./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1737748365 <...> Warning: Permanently added '10.128.1.172' (ECDSA) to the list of known hosts. execve("./syz-executor1737748365", ["./syz-executor1737748365"], 0x7fffa0845330 /* 10 vars */) = 0 brk(NULL) = 0x5555565ea000 brk(0x5555565eac40) = 0x5555565eac40 arch_prctl(ARCH_SET_FS, 0x5555565ea300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x5555565ea5d0) = 4995 set_robust_list(0x5555565ea5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f01006d9610, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f01006d9ce0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f01006d96b0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f01006d9ce0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1737748365", 4096) = 28 brk(0x55555660bc40) = 0x55555660bc40 brk(0x55555660c000) = 0x55555660c000 mprotect(0x7f01007ad000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 4995 openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 write(3, "10000000000", 11) = 11 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 write(3, "20", 2) = 2 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 write(3, "100", 3) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 write(3, "7 4 1 3", 7) = 7 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 write(3, "4995", 4) = 4 close(3) = 0 getpid() = 4995 mkdir("./syzkaller.uOjLzR", 0700) = 0 chmod("./syzkaller.uOjLzR", 0777) = 0 chdir("./syzkaller.uOjLzR") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 4997 attached , child_tidptr=0x5555565ea5d0) = 4997 [pid 4997] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 4997] chdir("./0") = 0 [pid 4997] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4997] setpgid(0, 0) = 0 [pid 4997] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4997] write(3, "1000", 4) = 4 [pid 4997] close(3) = 0 [pid 4997] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4997] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4997] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 4997] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4997] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4998], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 4998 ./strace-static-x86_64: Process 4998 attached [pid 4997] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4997] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4998] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 4998] memfd_create("syzkaller", 0) = 3 [pid 4998] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [ 70.821045][ T4998] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=4998 'syz-executor173' [pid 4998] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4998] munmap(0x7f00f82a8000, 16777216) = 0 [pid 4998] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4998] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4998] close(3) = 0 [pid 4998] mkdir("./file0", 0777) = 0 [ 71.094990][ T4998] loop0: detected capacity change from 0 to 32768 [ 71.111833][ T4998] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 71.120303][ T4998] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 71.133555][ T4998] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 71.143452][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 71.150492][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4998] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4998] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4998] chdir("./file0") = 0 [pid 4998] ioctl(4, LOOP_CLR_FD) = 0 [pid 4998] close(4) = 0 [pid 4998] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4997] <... futex resumed>) = 0 [pid 4998] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4997] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 4998] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 4997] <... futex resumed>) = 0 [pid 4998] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 71.199668][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 49ms [ 71.209779][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 71.215478][ T4998] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 71.254053][ T4998] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 71.262926][ T4998] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 71.262926][ T4998] inode = 12 2341 [ 71.262926][ T4998] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 71.281970][ T4998] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 71.291722][ T4998] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4998 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 4997] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 4997] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4997] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 4997] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4997] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5000], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5000 [pid 4997] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4997] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5000 attached [pid 5000] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5000] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5000] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 4997] <... futex resumed>) = 0 [pid 4997] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4997] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5000] <... futex resumed>) = 1 [pid 5000] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5000] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 4997] <... futex resumed>) = 0 [pid 5000] <... futex resumed>) = 1 [ 71.302259][ T4998] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 71.311780][ T4998] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 71.320319][ T4998] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 71.329804][ T4998] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 71.336861][ T4998] gfs2: fsid=syz:syz.0: File system withdrawn [ 71.343278][ T4998] CPU: 0 PID: 4998 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 71.353733][ T4998] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 71.363793][ T4998] Call Trace: [ 71.367073][ T4998] [ 71.370021][ T4998] dump_stack_lvl+0x1e7/0x2d0 [ 71.374742][ T4998] ? nf_tcp_handle_invalid+0x650/0x650 [ 71.380214][ T4998] ? panic+0x770/0x770 [ 71.384285][ T4998] ? kobject_uevent_env+0x54e/0x8e0 [ 71.389510][ T4998] gfs2_withdraw+0xf48/0x1550 [ 71.394206][ T4998] ? gfs2_lm+0x240/0x240 [ 71.398452][ T4998] ? gfs2_dirent_scan+0xb2/0x640 [ 71.403390][ T4998] ? panic+0x770/0x770 [ 71.407466][ T4998] ? gfs2_consist_inode_i+0xf5/0x110 [ 71.412766][ T4998] gfs2_dirent_scan+0x512/0x640 [ 71.417622][ T4998] ? gfs2_permission+0x268/0x3c0 [ 71.422575][ T4998] ? gfs2_dirent_search+0x8c0/0x8c0 [ 71.427790][ T4998] gfs2_dirent_search+0x30e/0x8c0 [ 71.432818][ T4998] ? gfs2_dirent_search+0x8c0/0x8c0 [ 71.438025][ T4998] ? generic_permission+0x1df/0x550 [ 71.443223][ T4998] ? gfs2_dir_search+0x2f0/0x2f0 [ 71.448179][ T4998] ? gfs2_permission+0x34a/0x3c0 [ 71.453143][ T4998] gfs2_dir_search+0xb2/0x2f0 [ 71.457828][ T4998] ? do_filldir_main+0x520/0x520 [ 71.462778][ T4998] ? inode_go_held+0xea/0x200 [ 71.467461][ T4998] ? gfs2_glock_wait+0x21a/0x2b0 [ 71.472423][ T4998] gfs2_lookupi+0x460/0x5d0 [ 71.476938][ T4998] ? gfs2_lookup_simple+0x180/0x180 [ 71.482145][ T4998] ? __gfs2_lookup+0xa4/0x270 [ 71.486818][ T4998] ? d_alloc_parallel+0x1262/0x13a0 [ 71.492041][ T4998] __gfs2_lookup+0xa4/0x270 [ 71.496548][ T4998] ? gfs2_atomic_open+0x230/0x230 [ 71.501664][ T4998] ? __init_waitqueue_head+0xae/0x150 [ 71.507042][ T4998] __lookup_slow+0x282/0x3e0 [ 71.511640][ T4998] ? lookup_one_len+0x2d0/0x2d0 [ 71.516501][ T4998] ? down_read+0x1b5/0x2f0 [ 71.520940][ T4998] lookup_slow+0x53/0x70 [ 71.525191][ T4998] link_path_walk+0x9c8/0xe70 [ 71.529889][ T4998] ? handle_lookup_down+0x130/0x130 [ 71.535096][ T4998] ? lockdep_hardirqs_on+0x98/0x140 [ 71.540307][ T4998] path_lookupat+0xa9/0x450 [ 71.544814][ T4998] do_o_path+0x95/0x230 [ 71.548982][ T4998] ? do_tmpfile+0x330/0x330 [ 71.553492][ T4998] ? __alloc_file+0x15a/0x230 [ 71.558173][ T4998] path_openat+0x29f0/0x3170 [ 71.562777][ T4998] ? __stack_depot_save+0x20/0x650 [ 71.567895][ T4998] ? mark_lock+0x9a/0x340 [ 71.572237][ T4998] ? kmem_cache_alloc+0x11f/0x2e0 [ 71.577271][ T4998] ? mark_lock+0x9a/0x340 [ 71.581627][ T4998] ? __lock_acquire+0x1295/0x2000 [ 71.586767][ T4998] ? do_filp_open+0x490/0x490 [ 71.591486][ T4998] do_filp_open+0x234/0x490 [ 71.596025][ T4998] ? vfs_tmpfile+0x4a0/0x4a0 [ 71.600647][ T4998] ? _raw_spin_unlock+0x28/0x40 [ 71.605514][ T4998] ? alloc_fd+0x59c/0x640 [ 71.609884][ T4998] do_sys_openat2+0x13f/0x500 [ 71.614574][ T4998] ? print_irqtrace_events+0x220/0x220 [ 71.620139][ T4998] ? do_sys_open+0x230/0x230 [ 71.624752][ T4998] ? lockdep_hardirqs_on+0x98/0x140 [ 71.629968][ T4998] ? _raw_spin_unlock_irq+0x2e/0x50 [ 71.635171][ T4998] ? ptrace_notify+0x278/0x380 [ 71.639939][ T4998] __x64_sys_openat+0x247/0x290 [ 71.644816][ T4998] ? __ia32_sys_open+0x270/0x270 [ 71.649772][ T4998] ? syscall_enter_from_user_mode+0x32/0x230 [ 71.655761][ T4998] ? syscall_enter_from_user_mode+0x8c/0x230 [ 71.661842][ T4998] do_syscall_64+0x41/0xc0 [ 71.666285][ T4998] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 71.672184][ T4998] RIP: 0033:0x7f0100724159 [ 71.676599][ T4998] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 71.696212][ T4998] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5000] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4998] <... openat resumed>) = -1 EIO (Input/output error) [pid 4998] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4998] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4997] exit_group(0 [pid 5000] <... futex resumed>) = ? [pid 4997] <... exit_group resumed>) = ? [pid 5000] +++ exited with 0 +++ [pid 4998] <... futex resumed>) = ? [pid 4998] +++ exited with 0 +++ [pid 4997] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4997, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=39 /* 0.39 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./0/binderfs") = 0 [ 71.704636][ T4998] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 71.712611][ T4998] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 71.720582][ T4998] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 71.728556][ T4998] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 71.736529][ T4998] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 71.744512][ T4998] umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5001 ./strace-static-x86_64: Process 5001 attached [pid 5001] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5001] chdir("./1") = 0 [pid 5001] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5001] setpgid(0, 0) = 0 [pid 5001] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5001] write(3, "1000", 4) = 4 [pid 5001] close(3) = 0 [pid 5001] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5001] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5001] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5001] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5001] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5002], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5002 [pid 5001] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5001] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5002 attached [pid 5002] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5002] memfd_create("syzkaller", 0) = 3 [pid 5002] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5002] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5002] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5002] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5002] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5002] close(3) = 0 [pid 5002] mkdir("./file0", 0777) = 0 [ 72.184731][ T5002] loop0: detected capacity change from 0 to 32768 [ 72.198300][ T5002] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 72.206488][ T5002] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 72.219240][ T5002] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 72.228534][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 72.235340][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5002] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5002] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5002] chdir("./file0") = 0 [pid 5002] ioctl(4, LOOP_CLR_FD) = 0 [pid 5002] close(4) = 0 [pid 5002] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5002] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5001] <... futex resumed>) = 0 [pid 5001] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5002] <... futex resumed>) = 0 [ 72.284340][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 48ms [ 72.294928][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 72.300742][ T5002] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5002] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 72.340151][ T5002] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 72.348811][ T5002] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 72.348811][ T5002] inode = 12 2341 [ 72.348811][ T5002] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 72.367469][ T5002] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 72.376538][ T5002] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5002 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5001] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5001] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5001] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5001] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5001] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5004], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5004 [pid 5001] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5001] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5004 attached [pid 5004] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5004] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5004] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5001] <... futex resumed>) = 0 [pid 5001] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5001] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5004] <... futex resumed>) = 1 [pid 5004] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5004] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5001] <... futex resumed>) = 0 [pid 5004] <... futex resumed>) = 1 [ 72.386588][ T5002] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 72.395071][ T5002] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 72.402877][ T5002] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 72.412826][ T5002] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 72.420328][ T5002] gfs2: fsid=syz:syz.0: File system withdrawn [ 72.426433][ T5002] CPU: 1 PID: 5002 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 72.436876][ T5002] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 72.446952][ T5002] Call Trace: [ 72.450239][ T5002] [ 72.453178][ T5002] dump_stack_lvl+0x1e7/0x2d0 [ 72.457886][ T5002] ? nf_tcp_handle_invalid+0x650/0x650 [ 72.463363][ T5002] ? panic+0x770/0x770 [ 72.467446][ T5002] ? kobject_uevent_env+0x54e/0x8e0 [ 72.472669][ T5002] gfs2_withdraw+0xf48/0x1550 [ 72.477373][ T5002] ? gfs2_lm+0x240/0x240 [ 72.481630][ T5002] ? gfs2_dirent_scan+0xb2/0x640 [ 72.486582][ T5002] ? panic+0x770/0x770 [ 72.490670][ T5002] ? gfs2_consist_inode_i+0xf5/0x110 [ 72.496062][ T5002] gfs2_dirent_scan+0x512/0x640 [ 72.500935][ T5002] ? gfs2_permission+0x268/0x3c0 [ 72.505906][ T5002] ? gfs2_dirent_search+0x8c0/0x8c0 [ 72.511138][ T5002] gfs2_dirent_search+0x30e/0x8c0 [ 72.516173][ T5002] ? gfs2_dirent_search+0x8c0/0x8c0 [ 72.521379][ T5002] ? generic_permission+0x1df/0x550 [ 72.526585][ T5002] ? gfs2_dir_search+0x2f0/0x2f0 [ 72.531533][ T5002] ? gfs2_permission+0x34a/0x3c0 [ 72.536491][ T5002] gfs2_dir_search+0xb2/0x2f0 [ 72.541195][ T5002] ? do_filldir_main+0x520/0x520 [ 72.546144][ T5002] ? inode_go_held+0xea/0x200 [ 72.550860][ T5002] ? gfs2_glock_wait+0x21a/0x2b0 [ 72.555850][ T5002] gfs2_lookupi+0x460/0x5d0 [ 72.560390][ T5002] ? gfs2_lookup_simple+0x180/0x180 [ 72.565615][ T5002] ? __gfs2_lookup+0xa4/0x270 [ 72.570316][ T5002] ? d_alloc_parallel+0x1262/0x13a0 [ 72.575541][ T5002] __gfs2_lookup+0xa4/0x270 [ 72.580063][ T5002] ? gfs2_atomic_open+0x230/0x230 [ 72.585104][ T5002] ? __init_waitqueue_head+0xae/0x150 [ 72.590494][ T5002] __lookup_slow+0x282/0x3e0 [ 72.595103][ T5002] ? lookup_one_len+0x2d0/0x2d0 [ 72.599974][ T5002] ? down_read+0x1b5/0x2f0 [ 72.604408][ T5002] lookup_slow+0x53/0x70 [ 72.608672][ T5002] link_path_walk+0x9c8/0xe70 [ 72.613375][ T5002] ? handle_lookup_down+0x130/0x130 [ 72.618596][ T5002] ? lockdep_hardirqs_on+0x98/0x140 [ 72.623809][ T5002] path_lookupat+0xa9/0x450 [ 72.628338][ T5002] do_o_path+0x95/0x230 [ 72.632512][ T5002] ? do_tmpfile+0x330/0x330 [ 72.637027][ T5002] ? __alloc_file+0x15a/0x230 [ 72.641719][ T5002] path_openat+0x29f0/0x3170 [ 72.646321][ T5002] ? __stack_depot_save+0x20/0x650 [ 72.651458][ T5002] ? __lock_acquire+0x1295/0x2000 [ 72.656499][ T5002] ? mark_lock+0x9a/0x340 [ 72.660842][ T5002] ? kmem_cache_alloc+0x11f/0x2e0 [ 72.665874][ T5002] ? mark_lock+0x9a/0x340 [ 72.670220][ T5002] ? __lock_acquire+0x1295/0x2000 [ 72.675263][ T5002] ? do_filp_open+0x490/0x490 [ 72.679967][ T5002] do_filp_open+0x234/0x490 [ 72.684487][ T5002] ? vfs_tmpfile+0x4a0/0x4a0 [ 72.689133][ T5002] ? _raw_spin_unlock+0x28/0x40 [ 72.694004][ T5002] ? alloc_fd+0x59c/0x640 [ 72.698364][ T5002] do_sys_openat2+0x13f/0x500 [ 72.703062][ T5002] ? print_irqtrace_events+0x220/0x220 [ 72.708540][ T5002] ? do_sys_open+0x230/0x230 [ 72.713161][ T5002] ? lockdep_hardirqs_on+0x98/0x140 [ 72.718376][ T5002] ? _raw_spin_unlock_irq+0x2e/0x50 [ 72.723585][ T5002] ? ptrace_notify+0x278/0x380 [ 72.728365][ T5002] __x64_sys_openat+0x247/0x290 [ 72.733236][ T5002] ? __ia32_sys_open+0x270/0x270 [ 72.738192][ T5002] ? syscall_enter_from_user_mode+0x32/0x230 [ 72.744185][ T5002] ? syscall_enter_from_user_mode+0x8c/0x230 [ 72.750235][ T5002] do_syscall_64+0x41/0xc0 [ 72.754674][ T5002] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 72.760581][ T5002] RIP: 0033:0x7f0100724159 [ 72.765007][ T5002] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5004] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5002] <... openat resumed>) = -1 EIO (Input/output error) [pid 5002] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5002] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5001] exit_group(0 [pid 5004] <... futex resumed>) = ? [pid 5002] <... futex resumed>) = ? [pid 5001] <... exit_group resumed>) = ? [pid 5004] +++ exited with 0 +++ [pid 5002] +++ exited with 0 +++ [pid 5001] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5001, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=39 /* 0.39 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./1/binderfs") = 0 [ 72.784656][ T5002] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 72.793086][ T5002] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 72.801063][ T5002] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 72.809041][ T5002] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 72.817040][ T5002] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 72.825569][ T5002] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 72.833558][ T5002] umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5006 ./strace-static-x86_64: Process 5006 attached [pid 5006] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5006] chdir("./2") = 0 [pid 5006] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5006] setpgid(0, 0) = 0 [pid 5006] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5006] write(3, "1000", 4) = 4 [pid 5006] close(3) = 0 [pid 5006] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5006] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5006] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5006] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5006] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5007 attached , parent_tid=[5007], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5007 [pid 5007] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5007] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5006] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5007] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5006] <... futex resumed>) = 0 [pid 5006] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5007] memfd_create("syzkaller", 0) = 3 [pid 5007] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5007] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5007] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5007] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5007] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5007] close(3) = 0 [pid 5007] mkdir("./file0", 0777) = 0 [ 73.254380][ T5007] loop0: detected capacity change from 0 to 32768 [ 73.267609][ T5007] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 73.275917][ T5007] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 73.287044][ T5007] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 73.295795][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 73.302615][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5007] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5007] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5007] chdir("./file0") = 0 [pid 5007] ioctl(4, LOOP_CLR_FD) = 0 [pid 5007] close(4) = 0 [pid 5007] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5006] <... futex resumed>) = 0 [pid 5006] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5006] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5007] <... futex resumed>) = 1 [ 73.349471][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 73.358736][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 73.364000][ T5007] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 73.380293][ T5007] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 73.389419][ T5007] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5007] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5006] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 73.389419][ T5007] inode = 12 2341 [ 73.389419][ T5007] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 73.409160][ T5007] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 73.418759][ T5007] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5007 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 73.428913][ T5007] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 73.437485][ T5007] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5006] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5006] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5006] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5006] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5009], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5009 [pid 5006] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5006] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5009 attached [pid 5009] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5009] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5009] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5006] <... futex resumed>) = 0 [pid 5006] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5006] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5009] <... futex resumed>) = 1 [pid 5009] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5009] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5006] <... futex resumed>) = 0 [pid 5009] <... futex resumed>) = 1 [ 73.444787][ T5007] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 73.454112][ T5007] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 73.460795][ T5007] gfs2: fsid=syz:syz.0: File system withdrawn [ 73.466992][ T5007] CPU: 0 PID: 5007 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 73.477423][ T5007] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 73.487516][ T5007] Call Trace: [ 73.490826][ T5007] [ 73.493792][ T5007] dump_stack_lvl+0x1e7/0x2d0 [ 73.498572][ T5007] ? nf_tcp_handle_invalid+0x650/0x650 [ 73.504074][ T5007] ? panic+0x770/0x770 [ 73.508183][ T5007] ? kobject_uevent_env+0x54e/0x8e0 [ 73.513422][ T5007] gfs2_withdraw+0xf48/0x1550 [ 73.518129][ T5007] ? gfs2_lm+0x240/0x240 [ 73.522422][ T5007] ? gfs2_dirent_scan+0xb2/0x640 [ 73.527386][ T5007] ? panic+0x770/0x770 [ 73.531488][ T5007] ? gfs2_consist_inode_i+0xf5/0x110 [ 73.536809][ T5007] gfs2_dirent_scan+0x512/0x640 [ 73.541684][ T5007] ? gfs2_permission+0x268/0x3c0 [ 73.546666][ T5007] ? gfs2_dirent_search+0x8c0/0x8c0 [ 73.551902][ T5007] gfs2_dirent_search+0x30e/0x8c0 [ 73.556961][ T5007] ? gfs2_dirent_search+0x8c0/0x8c0 [ 73.562189][ T5007] ? generic_permission+0x1df/0x550 [ 73.567421][ T5007] ? gfs2_dir_search+0x2f0/0x2f0 [ 73.572383][ T5007] ? gfs2_permission+0x34a/0x3c0 [ 73.577345][ T5007] gfs2_dir_search+0xb2/0x2f0 [ 73.582037][ T5007] ? do_filldir_main+0x520/0x520 [ 73.586985][ T5007] ? inode_go_held+0xea/0x200 [ 73.591673][ T5007] ? gfs2_glock_wait+0x21a/0x2b0 [ 73.596648][ T5007] gfs2_lookupi+0x460/0x5d0 [ 73.601179][ T5007] ? gfs2_lookup_simple+0x180/0x180 [ 73.606404][ T5007] ? __gfs2_lookup+0xa4/0x270 [ 73.611091][ T5007] ? d_alloc_parallel+0x1262/0x13a0 [ 73.616307][ T5007] __gfs2_lookup+0xa4/0x270 [ 73.620821][ T5007] ? gfs2_atomic_open+0x230/0x230 [ 73.625859][ T5007] ? __init_waitqueue_head+0xae/0x150 [ 73.631246][ T5007] __lookup_slow+0x282/0x3e0 [ 73.635848][ T5007] ? lookup_one_len+0x2d0/0x2d0 [ 73.640724][ T5007] ? down_read+0x1b5/0x2f0 [ 73.645160][ T5007] lookup_slow+0x53/0x70 [ 73.649431][ T5007] link_path_walk+0x9c8/0xe70 [ 73.654164][ T5007] ? handle_lookup_down+0x130/0x130 [ 73.659396][ T5007] ? lockdep_hardirqs_on+0x98/0x140 [ 73.664625][ T5007] path_lookupat+0xa9/0x450 [ 73.669156][ T5007] do_o_path+0x95/0x230 [ 73.673344][ T5007] ? do_tmpfile+0x330/0x330 [ 73.677870][ T5007] ? __alloc_file+0x15a/0x230 [ 73.682566][ T5007] path_openat+0x29f0/0x3170 [ 73.687178][ T5007] ? __stack_depot_save+0x20/0x650 [ 73.692298][ T5007] ? __lock_acquire+0x1295/0x2000 [ 73.697345][ T5007] ? mark_lock+0x9a/0x340 [ 73.701689][ T5007] ? kmem_cache_alloc+0x11f/0x2e0 [ 73.706721][ T5007] ? mark_lock+0x9a/0x340 [ 73.711093][ T5007] ? __lock_acquire+0x1295/0x2000 [ 73.716154][ T5007] ? do_filp_open+0x490/0x490 [ 73.720874][ T5007] do_filp_open+0x234/0x490 [ 73.725404][ T5007] ? vfs_tmpfile+0x4a0/0x4a0 [ 73.730027][ T5007] ? _raw_spin_unlock+0x28/0x40 [ 73.734900][ T5007] ? alloc_fd+0x59c/0x640 [ 73.739261][ T5007] do_sys_openat2+0x13f/0x500 [ 73.743967][ T5007] ? print_irqtrace_events+0x220/0x220 [ 73.749442][ T5007] ? do_sys_open+0x230/0x230 [ 73.754045][ T5007] ? lockdep_hardirqs_on+0x98/0x140 [ 73.759262][ T5007] ? _raw_spin_unlock_irq+0x2e/0x50 [ 73.764472][ T5007] ? ptrace_notify+0x278/0x380 [ 73.769253][ T5007] __x64_sys_openat+0x247/0x290 [ 73.774125][ T5007] ? __ia32_sys_open+0x270/0x270 [ 73.779085][ T5007] ? syscall_enter_from_user_mode+0x32/0x230 [ 73.785088][ T5007] ? syscall_enter_from_user_mode+0x8c/0x230 [ 73.791087][ T5007] do_syscall_64+0x41/0xc0 [ 73.795523][ T5007] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 73.801430][ T5007] RIP: 0033:0x7f0100724159 [ 73.805853][ T5007] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 73.825466][ T5007] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 73.833890][ T5007] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 73.841875][ T5007] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5009] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5007] <... openat resumed>) = -1 EIO (Input/output error) [pid 5007] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5007] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5006] exit_group(0 [pid 5007] <... futex resumed>) = ? [pid 5006] <... exit_group resumed>) = ? [pid 5007] +++ exited with 0 +++ [pid 5009] <... futex resumed>) = ? [pid 5009] +++ exited with 0 +++ [pid 5006] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5006, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=33 /* 0.33 s */} --- umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./2/binderfs") = 0 [ 73.849858][ T5007] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 73.857838][ T5007] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 73.865815][ T5007] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 73.873807][ T5007] umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./2/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5010 ./strace-static-x86_64: Process 5010 attached [pid 5010] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5010] chdir("./3") = 0 [pid 5010] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5010] setpgid(0, 0) = 0 [pid 5010] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5010] write(3, "1000", 4) = 4 [pid 5010] close(3) = 0 [pid 5010] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5010] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5010] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5010] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5011], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5011 [pid 5010] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5011 attached [pid 5011] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5011] memfd_create("syzkaller", 0) = 3 [pid 5011] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5011] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5011] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5011] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5011] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5011] close(3) = 0 [pid 5011] mkdir("./file0", 0777) = 0 [ 74.297557][ T5011] loop0: detected capacity change from 0 to 32768 [ 74.309803][ T5011] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 74.318093][ T5011] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 74.328619][ T5011] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 74.337637][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 74.344427][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5011] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5011] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5011] chdir("./file0") = 0 [pid 5011] ioctl(4, LOOP_CLR_FD) = 0 [pid 5011] close(4) = 0 [pid 5011] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5010] <... futex resumed>) = 0 [pid 5010] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 74.391929][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 47ms [ 74.401205][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 74.406510][ T5011] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 74.431264][ T5011] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5011] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5010] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 74.439856][ T5011] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 74.439856][ T5011] inode = 12 2341 [ 74.439856][ T5011] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 74.459144][ T5011] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 74.468695][ T5011] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5011 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 74.479732][ T5011] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5010] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5010] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5010] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5013 attached [pid 5013] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 74.488668][ T5011] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 74.496064][ T5011] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 74.505371][ T5011] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 74.513758][ T5011] gfs2: fsid=syz:syz.0: File system withdrawn [ 74.522113][ T5011] CPU: 0 PID: 5011 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 74.532605][ T5011] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [pid 5013] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5010] <... clone resumed>, parent_tid=[5013], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5013 [pid 5010] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5013] <... futex resumed>) = 0 [pid 5010] <... futex resumed>) = 1 [pid 5013] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5010] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5013] <... openat resumed>) = -1 EIO (Input/output error) [pid 5013] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5010] <... futex resumed>) = 0 [pid 5013] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5010] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5013] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5010] <... futex resumed>) = 0 [pid 5013] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 5010] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5013] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5013] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5010] <... futex resumed>) = 0 [ 74.542699][ T5011] Call Trace: [ 74.546000][ T5011] [ 74.549027][ T5011] dump_stack_lvl+0x1e7/0x2d0 [ 74.553739][ T5011] ? nf_tcp_handle_invalid+0x650/0x650 [ 74.559262][ T5011] ? panic+0x770/0x770 [ 74.563343][ T5011] ? kobject_uevent_env+0x54e/0x8e0 [ 74.568565][ T5011] gfs2_withdraw+0xf48/0x1550 [ 74.573269][ T5011] ? gfs2_lm+0x240/0x240 [ 74.577542][ T5011] ? gfs2_dirent_scan+0xb2/0x640 [ 74.582533][ T5011] ? panic+0x770/0x770 [ 74.586658][ T5011] ? gfs2_consist_inode_i+0xf5/0x110 [ 74.592350][ T5011] gfs2_dirent_scan+0x512/0x640 [ 74.597352][ T5011] ? gfs2_permission+0x268/0x3c0 [ 74.602419][ T5011] ? gfs2_dirent_search+0x8c0/0x8c0 [ 74.607654][ T5011] gfs2_dirent_search+0x30e/0x8c0 [ 74.612705][ T5011] ? gfs2_dirent_search+0x8c0/0x8c0 [ 74.618014][ T5011] ? generic_permission+0x1df/0x550 [ 74.623247][ T5011] ? gfs2_dir_search+0x2f0/0x2f0 [ 74.628209][ T5011] ? gfs2_permission+0x34a/0x3c0 [ 74.633277][ T5011] gfs2_dir_search+0xb2/0x2f0 [ 74.637967][ T5011] ? do_filldir_main+0x520/0x520 [ 74.642926][ T5011] ? inode_go_held+0xea/0x200 [ 74.647641][ T5011] ? gfs2_glock_wait+0x21a/0x2b0 [ 74.652619][ T5011] gfs2_lookupi+0x460/0x5d0 [ 74.657147][ T5011] ? gfs2_lookup_simple+0x180/0x180 [ 74.662382][ T5011] ? __gfs2_lookup+0xa4/0x270 [ 74.667077][ T5011] ? d_alloc_parallel+0x1262/0x13a0 [ 74.672331][ T5011] __gfs2_lookup+0xa4/0x270 [ 74.676887][ T5011] ? gfs2_atomic_open+0x230/0x230 [ 74.681947][ T5011] ? __init_waitqueue_head+0xae/0x150 [ 74.687420][ T5011] __lookup_slow+0x282/0x3e0 [pid 5013] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5010] exit_group(0 [pid 5013] <... futex resumed>) = ? [pid 5010] <... exit_group resumed>) = ? [pid 5013] +++ exited with 0 +++ [ 74.692041][ T5011] ? lookup_one_len+0x2d0/0x2d0 [ 74.696921][ T5011] ? down_read+0x1b5/0x2f0 [ 74.701383][ T5011] lookup_slow+0x53/0x70 [ 74.705662][ T5011] link_path_walk+0x9c8/0xe70 [ 74.710401][ T5011] ? handle_lookup_down+0x130/0x130 [ 74.715640][ T5011] ? lockdep_hardirqs_on+0x98/0x140 [ 74.720851][ T5011] path_lookupat+0xa9/0x450 [ 74.725391][ T5011] do_o_path+0x95/0x230 [ 74.729616][ T5011] ? do_tmpfile+0x330/0x330 [ 74.734156][ T5011] ? __alloc_file+0x15a/0x230 [ 74.738848][ T5011] path_openat+0x29f0/0x3170 [ 74.743557][ T5011] ? __stack_depot_save+0x20/0x650 [ 74.748699][ T5011] ? mark_lock+0x9a/0x340 [ 74.753041][ T5011] ? kmem_cache_alloc+0x11f/0x2e0 [ 74.758076][ T5011] ? mark_lock+0x9a/0x340 [ 74.762424][ T5011] ? __lock_acquire+0x1295/0x2000 [ 74.767473][ T5011] ? do_filp_open+0x490/0x490 [ 74.772198][ T5011] do_filp_open+0x234/0x490 [ 74.776716][ T5011] ? vfs_tmpfile+0x4a0/0x4a0 [ 74.781364][ T5011] ? _raw_spin_unlock+0x28/0x40 [ 74.786222][ T5011] ? alloc_fd+0x59c/0x640 [ 74.790575][ T5011] do_sys_openat2+0x13f/0x500 [ 74.795267][ T5011] ? print_irqtrace_events+0x220/0x220 [ 74.800747][ T5011] ? do_sys_open+0x230/0x230 [ 74.805353][ T5011] ? lockdep_hardirqs_on+0x98/0x140 [ 74.810567][ T5011] ? _raw_spin_unlock_irq+0x2e/0x50 [ 74.815788][ T5011] ? ptrace_notify+0x278/0x380 [ 74.820595][ T5011] __x64_sys_openat+0x247/0x290 [ 74.825481][ T5011] ? __ia32_sys_open+0x270/0x270 [ 74.830474][ T5011] ? syscall_enter_from_user_mode+0x32/0x230 [ 74.836473][ T5011] ? syscall_enter_from_user_mode+0x8c/0x230 [ 74.842470][ T5011] do_syscall_64+0x41/0xc0 [ 74.846905][ T5011] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 74.852818][ T5011] RIP: 0033:0x7f0100724159 [ 74.857269][ T5011] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 74.876945][ T5011] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 74.885379][ T5011] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5011] <... openat resumed>) = ? [pid 5011] +++ exited with 0 +++ [pid 5010] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5010, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=39 /* 0.39 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./3/binderfs") = 0 [ 74.893364][ T5011] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 74.901349][ T5011] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 74.909464][ T5011] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 74.917464][ T5011] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 74.925462][ T5011] umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./3/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5014 ./strace-static-x86_64: Process 5014 attached [pid 5014] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5014] chdir("./4") = 0 [pid 5014] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5014] setpgid(0, 0) = 0 [pid 5014] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5014] write(3, "1000", 4) = 4 [pid 5014] close(3) = 0 [pid 5014] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5014] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5014] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5014] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5014] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5015], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5015 ./strace-static-x86_64: Process 5015 attached [pid 5014] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5015] set_robust_list(0x7f01006c89e0, 24 [pid 5014] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5015] <... set_robust_list resumed>) = 0 [pid 5015] memfd_create("syzkaller", 0) = 3 [pid 5015] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5015] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5015] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5015] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5015] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5015] close(3) = 0 [pid 5015] mkdir("./file0", 0777) = 0 [ 75.339395][ T5015] loop0: detected capacity change from 0 to 32768 [ 75.352643][ T5015] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 75.360897][ T5015] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 75.370330][ T5015] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 75.379610][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 75.386799][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5015] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5015] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5015] chdir("./file0") = 0 [pid 5015] ioctl(4, LOOP_CLR_FD) = 0 [pid 5015] close(4) = 0 [pid 5015] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5015] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5014] <... futex resumed>) = 0 [pid 5014] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5014] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5015] <... futex resumed>) = 0 [ 75.434706][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 47ms [ 75.444042][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 75.449415][ T5015] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 75.471337][ T5015] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5015] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5014] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5014] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5014] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5014] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5014] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5017], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5017 [pid 5014] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5014] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5017 attached [pid 5017] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 75.480690][ T5015] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 75.480690][ T5015] inode = 12 2341 [ 75.480690][ T5015] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 75.500320][ T5015] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 75.510370][ T5015] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5015 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 75.522573][ T5015] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 75.529940][ T5017] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 75.531649][ T5015] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 75.540362][ T5017] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 75.546947][ T5015] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 75.556624][ T5017] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5015 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 75.566432][ T5015] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [pid 5017] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5014] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5014] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5014] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5014] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5014] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5018], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5018 [pid 5014] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 75.575389][ T5017] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5017 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 75.581512][ T5015] gfs2: fsid=syz:syz.0: File system withdrawn [ 75.597549][ T5017] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 75.598171][ T5015] CPU: 0 PID: 5015 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 75.616473][ T5015] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 75.626543][ T5015] Call Trace: [ 75.629831][ T5015] [pid 5014] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5018 attached [pid 5018] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5018] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5018] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5014] <... futex resumed>) = 0 [ 75.632771][ T5015] dump_stack_lvl+0x1e7/0x2d0 [ 75.637494][ T5015] ? nf_tcp_handle_invalid+0x650/0x650 [ 75.643060][ T5015] ? panic+0x770/0x770 [ 75.647244][ T5015] ? kobject_uevent_env+0x54e/0x8e0 [ 75.652496][ T5015] gfs2_withdraw+0xf48/0x1550 [ 75.657229][ T5015] ? gfs2_lm+0x240/0x240 [ 75.661513][ T5015] ? gfs2_dirent_scan+0xb2/0x640 [ 75.666478][ T5015] ? panic+0x770/0x770 [ 75.670572][ T5015] ? gfs2_consist_inode_i+0xf5/0x110 [ 75.675966][ T5015] gfs2_dirent_scan+0x512/0x640 [ 75.680923][ T5015] ? gfs2_permission+0x268/0x3c0 [ 75.685880][ T5015] ? gfs2_dirent_search+0x8c0/0x8c0 [ 75.691095][ T5015] gfs2_dirent_search+0x30e/0x8c0 [ 75.696242][ T5015] ? gfs2_dirent_search+0x8c0/0x8c0 [ 75.701504][ T5015] ? generic_permission+0x1df/0x550 [ 75.706743][ T5015] ? gfs2_dir_search+0x2f0/0x2f0 [ 75.711789][ T5015] ? gfs2_permission+0x34a/0x3c0 [ 75.716783][ T5015] gfs2_dir_search+0xb2/0x2f0 [ 75.721477][ T5015] ? do_filldir_main+0x520/0x520 [ 75.726427][ T5015] ? inode_go_held+0xea/0x200 [ 75.731115][ T5015] ? gfs2_glock_wait+0x21a/0x2b0 [ 75.736086][ T5015] gfs2_lookupi+0x460/0x5d0 [ 75.740615][ T5015] ? gfs2_lookup_simple+0x180/0x180 [ 75.745832][ T5015] ? __gfs2_lookup+0xa4/0x270 [ 75.750537][ T5015] ? d_alloc_parallel+0x1262/0x13a0 [ 75.755760][ T5015] __gfs2_lookup+0xa4/0x270 [ 75.760279][ T5015] ? gfs2_atomic_open+0x230/0x230 [ 75.765319][ T5015] ? __init_waitqueue_head+0xae/0x150 [ 75.770708][ T5015] __lookup_slow+0x282/0x3e0 [ 75.775312][ T5015] ? lookup_one_len+0x2d0/0x2d0 [ 75.780181][ T5015] ? down_read+0x1b5/0x2f0 [ 75.784619][ T5015] lookup_slow+0x53/0x70 [ 75.788883][ T5015] link_path_walk+0x9c8/0xe70 [ 75.793589][ T5015] ? handle_lookup_down+0x130/0x130 [ 75.798808][ T5015] ? lockdep_hardirqs_on+0x98/0x140 [ 75.804021][ T5015] path_lookupat+0xa9/0x450 [ 75.808559][ T5015] do_o_path+0x95/0x230 [ 75.812732][ T5015] ? do_tmpfile+0x330/0x330 [ 75.817253][ T5015] ? __alloc_file+0x15a/0x230 [ 75.821971][ T5015] path_openat+0x29f0/0x3170 [ 75.826599][ T5015] ? __stack_depot_save+0x20/0x650 [ 75.831751][ T5015] ? mark_lock+0x9a/0x340 [ 75.836210][ T5015] ? kmem_cache_alloc+0x11f/0x2e0 [ 75.841252][ T5015] ? mark_lock+0x9a/0x340 [ 75.845615][ T5015] ? __lock_acquire+0x1295/0x2000 [ 75.850660][ T5015] ? do_filp_open+0x490/0x490 [ 75.855380][ T5015] do_filp_open+0x234/0x490 [ 75.859905][ T5015] ? vfs_tmpfile+0x4a0/0x4a0 [ 75.864533][ T5015] ? _raw_spin_unlock+0x28/0x40 [ 75.869395][ T5015] ? alloc_fd+0x59c/0x640 [ 75.873782][ T5015] do_sys_openat2+0x13f/0x500 [ 75.878479][ T5015] ? print_irqtrace_events+0x220/0x220 [ 75.883960][ T5015] ? do_sys_open+0x230/0x230 [ 75.889460][ T5015] ? lockdep_hardirqs_on+0x98/0x140 [ 75.894872][ T5015] ? _raw_spin_unlock_irq+0x2e/0x50 [ 75.900089][ T5015] ? ptrace_notify+0x278/0x380 [ 75.904877][ T5015] __x64_sys_openat+0x247/0x290 [ 75.909762][ T5015] ? __ia32_sys_open+0x270/0x270 [ 75.914817][ T5015] ? syscall_enter_from_user_mode+0x32/0x230 [ 75.920909][ T5015] ? syscall_enter_from_user_mode+0x8c/0x230 [ 75.926910][ T5015] do_syscall_64+0x41/0xc0 [ 75.931355][ T5015] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 75.937261][ T5015] RIP: 0033:0x7f0100724159 [ 75.941686][ T5015] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 75.961321][ T5015] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 75.969753][ T5015] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 75.977736][ T5015] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5018] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5015] <... openat resumed>) = -1 EIO (Input/output error) [pid 5015] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5015] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5017] <... openat resumed>) = -1 EIO (Input/output error) [pid 5017] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5017] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5014] exit_group(0 [pid 5018] <... futex resumed>) = ? [pid 5017] <... futex resumed>) = ? [pid 5014] <... exit_group resumed>) = ? [pid 5018] +++ exited with 0 +++ [pid 5017] +++ exited with 0 +++ [pid 5015] <... futex resumed>) = ? [pid 5015] +++ exited with 0 +++ [pid 5014] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5014, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=43 /* 0.43 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./4/binderfs") = 0 [ 75.985719][ T5015] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 75.993700][ T5015] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 76.001678][ T5015] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 76.009675][ T5015] umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./4/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5019 ./strace-static-x86_64: Process 5019 attached [pid 5019] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5019] chdir("./5") = 0 [pid 5019] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5019] setpgid(0, 0) = 0 [pid 5019] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5019] write(3, "1000", 4) = 4 [pid 5019] close(3) = 0 [pid 5019] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5019] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5019] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5019] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5019] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5020], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5020 [pid 5019] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5019] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5020 attached [pid 5020] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5020] memfd_create("syzkaller", 0) = 3 [pid 5020] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5020] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5020] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5020] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5020] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5020] close(3) = 0 [pid 5020] mkdir("./file0", 0777) = 0 [ 76.417448][ T5020] loop0: detected capacity change from 0 to 32768 [ 76.427794][ T5020] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 76.436005][ T5020] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 76.446992][ T5020] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 76.456246][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 76.463235][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5020] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5020] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5020] chdir("./file0") = 0 [pid 5020] ioctl(4, LOOP_CLR_FD) = 0 [pid 5020] close(4) = 0 [pid 5020] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5019] <... futex resumed>) = 0 [pid 5019] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5019] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 76.507566][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 76.515150][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 76.520639][ T5020] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 76.565105][ T5020] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 76.600093][ T5020] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 76.600093][ T5020] inode = 12 2341 [pid 5020] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5019] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5019] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5019] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5019] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5019] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5022], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5022 [pid 5019] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5019] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5022 attached [pid 5022] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 76.600093][ T5020] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 76.630968][ T5022] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 76.639903][ T5022] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 76.639903][ T5022] inode = 12 2341 [ 76.639903][ T5022] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [pid 5022] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5019] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5019] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5019] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5019] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5019] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5023], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5023 [pid 5019] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5019] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5023 attached [pid 5023] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5023] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5023] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5019] <... futex resumed>) = 0 [ 76.659445][ T5020] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 76.669591][ T5020] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5020 