626][ T142] ? __virt_addr_valid+0x5e/0x2d0 [ 55.636644][ T142] ? __phys_addr+0xc6/0x140 [ 55.641138][ T142] kasan_report+0xda/0x110 [ 55.645548][ T142] ? ext4_find_extent+0xbe8/0xce0 [ 55.650563][ T142] ? ext4_find_extent+0xbe8/0xce0 [ 55.655577][ T142] ext4_find_extent+0xbe8/0xce0 [ 55.660422][ T142] ext4_ext_map_blocks+0x26b/0x5ae0 [ 55.665610][ T142] ? hlock_class+0x4e/0x130 [ 55.670109][ T142] ? __lock_acquire+0x14f0/0x3b20 [ 55.675126][ T142] ? ext4_ext_release+0x10/0x10 [ 55.679967][ T142] ? __down_write_common+0x17a/0x1400 [ 55.685336][ T142] ? up_write+0x510/0x510 [ 55.689659][ T142] ? lock_sync+0x190/0x190 [ 55.694069][ T142] ? preempt_count_sub+0x160/0x160 [ 55.699164][ T142] ? ext4_es_lookup_extent+0xc7/0xbf0 [ 55.704532][ T142] ext4_map_blocks+0x619/0x1770 [ 55.709380][ T142] ? ext4_issue_zeroout+0x1f0/0x1f0 [ 55.714585][ T142] ? trace_kmem_cache_alloc+0x26/0xa0 [ 55.719951][ T142] ? ext4_alloc_io_end_vec+0x145/0x1c0 [ 55.725394][ T142] ext4_do_writepages+0x184e/0x3350 [ 55.730588][ T142] ? __ext4_mark_inode_dirty+0x810/0x810 [ 55.736213][ T142] ? print_usage_bug.part.0+0x550/0x550 [ 55.741755][ T142] ext4_writepages+0x30c/0x780 [ 55.746522][ T142] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0 [ 55.753370][ T142] ? hlock_class+0x4e/0x130 [ 55.757876][ T142] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0 [ 55.764994][ T142] do_writepages+0x1b4/0x690 [ 55.769593][ T142] ? writeback_set_ratelimit+0x140/0x140 [ 55.775221][ T142] ? writeback_sb_inodes+0x344/0x1080 [ 55.780583][ T142] ? find_held_lock+0x2d/0x110 [ 55.785344][ T142] ? wbc_attach_and_unlock_inode+0x446/0x910 [ 55.791315][ T142] ? reacquire_held_locks+0x4c0/0x4c0 [ 55.796680][ T142] __writeback_single_inode+0x158/0xe90 [ 55.802217][ T142] ? __mark_inode_dirty+0xd60/0xd60 [ 55.807426][ T142] ? _raw_spin_unlock+0x28/0x40 [ 55.812297][ T142] ? wbc_attach_and_unlock_inode+0x49c/0x910 [ 55.818267][ T142] writeback_sb_inodes+0x599/0x1080 [ 55.823465][ T142] ? _raw_spin_unlock+0x28/0x40 [ 55.828331][ T142] ? sync_inode_metadata+0xe0/0xe0 [ 55.833437][ T142] ? rcu_is_watching+0x12/0xb0 [ 55.838192][ T142] ? queue_io+0x3ed/0x4e0 [ 55.842566][ T142] wb_writeback+0x2a5/0xaa0 [ 55.847065][ T142] ? __writeback_inodes_wb+0x2d0/0x2d0 [ 55.852515][ T142] ? reacquire_held_locks+0x4c0/0x4c0 [ 55.857991][ T142] ? mark_held_locks+0x9f/0xe0 [ 55.862770][ T142] wb_workfn+0x29c/0xfe0 [ 55.867007][ T142] ? lockdep_hardirqs_on_prepare+0x361/0x420 [ 55.872985][ T142] ? inode_wait_for_writeback+0x30/0x30 [ 55.878518][ T142] ? lock_sync+0x190/0x190 [ 55.882920][ T142] ? lock_sync+0x190/0x190 [ 55.887341][ T142] ? reacquire_held_locks+0x4c0/0x4c0 [ 55.892708][ T142] process_one_work+0x886/0x15d0 [ 55.898090][ T142] ? lock_sync+0x190/0x190 [ 55.902497][ T142] ? workqueue_congested+0x300/0x300 [ 55.907771][ T142] ? assign_work+0x1a0/0x250 [ 55.912368][ T142] worker_thread+0x8b9/0x1290 [ 55.917036][ T142] ? __kthread_parkme+0x14b/0x220 [ 55.922048][ T142] ? process_one_work+0x15d0/0x15d0 [ 55.927251][ T142] kthread+0x2c6/0x3a0 [ 55.931308][ T142] ? _raw_spin_unlock_irq+0x23/0x50 [ 55.936494][ T142] ? kthread_complete_and_exit+0x40/0x40 [ 55.942115][ T142] ret_from_fork+0x45/0x80 [ 55.946523][ T142] ? kthread_complete_and_exit+0x40/0x40 [ 55.952144][ T142] ret_from_fork_asm+0x11/0x20 [ 55.956908][ T142] [ 