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 76.685638][ T5022] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 76.699082][ T5020] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5022 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 76.710102][ T5022] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5020 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 76.721068][ T5020] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 76.730525][ T5022] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5022 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 76.741180][ T5020] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 76.748701][ T5022] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 76.757444][ T5020] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 76.766263][ T5020] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 76.775210][ T5020] gfs2: fsid=syz:syz.0: File system withdrawn [ 76.781525][ T5020] CPU: 1 PID: 5020 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 76.791972][ T5020] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 76.802053][ T5020] Call Trace: [ 76.805356][ T5020] [ 76.808314][ T5020] dump_stack_lvl+0x1e7/0x2d0 [ 76.813228][ T5020] ? nf_tcp_handle_invalid+0x650/0x650 [ 76.818734][ T5020] ? panic+0x770/0x770 [ 76.822840][ T5020] ? kobject_uevent_env+0x54e/0x8e0 [ 76.828100][ T5020] gfs2_withdraw+0xf48/0x1550 [ 76.832834][ T5020] ? gfs2_lm+0x240/0x240 [ 76.837112][ T5020] ? gfs2_dirent_scan+0xb2/0x640 [ 76.842086][ T5020] ? panic+0x770/0x770 [ 76.846207][ T5020] ? gfs2_consist_inode_i+0xf5/0x110 [ 76.851546][ T5020] gfs2_dirent_scan+0x512/0x640 [ 76.856436][ T5020] ? gfs2_permission+0x268/0x3c0 [ 76.861426][ T5020] ? gfs2_dirent_search+0x8c0/0x8c0 [ 76.866751][ T5020] gfs2_dirent_search+0x30e/0x8c0 [ 76.871818][ T5020] ? gfs2_dirent_search+0x8c0/0x8c0 [ 76.877053][ T5020] ? generic_permission+0x1df/0x550 [ 76.882321][ T5020] ? gfs2_dir_search+0x2f0/0x2f0 [ 76.887296][ T5020] ? gfs2_permission+0x34a/0x3c0 [ 76.892281][ T5020] gfs2_dir_search+0xb2/0x2f0 [ 76.896997][ T5020] ? do_filldir_main+0x520/0x520 [ 76.901971][ T5020] ? inode_go_held+0xea/0x200 [ 76.906686][ T5020] ? gfs2_glock_wait+0x21a/0x2b0 [ 76.911976][ T5020] gfs2_lookupi+0x460/0x5d0 [ 76.916542][ T5020] ? gfs2_lookup_simple+0x180/0x180 [ 76.921817][ T5020] ? __gfs2_lookup+0xa4/0x270 [ 76.926534][ T5020] ? d_alloc_parallel+0x1262/0x13a0 [ 76.931795][ T5020] __gfs2_lookup+0xa4/0x270 [ 76.936354][ T5020] ? gfs2_atomic_open+0x230/0x230 [ 76.941433][ T5020] ? __init_waitqueue_head+0xae/0x150 [ 76.946856][ T5020] __lookup_slow+0x282/0x3e0 [ 76.951489][ T5020] ? lookup_one_len+0x2d0/0x2d0 [ 76.956387][ T5020] ? down_read+0x1b5/0x2f0 [ 76.960849][ T5020] lookup_slow+0x53/0x70 [ 76.965129][ T5020] link_path_walk+0x9c8/0xe70 [ 76.969867][ T5020] ? handle_lookup_down+0x130/0x130 [ 76.975111][ T5020] ? lockdep_hardirqs_on+0x98/0x140 [ 76.980349][ T5020] path_lookupat+0xa9/0x450 [ 76.984895][ T5020] do_o_path+0x95/0x230 [ 76.989090][ T5020] ? do_tmpfile+0x330/0x330 [ 76.993639][ T5020] ? __alloc_file+0x15a/0x230 [ 76.998361][ T5020] path_openat+0x29f0/0x3170 [ 77.002993][ T5020] ? __stack_depot_save+0x20/0x650 [ 77.008145][ T5020] ? mark_lock+0x9a/0x340 [ 77.012516][ T5020] ? kmem_cache_alloc+0x11f/0x2e0 [ 77.017578][ T5020] ? mark_lock+0x9a/0x340 [ 77.021952][ T5020] ? __lock_acquire+0x1295/0x2000 [ 77.027017][ T5020] ? do_filp_open+0x490/0x490 [ 77.031755][ T5020] do_filp_open+0x234/0x490 [ 77.036298][ T5020] ? vfs_tmpfile+0x4a0/0x4a0 [ 77.040950][ T5020] ? _raw_spin_unlock+0x28/0x40 [ 77.045835][ T5020] ? alloc_fd+0x59c/0x640 [ 77.050217][ T5020] do_sys_openat2+0x13f/0x500 [ 77.054935][ T5020] ? print_irqtrace_events+0x220/0x220 [ 77.060443][ T5020] ? do_sys_open+0x230/0x230 [pid 5023] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5019] exit_group(0 [pid 5023] <... futex resumed>) = ? [pid 5019] <... exit_group resumed>) = ? [pid 5023] +++ exited with 0 +++ [ 77.065080][ T5020] ? lockdep_hardirqs_on+0x98/0x140 [ 77.070315][ T5020] ? _raw_spin_unlock_irq+0x2e/0x50 [ 77.075545][ T5020] ? ptrace_notify+0x278/0x380 [ 77.080357][ T5020] __x64_sys_openat+0x247/0x290 [ 77.085252][ T5020] ? __ia32_sys_open+0x270/0x270 [ 77.090234][ T5020] ? syscall_enter_from_user_mode+0x32/0x230 [ 77.096256][ T5020] ? syscall_enter_from_user_mode+0x8c/0x230 [ 77.102277][ T5020] do_syscall_64+0x41/0xc0 [ 77.106739][ T5020] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 77.112661][ T5020] RIP: 0033:0x7f0100724159 [ 77.117084][ T5020] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 77.136710][ T5020] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 77.145161][ T5020] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 77.153190][ T5020] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5022] <... openat resumed>) = ? [pid 5020] <... openat resumed>) = ? [pid 5022] +++ exited with 0 +++ [pid 5020] +++ exited with 0 +++ [pid 5019] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5019, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=42 /* 0.42 s */} --- umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./5/binderfs") = 0 [ 77.161168][ T5020] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 77.169143][ T5020] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 77.177131][ T5020] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 77.185138][ T5020] umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./5/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5024 ./strace-static-x86_64: Process 5024 attached [pid 5024] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5024] chdir("./6") = 0 [pid 5024] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5024] setpgid(0, 0) = 0 [pid 5024] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5024] write(3, "1000", 4) = 4 [pid 5024] close(3) = 0 [pid 5024] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5024] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5024] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5024] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5024] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5025], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5025 [pid 5024] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5025 attached [pid 5025] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5024] <... futex resumed>) = 0 [pid 5024] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5025] memfd_create("syzkaller", 0) = 3 [pid 5025] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5025] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5025] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5025] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5025] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5025] close(3) = 0 [pid 5025] mkdir("./file0", 0777) = 0 [ 77.563980][ T5025] loop0: detected capacity change from 0 to 32768 [ 77.576302][ T5025] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 77.584703][ T5025] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 77.595085][ T5025] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 77.603882][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 77.610743][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5025] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5025] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5025] chdir("./file0") = 0 [pid 5025] ioctl(4, LOOP_CLR_FD) = 0 [pid 5025] close(4) = 0 [pid 5025] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5024] <... futex resumed>) = 0 [pid 5024] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5024] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5025] <... futex resumed>) = 1 [ 77.655908][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 77.663539][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 77.668937][ T5025] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 77.687988][ T5025] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 77.696501][ T5025] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5025] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5024] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 77.696501][ T5025] inode = 12 2341 [ 77.696501][ T5025] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 77.715758][ T5025] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 77.725190][ T5025] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5025 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 77.735330][ T5025] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 77.743982][ T5025] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5024] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5024] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5024] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5024] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5027], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5027 [pid 5024] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 77.751726][ T5025] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 77.760970][ T5025] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 77.767771][ T5025] gfs2: fsid=syz:syz.0: File system withdrawn [ 77.773879][ T5025] CPU: 0 PID: 5025 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 77.784498][ T5025] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 77.794566][ T5025] Call Trace: [ 77.797910][ T5025] [ 77.800935][ T5025] dump_stack_lvl+0x1e7/0x2d0 [ 77.805642][ T5025] ? nf_tcp_handle_invalid+0x650/0x650 [ 77.811123][ T5025] ? panic+0x770/0x770 [ 77.815205][ T5025] ? kobject_uevent_env+0x54e/0x8e0 [ 77.820421][ T5025] gfs2_withdraw+0xf48/0x1550 [ 77.825140][ T5025] ? gfs2_lm+0x240/0x240 [ 77.829396][ T5025] ? gfs2_dirent_scan+0xb2/0x640 [ 77.834342][ T5025] ? panic+0x770/0x770 [ 77.838440][ T5025] ? gfs2_consist_inode_i+0xf5/0x110 [ 77.843744][ T5025] gfs2_dirent_scan+0x512/0x640 [ 77.848604][ T5025] ? gfs2_permission+0x268/0x3c0 [ 77.853558][ T5025] ? gfs2_dirent_search+0x8c0/0x8c0 [ 77.858767][ T5025] gfs2_dirent_search+0x30e/0x8c0 [ 77.863806][ T5025] ? gfs2_dirent_search+0x8c0/0x8c0 [ 77.869045][ T5025] ? generic_permission+0x1df/0x550 [ 77.874284][ T5025] ? gfs2_dir_search+0x2f0/0x2f0 [ 77.879283][ T5025] ? gfs2_permission+0x34a/0x3c0 [ 77.884293][ T5025] gfs2_dir_search+0xb2/0x2f0 [ 77.889006][ T5025] ? do_filldir_main+0x520/0x520 [ 77.893956][ T5025] ? inode_go_held+0xea/0x200 [ 77.898658][ T5025] ? gfs2_glock_wait+0x21a/0x2b0 [ 77.903628][ T5025] gfs2_lookupi+0x460/0x5d0 [ 77.908153][ T5025] ? gfs2_lookup_simple+0x180/0x180 [ 77.913379][ T5025] ? __gfs2_lookup+0xa4/0x270 [ 77.918064][ T5025] ? d_alloc_parallel+0x1262/0x13a0 [ 77.923282][ T5025] __gfs2_lookup+0xa4/0x270 [ 77.927796][ T5025] ? gfs2_atomic_open+0x230/0x230 [ 77.932845][ T5025] ? __init_waitqueue_head+0xae/0x150 [ 77.938239][ T5025] __lookup_slow+0x282/0x3e0 [ 77.942846][ T5025] ? lookup_one_len+0x2d0/0x2d0 [ 77.947714][ T5025] ? down_read+0x1b5/0x2f0 [ 77.952245][ T5025] lookup_slow+0x53/0x70 [ 77.956502][ T5025] link_path_walk+0x9c8/0xe70 [ 77.961211][ T5025] ? handle_lookup_down+0x130/0x130 [ 77.966429][ T5025] ? lockdep_hardirqs_on+0x98/0x140 [ 77.971639][ T5025] path_lookupat+0xa9/0x450 [ 77.976162][ T5025] do_o_path+0x95/0x230 [ 77.980338][ T5025] ? do_tmpfile+0x330/0x330 [ 77.984865][ T5025] ? __alloc_file+0x15a/0x230 [ 77.989561][ T5025] path_openat+0x29f0/0x3170 [ 77.994251][ T5025] ? __stack_depot_save+0x20/0x650 [ 77.999380][ T5025] ? mark_lock+0x9a/0x340 [ 78.003724][ T5025] ? kmem_cache_alloc+0x11f/0x2e0 [ 78.008755][ T5025] ? mark_lock+0x9a/0x340 [ 78.013106][ T5025] ? __lock_acquire+0x1295/0x2000 [ 78.018149][ T5025] ? do_filp_open+0x490/0x490 [ 78.022850][ T5025] do_filp_open+0x234/0x490 [ 78.027367][ T5025] ? vfs_tmpfile+0x4a0/0x4a0 [ 78.031987][ T5025] ? _raw_spin_unlock+0x28/0x40 [ 78.036846][ T5025] ? alloc_fd+0x59c/0x640 [ 78.041287][ T5025] do_sys_openat2+0x13f/0x500 [ 78.045982][ T5025] ? print_irqtrace_events+0x220/0x220 [ 78.051459][ T5025] ? do_sys_open+0x230/0x230 [ 78.056068][ T5025] ? lockdep_hardirqs_on+0x98/0x140 [ 78.061280][ T5025] ? _raw_spin_unlock_irq+0x2e/0x50 [ 78.066487][ T5025] ? ptrace_notify+0x278/0x380 [ 78.071274][ T5025] __x64_sys_openat+0x247/0x290 [ 78.076146][ T5025] ? __ia32_sys_open+0x270/0x270 [ 78.081108][ T5025] ? syscall_enter_from_user_mode+0x32/0x230 [ 78.087118][ T5025] ? syscall_enter_from_user_mode+0x8c/0x230 [ 78.093118][ T5025] do_syscall_64+0x41/0xc0 [ 78.097567][ T5025] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 78.103488][ T5025] RIP: 0033:0x7f0100724159 [ 78.107912][ T5025] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 78.127540][ T5025] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 78.135966][ T5025] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 78.143944][ T5025] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5024] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5024] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5027 attached [pid 5027] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5027] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5027] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5027] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5025] <... openat resumed>) = -1 EIO (Input/output error) [pid 5025] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5025] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5024] <... futex resumed>) = 0 [pid 5024] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5024] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5024] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5028 attached , parent_tid=[5028], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5028 [pid 5024] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5024] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5028] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5028] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5028] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5024] <... futex resumed>) = 0 [pid 5024] exit_group(0 [pid 5027] <... futex resumed>) = ? [pid 5024] <... exit_group resumed>) = ? [pid 5027] +++ exited with 0 +++ [pid 5025] <... futex resumed>) = ? [pid 5025] +++ exited with 0 +++ [pid 5028] <... futex resumed>) = ? [pid 5028] +++ exited with 0 +++ [pid 5024] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5024, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./6/binderfs") = 0 [ 78.151925][ T5025] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 78.159904][ T5025] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 78.167901][ T5025] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 78.175894][ T5025] umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./6/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./6/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5029 ./strace-static-x86_64: Process 5029 attached [pid 5029] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5029] chdir("./7") = 0 [pid 5029] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5029] setpgid(0, 0) = 0 [pid 5029] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5029] write(3, "1000", 4) = 4 [pid 5029] close(3) = 0 [pid 5029] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5029] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5029] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5029] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5029] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5030 attached [pid 5030] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5029] <... clone resumed>, parent_tid=[5030], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5030 [pid 5029] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5029] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5030] memfd_create("syzkaller", 0) = 3 [pid 5030] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5030] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5030] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5030] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5030] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5030] close(3) = 0 [pid 5030] mkdir("./file0", 0777) = 0 [ 78.580439][ T5030] loop0: detected capacity change from 0 to 32768 [ 78.593773][ T5030] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 78.602096][ T5030] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 78.612372][ T5030] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 78.621379][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 78.628466][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5030] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5030] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5030] chdir("./file0") = 0 [pid 5030] ioctl(4, LOOP_CLR_FD) = 0 [pid 5030] close(4) = 0 [pid 5030] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5029] <... futex resumed>) = 0 [pid 5029] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5029] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5030] <... futex resumed>) = 1 [ 78.673045][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 78.680636][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 78.685893][ T5030] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 78.711616][ T5030] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5030] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5029] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 78.727520][ T5030] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 78.727520][ T5030] inode = 12 2341 [ 78.727520][ T5030] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 78.747130][ T5030] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 78.756287][ T5030] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5030 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 78.766434][ T5030] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5029] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5029] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5029] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5029] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5032], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5032 [pid 5029] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5029] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5032 attached [pid 5032] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5032] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5032] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5029] <... futex resumed>) = 0 [pid 5029] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5029] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5032] <... futex resumed>) = 1 [pid 5032] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5032] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5029] <... futex resumed>) = 0 [pid 5032] <... futex resumed>) = 1 [ 78.775482][ T5030] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 78.783194][ T5030] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 78.792115][ T5030] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 78.798851][ T5030] gfs2: fsid=syz:syz.0: File system withdrawn [ 78.804963][ T5030] CPU: 0 PID: 5030 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 78.815428][ T5030] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 78.825528][ T5030] Call Trace: [ 78.828825][ T5030] [ 78.831782][ T5030] dump_stack_lvl+0x1e7/0x2d0 [ 78.836492][ T5030] ? nf_tcp_handle_invalid+0x650/0x650 [ 78.841981][ T5030] ? panic+0x770/0x770 [ 78.846078][ T5030] ? kobject_uevent_env+0x54e/0x8e0 [ 78.851326][ T5030] gfs2_withdraw+0xf48/0x1550 [ 78.856054][ T5030] ? gfs2_lm+0x240/0x240 [ 78.860337][ T5030] ? gfs2_dirent_scan+0xb2/0x640 [ 78.865306][ T5030] ? panic+0x770/0x770 [ 78.869408][ T5030] ? gfs2_consist_inode_i+0xf5/0x110 [ 78.875338][ T5030] gfs2_dirent_scan+0x512/0x640 [ 78.880202][ T5030] ? gfs2_permission+0x268/0x3c0 [ 78.885169][ T5030] ? gfs2_dirent_search+0x8c0/0x8c0 [ 78.890400][ T5030] gfs2_dirent_search+0x30e/0x8c0 [ 78.895463][ T5030] ? gfs2_dirent_search+0x8c0/0x8c0 [ 78.900718][ T5030] ? generic_permission+0x1df/0x550 [ 78.906043][ T5030] ? gfs2_dir_search+0x2f0/0x2f0 [ 78.911025][ T5030] ? gfs2_permission+0x34a/0x3c0 [ 78.915994][ T5030] gfs2_dir_search+0xb2/0x2f0 [ 78.920688][ T5030] ? do_filldir_main+0x520/0x520 [ 78.925638][ T5030] ? inode_go_held+0xea/0x200 [ 78.930327][ T5030] ? gfs2_glock_wait+0x21a/0x2b0 [ 78.935283][ T5030] gfs2_lookupi+0x460/0x5d0 [ 78.939815][ T5030] ? gfs2_lookup_simple+0x180/0x180 [ 78.945038][ T5030] ? __gfs2_lookup+0xa4/0x270 [ 78.949724][ T5030] ? d_alloc_parallel+0x1262/0x13a0 [ 78.954945][ T5030] __gfs2_lookup+0xa4/0x270 [ 78.959461][ T5030] ? gfs2_atomic_open+0x230/0x230 [ 78.964591][ T5030] ? __init_waitqueue_head+0xae/0x150 [ 78.969997][ T5030] __lookup_slow+0x282/0x3e0 [ 78.974603][ T5030] ? lookup_one_len+0x2d0/0x2d0 [ 78.979478][ T5030] ? down_read+0x1b5/0x2f0 [ 78.983933][ T5030] lookup_slow+0x53/0x70 [ 78.988189][ T5030] link_path_walk+0x9c8/0xe70 [ 78.992894][ T5030] ? handle_lookup_down+0x130/0x130 [ 78.998111][ T5030] ? lockdep_hardirqs_on+0x98/0x140 [ 79.003344][ T5030] path_lookupat+0xa9/0x450 [ 79.007892][ T5030] do_o_path+0x95/0x230 [ 79.012082][ T5030] ? do_tmpfile+0x330/0x330 [ 79.016608][ T5030] ? __alloc_file+0x15a/0x230 [ 79.021306][ T5030] path_openat+0x29f0/0x3170 [ 79.025913][ T5030] ? __stack_depot_save+0x20/0x650 [ 79.031038][ T5030] ? __lock_acquire+0x1295/0x2000 [ 79.036081][ T5030] ? mark_lock+0x9a/0x340 [ 79.040423][ T5030] ? kmem_cache_alloc+0x11f/0x2e0 [ 79.045455][ T5030] ? mark_lock+0x9a/0x340 [ 79.049806][ T5030] ? __lock_acquire+0x1295/0x2000 [ 79.054845][ T5030] ? do_filp_open+0x490/0x490 [ 79.059546][ T5030] do_filp_open+0x234/0x490 [ 79.064065][ T5030] ? vfs_tmpfile+0x4a0/0x4a0 [ 79.068687][ T5030] ? _raw_spin_unlock+0x28/0x40 [ 79.073545][ T5030] ? alloc_fd+0x59c/0x640 [ 79.077902][ T5030] do_sys_openat2+0x13f/0x500 [ 79.082596][ T5030] ? print_irqtrace_events+0x220/0x220 [ 79.088082][ T5030] ? do_sys_open+0x230/0x230 [ 79.092688][ T5030] ? lockdep_hardirqs_on+0x98/0x140 [ 79.097900][ T5030] ? _raw_spin_unlock_irq+0x2e/0x50 [ 79.103110][ T5030] ? ptrace_notify+0x278/0x380 [ 79.107885][ T5030] __x64_sys_openat+0x247/0x290 [ 79.112756][ T5030] ? __ia32_sys_open+0x270/0x270 [ 79.117710][ T5030] ? syscall_enter_from_user_mode+0x32/0x230 [ 79.123703][ T5030] ? syscall_enter_from_user_mode+0x8c/0x230 [ 79.129696][ T5030] do_syscall_64+0x41/0xc0 [ 79.134141][ T5030] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 79.140047][ T5030] RIP: 0033:0x7f0100724159 [ 79.144473][ T5030] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 79.164086][ T5030] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5032] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5030] <... openat resumed>) = -1 EIO (Input/output error) [pid 5030] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5030] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5029] exit_group(0 [pid 5030] <... futex resumed>) = ? [pid 5029] <... exit_group resumed>) = ? [pid 5030] +++ exited with 0 +++ [pid 5032] <... futex resumed>) = ? [pid 5032] +++ exited with 0 +++ [pid 5029] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5029, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=34 /* 0.34 s */} --- umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./7/binderfs") = 0 [ 79.172524][ T5030] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 79.180503][ T5030] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 79.188480][ T5030] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 79.196458][ T5030] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 79.204435][ T5030] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 79.212428][ T5030] umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./7/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./7/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5033 ./strace-static-x86_64: Process 5033 attached [pid 5033] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5033] chdir("./8") = 0 [pid 5033] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5033] setpgid(0, 0) = 0 [pid 5033] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5033] write(3, "1000", 4) = 4 [pid 5033] close(3) = 0 [pid 5033] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5033] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5033] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5033] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5033] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5034], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5034 ./strace-static-x86_64: Process 5034 attached [pid 5033] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5034] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5033] <... futex resumed>) = 0 [pid 5033] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5034] memfd_create("syzkaller", 0) = 3 [pid 5034] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5034] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5034] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5034] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5034] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5034] close(3) = 0 [pid 5034] mkdir("./file0", 0777) = 0 [ 79.634752][ T5034] loop0: detected capacity change from 0 to 32768 [ 79.645463][ T5034] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 79.654534][ T5034] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 79.665301][ T5034] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 79.674499][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 79.682122][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5034] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5034] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5034] chdir("./file0") = 0 [pid 5034] ioctl(4, LOOP_CLR_FD) = 0 [pid 5034] close(4) = 0 [pid 5034] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5033] <... futex resumed>) = 0 [pid 5034] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5033] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5034] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5033] <... futex resumed>) = 0 [pid 5034] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 79.730467][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 48ms [ 79.738262][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 79.744047][ T5034] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 79.759402][ T5034] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 79.767958][ T5034] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 79.767958][ T5034] inode = 12 2341 [pid 5033] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5033] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5033] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5033] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5033] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5036], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5036 [pid 5033] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5033] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5036 attached [ 79.767958][ T5034] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 79.787711][ T5034] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 79.797686][ T5034] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5034 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 79.808360][ T5034] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 79.819615][ T5034] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5036] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5036] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [ 79.827281][ T5034] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 79.836326][ T5034] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 79.843393][ T5034] gfs2: fsid=syz:syz.0: File system withdrawn [ 79.851312][ T5034] CPU: 0 PID: 5034 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 79.861796][ T5034] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 79.871872][ T5034] Call Trace: [ 79.875166][ T5034] [pid 5036] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5036] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5033] <... futex resumed>) = 0 [pid 5033] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5033] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5036] <... futex resumed>) = 0 [pid 5036] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5036] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5033] <... futex resumed>) = 0 [pid 5036] <... futex resumed>) = 1 [ 79.878117][ T5034] dump_stack_lvl+0x1e7/0x2d0 [ 79.882836][ T5034] ? nf_tcp_handle_invalid+0x650/0x650 [ 79.888308][ T5034] ? panic+0x770/0x770 [ 79.892378][ T5034] ? kobject_uevent_env+0x54e/0x8e0 [ 79.897588][ T5034] gfs2_withdraw+0xf48/0x1550 [ 79.902285][ T5034] ? gfs2_lm+0x240/0x240 [ 79.906538][ T5034] ? gfs2_dirent_scan+0xb2/0x640 [ 79.911542][ T5034] ? panic+0x770/0x770 [ 79.915693][ T5034] ? gfs2_consist_inode_i+0xf5/0x110 [ 79.921035][ T5034] gfs2_dirent_scan+0x512/0x640 [ 79.925923][ T5034] ? gfs2_permission+0x268/0x3c0 [ 79.930904][ T5034] ? gfs2_dirent_search+0x8c0/0x8c0 [ 79.936171][ T5034] gfs2_dirent_search+0x30e/0x8c0 [ 79.941236][ T5034] ? gfs2_dirent_search+0x8c0/0x8c0 [ 79.946544][ T5034] ? generic_permission+0x1df/0x550 [ 79.951774][ T5034] ? gfs2_dir_search+0x2f0/0x2f0 [ 79.956819][ T5034] ? gfs2_permission+0x34a/0x3c0 [ 79.961803][ T5034] gfs2_dir_search+0xb2/0x2f0 [ 79.966504][ T5034] ? do_filldir_main+0x520/0x520 [ 79.971494][ T5034] ? inode_go_held+0xea/0x200 [ 79.976223][ T5034] ? gfs2_glock_wait+0x21a/0x2b0 [ 79.981193][ T5034] gfs2_lookupi+0x460/0x5d0 [ 79.985740][ T5034] ? gfs2_lookup_simple+0x180/0x180 [ 79.990977][ T5034] ? __gfs2_lookup+0xa4/0x270 [ 79.995671][ T5034] ? d_alloc_parallel+0x1262/0x13a0 [ 80.000884][ T5034] __gfs2_lookup+0xa4/0x270 [ 80.005401][ T5034] ? gfs2_atomic_open+0x230/0x230 [ 80.010549][ T5034] ? __init_waitqueue_head+0xae/0x150 [ 80.015982][ T5034] __lookup_slow+0x282/0x3e0 [ 80.020614][ T5034] ? lookup_one_len+0x2d0/0x2d0 [ 80.025517][ T5034] ? down_read+0x1b5/0x2f0 [pid 5036] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5033] exit_group(0 [pid 5036] <... futex resumed>) = ? [pid 5033] <... exit_group resumed>) = ? [pid 5036] +++ exited with 0 +++ [ 80.029970][ T5034] lookup_slow+0x53/0x70 [ 80.034243][ T5034] link_path_walk+0x9c8/0xe70 [ 80.038948][ T5034] ? handle_lookup_down+0x130/0x130 [ 80.044267][ T5034] ? lockdep_hardirqs_on+0x98/0x140 [ 80.049512][ T5034] path_lookupat+0xa9/0x450 [ 80.054060][ T5034] do_o_path+0x95/0x230 [ 80.058254][ T5034] ? do_tmpfile+0x330/0x330 [ 80.062799][ T5034] ? __alloc_file+0x15a/0x230 [ 80.067491][ T5034] path_openat+0x29f0/0x3170 [ 80.072105][ T5034] ? __stack_depot_save+0x20/0x650 [ 80.077249][ T5034] ? mark_lock+0x9a/0x340 [ 80.081615][ T5034] ? kmem_cache_alloc+0x11f/0x2e0 [ 80.086653][ T5034] ? mark_lock+0x9a/0x340 [ 80.090999][ T5034] ? __lock_acquire+0x1295/0x2000 [ 80.096041][ T5034] ? do_filp_open+0x490/0x490 [ 80.100746][ T5034] do_filp_open+0x234/0x490 [ 80.105260][ T5034] ? vfs_tmpfile+0x4a0/0x4a0 [ 80.109902][ T5034] ? _raw_spin_unlock+0x28/0x40 [ 80.114797][ T5034] ? alloc_fd+0x59c/0x640 [ 80.119164][ T5034] do_sys_openat2+0x13f/0x500 [ 80.123862][ T5034] ? print_irqtrace_events+0x220/0x220 [ 80.129335][ T5034] ? do_sys_open+0x230/0x230 [ 80.133936][ T5034] ? lockdep_hardirqs_on+0x98/0x140 [ 80.139234][ T5034] ? _raw_spin_unlock_irq+0x2e/0x50 [ 80.144443][ T5034] ? ptrace_notify+0x278/0x380 [ 80.149242][ T5034] __x64_sys_openat+0x247/0x290 [ 80.154216][ T5034] ? __ia32_sys_open+0x270/0x270 [ 80.159189][ T5034] ? syscall_enter_from_user_mode+0x32/0x230 [ 80.165233][ T5034] ? syscall_enter_from_user_mode+0x8c/0x230 [ 80.171258][ T5034] do_syscall_64+0x41/0xc0 [ 80.175707][ T5034] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 80.181614][ T5034] RIP: 0033:0x7f0100724159 [ 80.186125][ T5034] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 80.205761][ T5034] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 80.214192][ T5034] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 80.222174][ T5034] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5034] <... openat resumed>) = ? [pid 5034] +++ exited with 0 +++ [pid 5033] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5033, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=37 /* 0.37 s */} --- umount2("./8", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./8/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./8/binderfs") = 0 [ 80.230233][ T5034] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 80.238237][ T5034] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 80.246217][ T5034] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 80.254223][ T5034] umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./8/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./8/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./8") = 0 mkdir("./9", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5037 ./strace-static-x86_64: Process 5037 attached [pid 5037] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5037] chdir("./9") = 0 [pid 5037] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5037] setpgid(0, 0) = 0 [pid 5037] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5037] write(3, "1000", 4) = 4 [pid 5037] close(3) = 0 [pid 5037] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5037] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5037] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5037] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5037] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5038 attached , parent_tid=[5038], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5038 [pid 5038] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5038] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5037] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5038] <... futex resumed>) = 0 [pid 5037] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5038] memfd_create("syzkaller", 0) = 3 [pid 5038] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5038] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5038] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5038] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5038] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5038] close(3) = 0 [pid 5038] mkdir("./file0", 0777) = 0 [ 80.646498][ T5038] loop0: detected capacity change from 0 to 32768 [ 80.658212][ T5038] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 80.666637][ T5038] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 80.676943][ T5038] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 80.686294][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 80.693539][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5038] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5038] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5038] chdir("./file0") = 0 [pid 5038] ioctl(4, LOOP_CLR_FD) = 0 [pid 5038] close(4) = 0 [pid 5038] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5037] <... futex resumed>) = 0 [pid 5037] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5037] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5038] <... futex resumed>) = 1 [ 80.739269][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 80.746831][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 80.752325][ T5038] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 80.766581][ T5038] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 80.775541][ T5038] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 80.775541][ T5038] inode = 12 2341 [pid 5038] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5037] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5037] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5037] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5037] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5037] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5040 attached , parent_tid=[5040], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5040 [pid 5040] set_robust_list(0x7f00f92a79e0, 24 [pid 5037] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5037] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5040] <... set_robust_list resumed>) = 0 [pid 5040] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5040] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5037] <... futex resumed>) = 0 [pid 5037] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5037] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5040] <... futex resumed>) = 1 [ 80.775541][ T5038] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 80.794868][ T5038] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 80.804492][ T5038] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5038 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 80.814944][ T5038] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 80.826993][ T5038] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5040] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5040] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5037] <... futex resumed>) = 0 [pid 5040] <... futex resumed>) = 1 [ 80.834853][ T5038] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 80.843770][ T5038] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 80.850488][ T5038] gfs2: fsid=syz:syz.0: File system withdrawn [ 80.856576][ T5038] CPU: 0 PID: 5038 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 80.866994][ T5038] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 80.877209][ T5038] Call Trace: [ 80.880540][ T5038] [ 80.883480][ T5038] dump_stack_lvl+0x1e7/0x2d0 [ 80.888191][ T5038] ? nf_tcp_handle_invalid+0x650/0x650 [ 80.893710][ T5038] ? panic+0x770/0x770 [ 80.897790][ T5038] ? kobject_uevent_env+0x54e/0x8e0 [ 80.903027][ T5038] gfs2_withdraw+0xf48/0x1550 [ 80.907779][ T5038] ? gfs2_lm+0x240/0x240 [ 80.912042][ T5038] ? gfs2_dirent_scan+0xb2/0x640 [ 80.916991][ T5038] ? panic+0x770/0x770 [ 80.921076][ T5038] ? gfs2_consist_inode_i+0xf5/0x110 [ 80.926396][ T5038] gfs2_dirent_scan+0x512/0x640 [ 80.931274][ T5038] ? gfs2_permission+0x268/0x3c0 [ 80.936226][ T5038] ? gfs2_dirent_search+0x8c0/0x8c0 [ 80.941458][ T5038] gfs2_dirent_search+0x30e/0x8c0 [ 80.946507][ T5038] ? gfs2_dirent_search+0x8c0/0x8c0 [ 80.951742][ T5038] ? generic_permission+0x1df/0x550 [ 80.956978][ T5038] ? gfs2_dir_search+0x2f0/0x2f0 [ 80.961986][ T5038] ? gfs2_permission+0x34a/0x3c0 [ 80.966950][ T5038] gfs2_dir_search+0xb2/0x2f0 [ 80.971641][ T5038] ? do_filldir_main+0x520/0x520 [ 80.976599][ T5038] ? inode_go_held+0xea/0x200 [ 80.981296][ T5038] ? gfs2_glock_wait+0x21a/0x2b0 [ 80.986276][ T5038] gfs2_lookupi+0x460/0x5d0 [ 80.990819][ T5038] ? gfs2_lookup_simple+0x180/0x180 [ 80.996059][ T5038] ? __gfs2_lookup+0xa4/0x270 [ 81.000758][ T5038] ? d_alloc_parallel+0x1262/0x13a0 [ 81.006425][ T5038] __gfs2_lookup+0xa4/0x270 [ 81.010948][ T5038] ? gfs2_atomic_open+0x230/0x230 [ 81.016017][ T5038] ? __init_waitqueue_head+0xae/0x150 [ 81.021412][ T5038] __lookup_slow+0x282/0x3e0 [ 81.026074][ T5038] ? lookup_one_len+0x2d0/0x2d0 [ 81.030948][ T5038] ? down_read+0x1b5/0x2f0 [ 81.035391][ T5038] lookup_slow+0x53/0x70 [ 81.039655][ T5038] link_path_walk+0x9c8/0xe70 [ 81.044358][ T5038] ? handle_lookup_down+0x130/0x130 [ 81.049577][ T5038] ? lockdep_hardirqs_on+0x98/0x140 [ 81.054804][ T5038] path_lookupat+0xa9/0x450 [ 81.059339][ T5038] do_o_path+0x95/0x230 [ 81.063510][ T5038] ? do_tmpfile+0x330/0x330 [ 81.068054][ T5038] ? __alloc_file+0x15a/0x230 [ 81.072749][ T5038] path_openat+0x29f0/0x3170 [ 81.077351][ T5038] ? __stack_depot_save+0x20/0x650 [ 81.082487][ T5038] ? mark_lock+0x9a/0x340 [ 81.086847][ T5038] ? kmem_cache_alloc+0x11f/0x2e0 [ 81.091881][ T5038] ? mark_lock+0x9a/0x340 [ 81.096228][ T5038] ? __lock_acquire+0x1295/0x2000 [ 81.101270][ T5038] ? do_filp_open+0x490/0x490 [ 81.105975][ T5038] do_filp_open+0x234/0x490 [ 81.110499][ T5038] ? vfs_tmpfile+0x4a0/0x4a0 [ 81.115142][ T5038] ? _raw_spin_unlock+0x28/0x40 [ 81.120002][ T5038] ? alloc_fd+0x59c/0x640 [ 81.124368][ T5038] do_sys_openat2+0x13f/0x500 [ 81.129061][ T5038] ? print_irqtrace_events+0x220/0x220 [ 81.134539][ T5038] ? do_sys_open+0x230/0x230 [ 81.139144][ T5038] ? lockdep_hardirqs_on+0x98/0x140 [ 81.144352][ T5038] ? _raw_spin_unlock_irq+0x2e/0x50 [ 81.149561][ T5038] ? ptrace_notify+0x278/0x380 [ 81.154352][ T5038] __x64_sys_openat+0x247/0x290 [ 81.159486][ T5038] ? __ia32_sys_open+0x270/0x270 [ 81.164616][ T5038] ? syscall_enter_from_user_mode+0x32/0x230 [ 81.170625][ T5038] ? syscall_enter_from_user_mode+0x8c/0x230 [ 81.176619][ T5038] do_syscall_64+0x41/0xc0 [ 81.181055][ T5038] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 81.186959][ T5038] RIP: 0033:0x7f0100724159 [ 81.191380][ T5038] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 81.210994][ T5038] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 81.219432][ T5038] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 81.227511][ T5038] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5040] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5038] <... openat resumed>) = -1 EIO (Input/output error) [pid 5038] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5038] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5037] exit_group(0 [pid 5038] <... futex resumed>) = ? [pid 5038] +++ exited with 0 +++ [pid 5040] <... futex resumed>) = ? [pid 5037] <... exit_group resumed>) = ? [pid 5040] +++ exited with 0 +++ [pid 5037] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5037, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=32 /* 0.32 s */} --- umount2("./9", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./9/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./9/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./9/binderfs") = 0 [ 81.235492][ T5038] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 81.243473][ T5038] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 81.251551][ T5038] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 81.259543][ T5038] umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./9/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./9/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./9") = 0 mkdir("./10", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5041 ./strace-static-x86_64: Process 5041 attached [pid 5041] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5041] chdir("./10") = 0 [pid 5041] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5041] setpgid(0, 0) = 0 [pid 5041] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5041] write(3, "1000", 4) = 4 [pid 5041] close(3) = 0 [pid 5041] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5041] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5041] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5041] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5042], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5042 [pid 5041] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5042 attached [pid 5042] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5042] memfd_create("syzkaller", 0) = 3 [pid 5042] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5042] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [ 81.608987][ T7] cfg80211: failed to load regulatory.db [pid 5042] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5042] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5042] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5042] close(3) = 0 [pid 5042] mkdir("./file0", 0777) = 0 [ 81.688401][ T5042] loop0: detected capacity change from 0 to 32768 [ 81.699549][ T5042] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 81.707833][ T5042] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 81.718533][ T5042] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 81.727740][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 81.734525][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5042] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5042] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5042] chdir("./file0") = 0 [pid 5042] ioctl(4, LOOP_CLR_FD) = 0 [pid 5042] close(4) = 0 [pid 5042] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5041] <... futex resumed>) = 0 [pid 5041] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 81.774484][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 81.782230][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 81.787540][ T5042] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 81.810288][ T5042] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5042] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5041] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5041] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5041] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5041] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5044], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5044 [pid 5041] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5044 attached [pid 5044] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 81.818884][ T5042] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 81.818884][ T5042] inode = 12 2341 [ 81.818884][ T5042] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 81.838855][ T5042] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 81.848268][ T5042] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5042 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 81.858876][ T5042] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 81.864836][ T5044] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 81.868303][ T5042] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 81.876320][ T5044] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 81.883515][ T5042] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 81.892604][ T5044] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5042 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 81.901464][ T5042] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [pid 5044] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5041] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5041] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5041] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5041] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5045], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5045 [pid 5041] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5041] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5045 attached [pid 5045] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5045] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5045] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5041] <... futex resumed>) = 0 [pid 5045] <... futex resumed>) = 1 [ 81.911221][ T5044] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5044 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 81.918347][ T5042] gfs2: fsid=syz:syz.0: File system withdrawn [ 81.934957][ T5042] CPU: 1 PID: 5042 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 81.935520][ T5044] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 81.945409][ T5042] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 81.945425][ T5042] Call Trace: [ 81.945433][ T5042] [ 81.945442][ T5042] dump_stack_lvl+0x1e7/0x2d0 [ 81.945483][ T5042] ? nf_tcp_handle_invalid+0x650/0x650 [ 81.945514][ T5042] ? panic+0x770/0x770 [ 81.945538][ T5042] ? kobject_uevent_env+0x54e/0x8e0 [ 81.945575][ T5042] gfs2_withdraw+0xf48/0x1550 [ 81.945621][ T5042] ? gfs2_lm+0x240/0x240 [ 81.945648][ T5042] ? gfs2_dirent_scan+0xb2/0x640 [ 81.945674][ T5042] ? panic+0x770/0x770 [ 81.945705][ T5042] ? gfs2_consist_inode_i+0xf5/0x110 [ 82.013320][ T5042] gfs2_dirent_scan+0x512/0x640 [ 82.018211][ T5042] ? gfs2_permission+0x268/0x3c0 [ 82.023191][ T5042] ? gfs2_dirent_search+0x8c0/0x8c0 [ 82.028418][ T5042] gfs2_dirent_search+0x30e/0x8c0 [ 82.033470][ T5042] ? gfs2_dirent_search+0x8c0/0x8c0 [ 82.038691][ T5042] ? generic_permission+0x1df/0x550 [ 82.043958][ T5042] ? gfs2_dir_search+0x2f0/0x2f0 [ 82.048934][ T5042] ? gfs2_permission+0x34a/0x3c0 [ 82.053925][ T5042] gfs2_dir_search+0xb2/0x2f0 [ 82.058618][ T5042] ? do_filldir_main+0x520/0x520 [ 82.063578][ T5042] ? inode_go_held+0xea/0x200 [ 82.068290][ T5042] ? gfs2_glock_wait+0x21a/0x2b0 [pid 5045] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [ 82.073249][ T5042] gfs2_lookupi+0x460/0x5d0 [ 82.077774][ T5042] ? gfs2_lookup_simple+0x180/0x180 [ 82.082993][ T5042] ? __gfs2_lookup+0xa4/0x270 [ 82.087678][ T5042] ? d_alloc_parallel+0x1262/0x13a0 [ 82.092893][ T5042] __gfs2_lookup+0xa4/0x270 [ 82.097410][ T5042] ? gfs2_atomic_open+0x230/0x230 [ 82.102465][ T5042] ? __init_waitqueue_head+0xae/0x150 [ 82.107969][ T5042] __lookup_slow+0x282/0x3e0 [ 82.112583][ T5042] ? lookup_one_len+0x2d0/0x2d0 [ 82.117480][ T5042] ? down_read+0x1b5/0x2f0 [ 82.121953][ T5042] lookup_slow+0x53/0x70 [pid 5041] exit_group(0 [pid 5045] <... futex resumed>) = ? [pid 5041] <... exit_group resumed>) = ? [pid 5045] +++ exited with 0 +++ [ 82.126237][ T5042] link_path_walk+0x9c8/0xe70 [ 82.130946][ T5042] ? handle_lookup_down+0x130/0x130 [ 82.136174][ T5042] ? lockdep_hardirqs_on+0x98/0x140 [ 82.141417][ T5042] path_lookupat+0xa9/0x450 [ 82.145952][ T5042] do_o_path+0x95/0x230 [ 82.150123][ T5042] ? do_tmpfile+0x330/0x330 [ 82.154640][ T5042] ? __alloc_file+0x15a/0x230 [ 82.159334][ T5042] path_openat+0x29f0/0x3170 [ 82.163956][ T5042] ? __stack_depot_save+0x20/0x650 [ 82.169101][ T5042] ? mark_lock+0x9a/0x340 [ 82.173444][ T5042] ? kmem_cache_alloc+0x11f/0x2e0 [ 82.178478][ T5042] ? mark_lock+0x9a/0x340 [ 82.182821][ T5042] ? __lock_acquire+0x1295/0x2000 [ 82.187868][ T5042] ? do_filp_open+0x490/0x490 [ 82.192597][ T5042] do_filp_open+0x234/0x490 [ 82.197113][ T5042] ? vfs_tmpfile+0x4a0/0x4a0 [ 82.201735][ T5042] ? _raw_spin_unlock+0x28/0x40 [ 82.206602][ T5042] ? alloc_fd+0x59c/0x640 [ 82.210957][ T5042] do_sys_openat2+0x13f/0x500 [ 82.215646][ T5042] ? print_irqtrace_events+0x220/0x220 [ 82.221122][ T5042] ? do_sys_open+0x230/0x230 [ 82.225730][ T5042] ? lockdep_hardirqs_on+0x98/0x140 [ 82.230940][ T5042] ? _raw_spin_unlock_irq+0x2e/0x50 [ 82.236157][ T5042] ? ptrace_notify+0x278/0x380 [ 82.240953][ T5042] __x64_sys_openat+0x247/0x290 [ 82.245888][ T5042] ? __ia32_sys_open+0x270/0x270 [ 82.250949][ T5042] ? syscall_enter_from_user_mode+0x32/0x230 [ 82.256946][ T5042] ? syscall_enter_from_user_mode+0x8c/0x230 [ 82.262952][ T5042] do_syscall_64+0x41/0xc0 [ 82.267424][ T5042] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 82.273383][ T5042] RIP: 0033:0x7f0100724159 [ 82.277849][ T5042] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 82.297583][ T5042] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 82.306046][ T5042] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 82.314061][ T5042] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5044] <... openat resumed>) = ? [pid 5042] <... openat resumed>) = ? [pid 5044] +++ exited with 0 +++ [pid 5042] +++ exited with 0 +++ [pid 5041] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5041, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=48 /* 0.48 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./10", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./10/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./10/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./10/binderfs") = 0 [ 82.322060][ T5042] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 82.330065][ T5042] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 82.338047][ T5042] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 82.346043][ T5042] umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./10/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./10/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./10") = 