55.959911][ T142] [ 55.962216][ T142] The buggy address belongs to the physical page: [ 55.968603][ T142] page:ffffea0001f6f740 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x7dbdd [ 55.978763][ T142] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 55.985887][ T142] page_type: 0xffffffff() [ 55.990203][ T142] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000 [ 55.998790][ T142] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 56.007365][ T142] page dumped because: kasan: bad access detected [ 56.013765][ T142] page_owner tracks the page as freed [ 56.019114][ T142] page last allocated via order 0, migratetype Movable, gfp_mask 0x140dca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_ZERO), pid 4923, tgid 4923 (sshd), ts 47437741430, free_ts 47534633734 [ 56.037104][ T142] post_alloc_hook+0x2d0/0x350 [ 56.041987][ T142] get_page_from_freelist+0xa25/0x36d0 [ 56.047463][ T142] __alloc_pages+0x22e/0x2420 [ 56.052158][ T142] alloc_pages_mpol+0x258/0x5f0 [ 56.057102][ T142] vma_alloc_folio+0xad/0x220 [ 56.061765][ T142] __handle_mm_fault+0xe07/0x3d70 [ 56.066779][ T142] handle_mm_fault+0x47a/0xa10 [ 56.071538][ T142] do_user_addr_fault+0x30b/0x1000 [ 56.076666][ T142] exc_page_fault+0x5d/0xc0 [ 56.081169][ T142] asm_exc_page_fault+0x26/0x30 [ 56.086097][ T142] page last free stack trace: [ 56.090750][ T142] free_unref_page_prepare+0x4fa/0xaa0 [ 56.096201][ T142] free_unref_page_list+0xe6/0xb40 [ 56.101304][ T142] release_pages+0x32a/0x14f0 [ 56.105989][ T142] tlb_batch_pages_flush+0x9a/0x190 [ 56.111295][ T142] tlb_finish_mmu+0x14b/0x6f0 [ 56.115958][ T142] unmap_region.constprop.0+0x2e6/0x3b0 [ 56.121505][ T142] do_vmi_align_munmap+0xde6/0x1600 [ 56.126691][ T142] do_vmi_munmap+0x20e/0x450 [ 56.131293][ T142] __vm_munmap+0x144/0x390 [ 56.135699][ T142] __x64_sys_munmap+0x62/0x80 [ 56.140380][ T142] do_syscall_64+0x40/0x110 [ 56.144893][ T142] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 56.150781][ T142] [ 56.153091][ T142] Memory state around the buggy address: [ 56.158805][ T142] ffff88807dbdda80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.166855][ T142] ffff88807dbddb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.174910][ T142] >ffff88807dbddb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.182959][ T142] ^ [ 56.190680][ T142] ffff88807dbddc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.198727][ T142] ffff88807dbddc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 56.207226][ T142] ================================================================== [ 56.216056][ T142] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 56.223277][ T142] CPU: 1 PID: 142 Comm: kworker/u4:5 Not tainted 6.7.0-rc5-syzkaller-00042-g88035e5694a8 #0 [ 56.233340][ T142] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 [ 56.243396][ T142] Workqueue: writeback wb_workfn (flush-7:0) [ 56.249387][ T142] Call Trace: [ 56.252661][ T142] [ 56.255602][ T142] dump_stack_lvl+0xd9/0x1b0 [ 56.260194][ T142] panic+0x6dc/0x790 [ 56.264090][ T142] ? panic_smp_self_stop+0xa0/0xa0 [ 56.269200][ T142] ? preempt_schedule_thunk+0x1a/0x30 [ 56.274579][ T142] ? preempt_schedule_common+0x45/0xc0 [ 56.280048][ T142] ? check_panic_on_warn+0x1f/0xb0 [ 56.285338][ T142] check_panic_on_warn+0xab/0xb0 [ 56.290285][ T142] end_report+0x108/0x150 [ 56.294636][ T142] kasan_report+0xea/0x110 [ 56.299062][ T142] ? ext4_find_extent+0xbe8/0xce0 [ 56.304092][ T142] ? ext4_find_extent+0xbe8/0xce0 [ 56.309136][ T142] ext4_find_extent+0xbe8/0xce0 [ 56.313993][ T142] ext4_ext_map_blocks+0x26b/0x5ae0 [ 56.319210][ T142] ? hlock_class+0x4e/0x130 [ 56.323714][ T142] ? __lock_acquire+0x14f0/0x3b20 [ 56.328751][ T142] ? ext4_ext_release+0x10/0x10 [ 56.333601][ T142] ? __down_write_common+0x17a/0x1400 [ 56.338974][ T142] ? up_write+0x510/0x510 [ 56.343308][ T142] ? lock_sync+0x190/0x190 [ 56.347740][ T142] ? preempt_count_sub+0x160/0x160 [ 56.352856][ T142] ? ext4_es_lookup_extent+0xc7/0xbf0 [ 56.358231][ T142] ext4_map_blocks+0x619/0x1770 [ 56.363085][ T142] ? ext4_issue_zeroout+0x1f0/0x1f0 [ 56.368277][ T142] ? trace_kmem_cache_alloc+0x26/0xa0 [ 56.373700][ T142] ? ext4_alloc_io_end_vec+0x145/0x1c0 [ 56.379191][ T142] ext4_do_writepages+0x184e/0x3350 [ 56.384514][ T142] ? __ext4_mark_inode_dirty+0x810/0x810 [ 56.390157][ T142] ? print_usage_bug.part.0+0x550/0x550 [ 56.395713][ T142] ext4_writepages+0x30c/0x780 [ 56.400481][ T142] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0 [ 56.407332][ T142] ? hlock_class+0x4e/0x130 [ 56.411844][ T142] ? ext4_normal_submit_inode_data_buffers+0x1a0/0x1a0 [ 56.418699][ T142] do_writepages+0x1b4/0x690 [ 56.423298][ T142] ? writeback_set_ratelimit+0x140/0x140 [ 56.428932][ T142] ? writeback_sb_inodes+0x344/0x1080 [ 56.434297][ T142] ? find_held_lock+0x2d/0x110 [ 56.439060][ T142] ? wbc_attach_and_unlock_inode+0x446/0x910 [ 56.445044][ T142] ? reacquire_held_locks+0x4c0/0x4c0 [ 56.450426][ T142] __writeback_single_inode+0x158/0xe90 [ 56.455970][ T142] ? __mark_inode_dirty+0xd60/0xd60 [ 56.461180][ T142] ? _raw_spin_unlock+0x28/0x40 [ 56.466033][ T142] ? wbc_attach_and_unlock_inode+0x49c/0x910 [ 56.472010][ T142] writeback_sb_inodes+0x599/0x1080 [ 56.477211][ T142] ? _raw_spin_unlock+0x28/0x40 [ 56.482060][ T142] ? sync_inode_metadata+0xe0/0xe0 [ 56.487255][ T142] ? rcu_is_watching+0x12/0xb0 [ 56.492018][ T142] ? queue_io+0x3ed/0x4e0 [ 56.496347][ T142] wb_writeback+0x2a5/0xaa0 [ 56.501027][ T142] ? __writeback_inodes_wb+0x2d0/0x2d0 [ 56.506478][ T142] ? reacquire_held_locks+0x4c0/0x4c0 [ 56.511858][ T142] ? mark_held_locks+0x9f/0xe0 [ 56.516648][ T142] wb_workfn+0x29c/0xfe0 [ 56.520976][ T142] ? lockdep_hardirqs_on_prepare+0x361/0x420 [ 56.527057][ T142] ? inode_wait_for_writeback+0x30/0x30 [ 56.532625][ T142] ? lock_sync+0x190/0x190 [ 56.537130][ T142] ? lock_sync+0x190/0x190 [ 56.541574][ T142] ? reacquire_held_locks+0x4c0/0x4c0 [ 56.546965][ T142] process_one_work+0x886/0x15d0 [ 56.551910][ T142] ? lock_sync+0x190/0x190 [ 56.556616][ T142] ? workqueue_congested+0x300/0x300 [ 56.561904][ T142] ? assign_work+0x1a0/0x250 [ 56.566494][ T142] worker_thread+0x8b9/0x1290 [ 56.571176][ T142] ? __kthread_parkme+0x14b/0x220 [ 56.576197][ T142] ? process_one_work+0x15d0/0x15d0 [ 56.581431][ T142] kthread+0x2c6/0x3a0 [ 56.585500][ T142] ? _raw_spin_unlock_irq+0x23/0x50 [ 56.590695][ T142] ? kthread_complete_and_exit+0x40/0x40 [ 56.596328][ T142] ret_from_fork+0x45/0x80 [ 56.600746][ T142] ? kthread_complete_and_exit+0x40/0x40 [ 56.606379][ T142] ret_from_fork_asm+0x11/0x20 [ 56.611149][ T142] [ 56.614471][ T142] Kernel Offset: disabled [ 56.618891][ T142] Rebooting in 86400 seconds..