0 mkdir("./11", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5046 ./strace-static-x86_64: Process 5046 attached [pid 5046] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5046] chdir("./11") = 0 [pid 5046] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5046] setpgid(0, 0) = 0 [pid 5046] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5046] write(3, "1000", 4) = 4 [pid 5046] close(3) = 0 [pid 5046] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5046] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5046] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5046] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5047], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5047 [pid 5046] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5047 attached [pid 5047] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5047] memfd_create("syzkaller", 0) = 3 [pid 5047] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5047] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5047] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5047] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5047] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5047] close(3) = 0 [pid 5047] mkdir("./file0", 0777) = 0 [ 82.752983][ T5047] loop0: detected capacity change from 0 to 32768 [ 82.765077][ T5047] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 82.773343][ T5047] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 82.783362][ T5047] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 82.792179][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 82.799474][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5047] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5047] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5047] chdir("./file0") = 0 [pid 5047] ioctl(4, LOOP_CLR_FD) = 0 [pid 5047] close(4) = 0 [pid 5047] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5046] <... futex resumed>) = 0 [pid 5046] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5047] <... futex resumed>) = 1 [ 82.843960][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 82.853103][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 82.858643][ T5047] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 82.873132][ T5047] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 82.882040][ T5047] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 82.882040][ T5047] inode = 12 2341 [pid 5047] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5046] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5046] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5046] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5046] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5049 attached [pid 5049] set_robust_list(0x7f00f92a79e0, 24 [pid 5046] <... clone resumed>, parent_tid=[5049], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5049 [pid 5046] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5049] <... set_robust_list resumed>) = 0 [pid 5049] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5049] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5046] <... futex resumed>) = 0 [pid 5046] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5049] <... futex resumed>) = 1 [pid 5049] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5049] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5046] <... futex resumed>) = 0 [pid 5049] <... futex resumed>) = 1 [ 82.882040][ T5047] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 82.901930][ T5047] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 82.911595][ T5047] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5047 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 82.922332][ T5047] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 82.934496][ T5047] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 82.942278][ T5047] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 82.951556][ T5047] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 82.958990][ T5047] gfs2: fsid=syz:syz.0: File system withdrawn [ 82.965087][ T5047] CPU: 0 PID: 5047 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 82.975533][ T5047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 82.985602][ T5047] Call Trace: [ 82.988908][ T5047] [ 82.991961][ T5047] dump_stack_lvl+0x1e7/0x2d0 [ 82.996694][ T5047] ? nf_tcp_handle_invalid+0x650/0x650 [ 83.002216][ T5047] ? panic+0x770/0x770 [ 83.006313][ T5047] ? kobject_uevent_env+0x54e/0x8e0 [ 83.011547][ T5047] gfs2_withdraw+0xf48/0x1550 [ 83.016300][ T5047] ? gfs2_lm+0x240/0x240 [ 83.020561][ T5047] ? gfs2_dirent_scan+0xb2/0x640 [ 83.025530][ T5047] ? panic+0x770/0x770 [ 83.029654][ T5047] ? gfs2_consist_inode_i+0xf5/0x110 [ 83.034961][ T5047] gfs2_dirent_scan+0x512/0x640 [ 83.039826][ T5047] ? gfs2_permission+0x268/0x3c0 [ 83.044801][ T5047] ? gfs2_dirent_search+0x8c0/0x8c0 [ 83.050034][ T5047] gfs2_dirent_search+0x30e/0x8c0 [ 83.055089][ T5047] ? gfs2_dirent_search+0x8c0/0x8c0 [ 83.060337][ T5047] ? generic_permission+0x1df/0x550 [ 83.065549][ T5047] ? gfs2_dir_search+0x2f0/0x2f0 [ 83.070507][ T5047] ? gfs2_permission+0x34a/0x3c0 [ 83.075484][ T5047] gfs2_dir_search+0xb2/0x2f0 [ 83.080180][ T5047] ? do_filldir_main+0x520/0x520 [ 83.085128][ T5047] ? inode_go_held+0xea/0x200 [ 83.089819][ T5047] ? gfs2_glock_wait+0x21a/0x2b0 [ 83.094780][ T5047] gfs2_lookupi+0x460/0x5d0 [ 83.099309][ T5047] ? gfs2_lookup_simple+0x180/0x180 [ 83.104528][ T5047] ? __gfs2_lookup+0xa4/0x270 [ 83.109217][ T5047] ? d_alloc_parallel+0x1262/0x13a0 [ 83.114433][ T5047] __gfs2_lookup+0xa4/0x270 [ 83.118946][ T5047] ? gfs2_atomic_open+0x230/0x230 [ 83.123984][ T5047] ? __init_waitqueue_head+0xae/0x150 [ 83.129372][ T5047] __lookup_slow+0x282/0x3e0 [ 83.133972][ T5047] ? lookup_one_len+0x2d0/0x2d0 [ 83.138840][ T5047] ? down_read+0x1b5/0x2f0 [ 83.143277][ T5047] lookup_slow+0x53/0x70 [ 83.147532][ T5047] link_path_walk+0x9c8/0xe70 [ 83.152234][ T5047] ? handle_lookup_down+0x130/0x130 [ 83.157798][ T5047] ? lockdep_hardirqs_on+0x98/0x140 [ 83.163005][ T5047] path_lookupat+0xa9/0x450 [ 83.167524][ T5047] do_o_path+0x95/0x230 [ 83.171697][ T5047] ? do_tmpfile+0x330/0x330 [ 83.176229][ T5047] ? __alloc_file+0x15a/0x230 [ 83.180924][ T5047] path_openat+0x29f0/0x3170 [ 83.185534][ T5047] ? __stack_depot_save+0x20/0x650 [ 83.190654][ T5047] ? __lock_acquire+0x1295/0x2000 [ 83.195697][ T5047] ? mark_lock+0x9a/0x340 [ 83.200040][ T5047] ? kmem_cache_alloc+0x11f/0x2e0 [ 83.205074][ T5047] ? mark_lock+0x9a/0x340 [ 83.209422][ T5047] ? __lock_acquire+0x1295/0x2000 [ 83.214457][ T5047] ? do_filp_open+0x490/0x490 [ 83.219158][ T5047] do_filp_open+0x234/0x490 [ 83.223675][ T5047] ? vfs_tmpfile+0x4a0/0x4a0 [ 83.228292][ T5047] ? _raw_spin_unlock+0x28/0x40 [ 83.233149][ T5047] ? alloc_fd+0x59c/0x640 [ 83.237502][ T5047] do_sys_openat2+0x13f/0x500 [ 83.242196][ T5047] ? print_irqtrace_events+0x220/0x220 [ 83.247677][ T5047] ? do_sys_open+0x230/0x230 [ 83.252284][ T5047] ? lockdep_hardirqs_on+0x98/0x140 [ 83.257494][ T5047] ? _raw_spin_unlock_irq+0x2e/0x50 [ 83.262697][ T5047] ? ptrace_notify+0x278/0x380 [ 83.267472][ T5047] __x64_sys_openat+0x247/0x290 [ 83.272344][ T5047] ? __ia32_sys_open+0x270/0x270 [ 83.277299][ T5047] ? syscall_enter_from_user_mode+0x32/0x230 [ 83.283311][ T5047] ? syscall_enter_from_user_mode+0x8c/0x230 [ 83.289305][ T5047] do_syscall_64+0x41/0xc0 [ 83.293758][ T5047] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 83.299682][ T5047] RIP: 0033:0x7f0100724159 [ 83.304119][ T5047] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 83.323760][ T5047] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 83.332189][ T5047] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5049] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5047] <... openat resumed>) = -1 EIO (Input/output error) [pid 5047] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5046] exit_group(0 [pid 5049] <... futex resumed>) = ? [pid 5047] <... futex resumed>) = ? [pid 5046] <... exit_group resumed>) = ? [pid 5049] +++ exited with 0 +++ [pid 5047] +++ exited with 0 +++ [pid 5046] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5046, si_uid=0, si_status=0, si_utime=0, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./11", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./11/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./11/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./11/binderfs") = 0 [ 83.340186][ T5047] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 83.348176][ T5047] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 83.356168][ T5047] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 83.364152][ T5047] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 83.372153][ T5047] umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./11/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./11/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./11") = 0 mkdir("./12", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5050 ./strace-static-x86_64: Process 5050 attached [pid 5050] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5050] chdir("./12") = 0 [pid 5050] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5050] setpgid(0, 0) = 0 [pid 5050] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5050] write(3, "1000", 4) = 4 [pid 5050] close(3) = 0 [pid 5050] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5050] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5050] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5050] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5050] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5051 attached , parent_tid=[5051], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5051 [pid 5051] set_robust_list(0x7f01006c89e0, 24 [pid 5050] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5051] <... set_robust_list resumed>) = 0 [pid 5050] <... futex resumed>) = 0 [pid 5050] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5051] memfd_create("syzkaller", 0) = 3 [pid 5051] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5051] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5051] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5051] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5051] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5051] close(3) = 0 [pid 5051] mkdir("./file0", 0777) = 0 [ 83.779455][ T5051] loop0: detected capacity change from 0 to 32768 [ 83.792611][ T5051] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 83.801082][ T5051] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 83.810701][ T5051] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 83.819597][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 83.826470][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5051] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5051] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5051] chdir("./file0") = 0 [pid 5051] ioctl(4, LOOP_CLR_FD) = 0 [pid 5051] close(4) = 0 [pid 5051] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5050] <... futex resumed>) = 0 [pid 5051] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5050] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5051] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5050] <... futex resumed>) = 0 [ 83.870313][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 83.877963][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 83.883221][ T5051] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5051] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 83.913557][ T5051] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 83.922992][ T5051] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 83.922992][ T5051] inode = 12 2341 [ 83.922992][ T5051] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 83.942366][ T5051] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 83.951637][ T5051] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5051 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5050] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5050] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5050] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5050] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5050] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5053], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5053 [pid 5050] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5050] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5053 attached [pid 5053] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5053] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5053] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5050] <... futex resumed>) = 0 [pid 5050] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5050] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5053] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5053] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5050] <... futex resumed>) = 0 [ 83.961791][ T5051] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 83.970404][ T5051] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 83.978231][ T5051] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 83.987537][ T5051] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 83.994969][ T5051] gfs2: fsid=syz:syz.0: File system withdrawn [ 84.001745][ T5051] CPU: 0 PID: 5051 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 84.012288][ T5051] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 84.022358][ T5051] Call Trace: [ 84.025647][ T5051] [ 84.028612][ T5051] dump_stack_lvl+0x1e7/0x2d0 [ 84.033315][ T5051] ? nf_tcp_handle_invalid+0x650/0x650 [ 84.038802][ T5051] ? panic+0x770/0x770 [ 84.042900][ T5051] ? kobject_uevent_env+0x54e/0x8e0 [ 84.048120][ T5051] gfs2_withdraw+0xf48/0x1550 [ 84.052847][ T5051] ? gfs2_lm+0x240/0x240 [ 84.057145][ T5051] ? gfs2_dirent_scan+0xb2/0x640 [ 84.062129][ T5051] ? panic+0x770/0x770 [ 84.066247][ T5051] ? gfs2_consist_inode_i+0xf5/0x110 [ 84.071578][ T5051] gfs2_dirent_scan+0x512/0x640 [ 84.076460][ T5051] ? gfs2_permission+0x268/0x3c0 [ 84.081539][ T5051] ? gfs2_dirent_search+0x8c0/0x8c0 [ 84.086794][ T5051] gfs2_dirent_search+0x30e/0x8c0 [ 84.091874][ T5051] ? gfs2_dirent_search+0x8c0/0x8c0 [ 84.097120][ T5051] ? generic_permission+0x1df/0x550 [ 84.102382][ T5051] ? gfs2_dir_search+0x2f0/0x2f0 [ 84.107441][ T5051] ? gfs2_permission+0x34a/0x3c0 [ 84.112462][ T5051] gfs2_dir_search+0xb2/0x2f0 [ 84.117181][ T5051] ? do_filldir_main+0x520/0x520 [ 84.122161][ T5051] ? inode_go_held+0xea/0x200 [ 84.126856][ T5051] ? gfs2_glock_wait+0x21a/0x2b0 [ 84.132084][ T5051] gfs2_lookupi+0x460/0x5d0 [ 84.136893][ T5051] ? gfs2_lookup_simple+0x180/0x180 [ 84.142118][ T5051] ? __gfs2_lookup+0xa4/0x270 [ 84.146803][ T5051] ? d_alloc_parallel+0x1262/0x13a0 [ 84.152022][ T5051] __gfs2_lookup+0xa4/0x270 [ 84.156541][ T5051] ? gfs2_atomic_open+0x230/0x230 [ 84.161617][ T5051] ? __init_waitqueue_head+0xae/0x150 [ 84.167034][ T5051] __lookup_slow+0x282/0x3e0 [ 84.171650][ T5051] ? lookup_one_len+0x2d0/0x2d0 [ 84.176534][ T5051] ? down_read+0x1b5/0x2f0 [ 84.180976][ T5051] lookup_slow+0x53/0x70 [ 84.185239][ T5051] link_path_walk+0x9c8/0xe70 [ 84.189944][ T5051] ? handle_lookup_down+0x130/0x130 [ 84.195160][ T5051] ? lockdep_hardirqs_on+0x98/0x140 [ 84.200379][ T5051] path_lookupat+0xa9/0x450 [ 84.204904][ T5051] do_o_path+0x95/0x230 [ 84.209078][ T5051] ? do_tmpfile+0x330/0x330 [ 84.213697][ T5051] ? __alloc_file+0x15a/0x230 [ 84.218394][ T5051] path_openat+0x29f0/0x3170 [ 84.223018][ T5051] ? __stack_depot_save+0x20/0x650 [ 84.228152][ T5051] ? mark_lock+0x9a/0x340 [ 84.232494][ T5051] ? kmem_cache_alloc+0x11f/0x2e0 [ 84.237529][ T5051] ? mark_lock+0x9a/0x340 [ 84.241879][ T5051] ? __lock_acquire+0x1295/0x2000 [ 84.246915][ T5051] ? do_filp_open+0x490/0x490 [ 84.251619][ T5051] do_filp_open+0x234/0x490 [ 84.256143][ T5051] ? vfs_tmpfile+0x4a0/0x4a0 [ 84.260770][ T5051] ? _raw_spin_unlock+0x28/0x40 [ 84.265641][ T5051] ? alloc_fd+0x59c/0x640 [ 84.270004][ T5051] do_sys_openat2+0x13f/0x500 [ 84.274700][ T5051] ? print_irqtrace_events+0x220/0x220 [ 84.280180][ T5051] ? do_sys_open+0x230/0x230 [ 84.284787][ T5051] ? lockdep_hardirqs_on+0x98/0x140 [ 84.290004][ T5051] ? _raw_spin_unlock_irq+0x2e/0x50 [ 84.295233][ T5051] ? ptrace_notify+0x278/0x380 [ 84.300013][ T5051] __x64_sys_openat+0x247/0x290 [ 84.304887][ T5051] ? __ia32_sys_open+0x270/0x270 [ 84.309949][ T5051] ? syscall_enter_from_user_mode+0x32/0x230 [ 84.315945][ T5051] ? syscall_enter_from_user_mode+0x8c/0x230 [ 84.321938][ T5051] do_syscall_64+0x41/0xc0 [ 84.326461][ T5051] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 84.332367][ T5051] RIP: 0033:0x7f0100724159 [ 84.336796][ T5051] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 84.356415][ T5051] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5053] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5051] <... openat resumed>) = -1 EIO (Input/output error) [pid 5051] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5051] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5050] exit_group(0 [pid 5051] <... futex resumed>) = ? [pid 5050] <... exit_group resumed>) = ? [pid 5053] <... futex resumed>) = ? [pid 5051] +++ exited with 0 +++ [pid 5053] +++ exited with 0 +++ [pid 5050] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5050, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=30 /* 0.30 s */} --- umount2("./12", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./12/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./12/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./12/binderfs") = 0 [ 84.364842][ T5051] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 84.372825][ T5051] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 84.380804][ T5051] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 84.388782][ T5051] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 84.396781][ T5051] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 84.404782][ T5051] umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./12/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./12/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./12") = 0 mkdir("./13", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5054 ./strace-static-x86_64: Process 5054 attached [pid 5054] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5054] chdir("./13") = 0 [pid 5054] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5054] setpgid(0, 0) = 0 [pid 5054] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5054] write(3, "1000", 4) = 4 [pid 5054] close(3) = 0 [pid 5054] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5054] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5054] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5054] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5055 attached , parent_tid=[5055], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5055 [pid 5055] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5054] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5055] memfd_create("syzkaller", 0) = 3 [pid 5055] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5055] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5055] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5055] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5055] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5055] close(3) = 0 [pid 5055] mkdir("./file0", 0777) = 0 [ 84.834896][ T5055] loop0: detected capacity change from 0 to 32768 [ 84.848219][ T5055] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 84.856430][ T5055] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 84.867498][ T5055] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 84.876081][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 84.882990][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5055] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5055] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5055] chdir("./file0") = 0 [pid 5055] ioctl(4, LOOP_CLR_FD) = 0 [pid 5055] close(4) = 0 [pid 5055] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5054] <... futex resumed>) = 0 [pid 5054] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5055] <... futex resumed>) = 1 [ 84.933691][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 50ms [ 84.942083][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 84.947748][ T5055] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 84.967427][ T5055] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 84.976012][ T5055] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5055] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5054] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 84.976012][ T5055] inode = 12 2341 [ 84.976012][ T5055] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 84.995159][ T5055] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 85.004645][ T5055] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5055 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 85.015004][ T5055] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 85.023682][ T5055] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5054] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5054] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5054] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5057 attached , parent_tid=[5057], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5057 [pid 5054] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5057] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5057] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5057] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [ 85.031303][ T5055] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 85.040216][ T5055] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 85.046879][ T5055] gfs2: fsid=syz:syz.0: File system withdrawn [ 85.055273][ T5055] CPU: 0 PID: 5055 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 85.065756][ T5055] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 85.075916][ T5055] Call Trace: [ 85.079224][ T5055] [ 85.082163][ T5055] dump_stack_lvl+0x1e7/0x2d0 [ 85.086880][ T5055] ? nf_tcp_handle_invalid+0x650/0x650 [ 85.092554][ T5055] ? panic+0x770/0x770 [ 85.096648][ T5055] ? kobject_uevent_env+0x54e/0x8e0 [ 85.101869][ T5055] gfs2_withdraw+0xf48/0x1550 [ 85.106575][ T5055] ? gfs2_lm+0x240/0x240 [ 85.110839][ T5055] ? gfs2_dirent_scan+0xb2/0x640 [ 85.115805][ T5055] ? panic+0x770/0x770 [ 85.119929][ T5055] ? gfs2_consist_inode_i+0xf5/0x110 [ 85.125245][ T5055] gfs2_dirent_scan+0x512/0x640 [ 85.130121][ T5055] ? gfs2_permission+0x268/0x3c0 [ 85.135206][ T5055] ? gfs2_dirent_search+0x8c0/0x8c0 [ 85.140422][ T5055] gfs2_dirent_search+0x30e/0x8c0 [ 85.145464][ T5055] ? gfs2_dirent_search+0x8c0/0x8c0 [ 85.150693][ T5055] ? generic_permission+0x1df/0x550 [ 85.155902][ T5055] ? gfs2_dir_search+0x2f0/0x2f0 [ 85.160864][ T5055] ? gfs2_permission+0x34a/0x3c0 [ 85.165858][ T5055] gfs2_dir_search+0xb2/0x2f0 [ 85.170583][ T5055] ? do_filldir_main+0x520/0x520 [ 85.175558][ T5055] ? inode_go_held+0xea/0x200 [ 85.180270][ T5055] ? gfs2_glock_wait+0x21a/0x2b0 [ 85.185255][ T5055] gfs2_lookupi+0x460/0x5d0 [ 85.189823][ T5055] ? gfs2_lookup_simple+0x180/0x180 [ 85.195066][ T5055] ? __gfs2_lookup+0xa4/0x270 [ 85.199756][ T5055] ? d_alloc_parallel+0x1262/0x13a0 [ 85.204983][ T5055] __gfs2_lookup+0xa4/0x270 [ 85.209499][ T5055] ? gfs2_atomic_open+0x230/0x230 [ 85.214541][ T5055] ? __init_waitqueue_head+0xae/0x150 [ 85.219944][ T5055] __lookup_slow+0x282/0x3e0 [ 85.224577][ T5055] ? lookup_one_len+0x2d0/0x2d0 [ 85.229477][ T5055] ? down_read+0x1b5/0x2f0 [ 85.233941][ T5055] lookup_slow+0x53/0x70 [ 85.238228][ T5055] link_path_walk+0x9c8/0xe70 [ 85.242967][ T5055] ? handle_lookup_down+0x130/0x130 [ 85.248235][ T5055] ? lockdep_hardirqs_on+0x98/0x140 [ 85.253475][ T5055] path_lookupat+0xa9/0x450 [ 85.258027][ T5055] do_o_path+0x95/0x230 [ 85.262231][ T5055] ? do_tmpfile+0x330/0x330 [ 85.266781][ T5055] ? __alloc_file+0x15a/0x230 [ 85.271496][ T5055] path_openat+0x29f0/0x3170 [ 85.276127][ T5055] ? __stack_depot_save+0x20/0x650 [ 85.281280][ T5055] ? mark_lock+0x9a/0x340 [ 85.285648][ T5055] ? kmem_cache_alloc+0x11f/0x2e0 [ 85.290802][ T5055] ? mark_lock+0x9a/0x340 [ 85.295181][ T5055] ? __lock_acquire+0x1295/0x2000 [ 85.300256][ T5055] ? do_filp_open+0x490/0x490 [ 85.304979][ T5055] do_filp_open+0x234/0x490 [ 85.309531][ T5055] ? vfs_tmpfile+0x4a0/0x4a0 [ 85.314188][ T5055] ? _raw_spin_unlock+0x28/0x40 [ 85.319073][ T5055] ? alloc_fd+0x59c/0x640 [ 85.323465][ T5055] do_sys_openat2+0x13f/0x500 [ 85.328183][ T5055] ? print_irqtrace_events+0x220/0x220 [ 85.333696][ T5055] ? do_sys_open+0x230/0x230 [ 85.338335][ T5055] ? lockdep_hardirqs_on+0x98/0x140 [ 85.343577][ T5055] ? _raw_spin_unlock_irq+0x2e/0x50 [ 85.348811][ T5055] ? ptrace_notify+0x278/0x380 [ 85.353625][ T5055] __x64_sys_openat+0x247/0x290 [ 85.358524][ T5055] ? __ia32_sys_open+0x270/0x270 [ 85.363505][ T5055] ? syscall_enter_from_user_mode+0x32/0x230 [ 85.369523][ T5055] ? syscall_enter_from_user_mode+0x8c/0x230 [ 85.375546][ T5055] do_syscall_64+0x41/0xc0 [ 85.380010][ T5055] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 85.385950][ T5055] RIP: 0033:0x7f0100724159 [ 85.390403][ T5055] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 85.411803][ T5055] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 85.420270][ T5055] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 85.428376][ T5055] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5057] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5055] <... openat resumed>) = -1 EIO (Input/output error) [pid 5054] <... futex resumed>) = 0 [pid 5054] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5054] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5055] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5055] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5057] <... futex resumed>) = 0 [pid 5057] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5057] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5054] <... futex resumed>) = 0 [pid 5054] exit_group(0) = ? [pid 5057] +++ exited with 0 +++ [pid 5055] <... futex resumed>) = ? [pid 5055] +++ exited with 0 +++ [pid 5054] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5054, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./13", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./13/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./13/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./13/binderfs") = 0 [ 85.436390][ T5055] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 85.444403][ T5055] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 85.452417][ T5055] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 85.460450][ T5055] umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./13/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./13/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./13") = 0 mkdir("./14", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5058 ./strace-static-x86_64: Process 5058 attached [pid 5058] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5058] chdir("./14") = 0 [pid 5058] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5058] setpgid(0, 0) = 0 [pid 5058] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5058] write(3, "1000", 4) = 4 [pid 5058] close(3) = 0 [pid 5058] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5058] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5058] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5058] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5058] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5059], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5059 ./strace-static-x86_64: Process 5059 attached [pid 5058] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5059] set_robust_list(0x7f01006c89e0, 24 [pid 5058] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5059] <... set_robust_list resumed>) = 0 [pid 5059] memfd_create("syzkaller", 0) = 3 [pid 5059] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5059] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5059] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5059] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5059] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5059] close(3) = 0 [pid 5059] mkdir("./file0", 0777) = 0 [ 85.851485][ T5059] loop0: detected capacity change from 0 to 32768 [ 85.863113][ T5059] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 85.872069][ T5059] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 85.881598][ T5059] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 85.890374][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 85.897300][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5059] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5059] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5059] chdir("./file0") = 0 [pid 5059] ioctl(4, LOOP_CLR_FD) = 0 [pid 5059] close(4) = 0 [pid 5059] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5058] <... futex resumed>) = 0 [pid 5059] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5058] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5059] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5058] <... futex resumed>) = 0 [pid 5059] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 85.946072][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 48ms [ 85.953699][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 85.959083][ T5059] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 85.974171][ T5059] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 85.982812][ T5059] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 85.982812][ T5059] inode = 12 2341 [pid 5058] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5058] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5058] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5058] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5058] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5061 attached , parent_tid=[5061], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5061 [pid 5061] set_robust_list(0x7f00f92a79e0, 24 [pid 5058] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5058] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5061] <... set_robust_list resumed>) = 0 [ 85.982812][ T5059] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 86.002752][ T5059] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 86.012483][ T5059] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5059 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 86.023076][ T5059] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 86.035163][ T5059] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5061] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5061] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5061] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5058] <... futex resumed>) = 0 [ 86.043064][ T5059] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 86.052490][ T5059] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 86.059311][ T5059] gfs2: fsid=syz:syz.0: File system withdrawn [ 86.065540][ T5059] CPU: 0 PID: 5059 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 86.076006][ T5059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 86.086096][ T5059] Call Trace: [ 86.089402][ T5059] [pid 5058] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5061] <... futex resumed>) = 0 [pid 5058] <... futex resumed>) = 1 [pid 5061] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5058] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5061] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5058] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [ 86.092342][ T5059] dump_stack_lvl+0x1e7/0x2d0 [ 86.097042][ T5059] ? nf_tcp_handle_invalid+0x650/0x650 [ 86.102528][ T5059] ? panic+0x770/0x770 [ 86.106626][ T5059] ? kobject_uevent_env+0x54e/0x8e0 [ 86.111876][ T5059] gfs2_withdraw+0xf48/0x1550 [ 86.116615][ T5059] ? gfs2_lm+0x240/0x240 [ 86.120909][ T5059] ? gfs2_dirent_scan+0xb2/0x640 [ 86.125896][ T5059] ? panic+0x770/0x770 [ 86.129994][ T5059] ? gfs2_consist_inode_i+0xf5/0x110 [ 86.135341][ T5059] gfs2_dirent_scan+0x512/0x640 [ 86.140228][ T5059] ? gfs2_permission+0x268/0x3c0 [ 86.145190][ T5059] ? gfs2_dirent_search+0x8c0/0x8c0 [ 86.150453][ T5059] gfs2_dirent_search+0x30e/0x8c0 [ 86.155526][ T5059] ? gfs2_dirent_search+0x8c0/0x8c0 [ 86.160780][ T5059] ? generic_permission+0x1df/0x550 [ 86.166006][ T5059] ? gfs2_dir_search+0x2f0/0x2f0 [ 86.170985][ T5059] ? gfs2_permission+0x34a/0x3c0 [ 86.175957][ T5059] gfs2_dir_search+0xb2/0x2f0 [ 86.180666][ T5059] ? do_filldir_main+0x520/0x520 [ 86.185617][ T5059] ? inode_go_held+0xea/0x200 [ 86.190307][ T5059] ? gfs2_glock_wait+0x21a/0x2b0 [ 86.195262][ T5059] gfs2_lookupi+0x460/0x5d0 [ 86.199788][ T5059] ? gfs2_lookup_simple+0x180/0x180 [ 86.205007][ T5059] ? __gfs2_lookup+0xa4/0x270 [ 86.209695][ T5059] ? d_alloc_parallel+0x1262/0x13a0 [ 86.214909][ T5059] __gfs2_lookup+0xa4/0x270 [ 86.219426][ T5059] ? gfs2_atomic_open+0x230/0x230 [ 86.224469][ T5059] ? __init_waitqueue_head+0xae/0x150 [ 86.229860][ T5059] __lookup_slow+0x282/0x3e0 [ 86.234550][ T5059] ? lookup_one_len+0x2d0/0x2d0 [ 86.239429][ T5059] ? down_read+0x1b5/0x2f0 [ 86.243869][ T5059] lookup_slow+0x53/0x70 [ 86.248125][ T5059] link_path_walk+0x9c8/0xe70 [ 86.252830][ T5059] ? handle_lookup_down+0x130/0x130 [ 86.258047][ T5059] ? lockdep_hardirqs_on+0x98/0x140 [ 86.263346][ T5059] path_lookupat+0xa9/0x450 [ 86.267867][ T5059] do_o_path+0x95/0x230 [ 86.272047][ T5059] ? do_tmpfile+0x330/0x330 [ 86.276595][ T5059] ? __alloc_file+0x15a/0x230 [ 86.281288][ T5059] path_openat+0x29f0/0x3170 [ 86.285902][ T5059] ? __stack_depot_save+0x20/0x650 [ 86.291042][ T5059] ? mark_lock+0x9a/0x340 [ 86.295382][ T5059] ? kmem_cache_alloc+0x11f/0x2e0 [ 86.300415][ T5059] ? mark_lock+0x9a/0x340 [ 86.304763][ T5059] ? __lock_acquire+0x1295/0x2000 [ 86.309804][ T5059] ? do_filp_open+0x490/0x490 [ 86.314518][ T5059] do_filp_open+0x234/0x490 [ 86.319044][ T5059] ? vfs_tmpfile+0x4a0/0x4a0 [ 86.323663][ T5059] ? _raw_spin_unlock+0x28/0x40 [ 86.328526][ T5059] ? alloc_fd+0x59c/0x640 [ 86.332879][ T5059] do_sys_openat2+0x13f/0x500 [ 86.337571][ T5059] ? print_irqtrace_events+0x220/0x220 [ 86.343048][ T5059] ? do_sys_open+0x230/0x230 [ 86.347676][ T5059] ? lockdep_hardirqs_on+0x98/0x140 [ 86.352885][ T5059] ? _raw_spin_unlock_irq+0x2e/0x50 [ 86.358092][ T5059] ? ptrace_notify+0x278/0x380 [ 86.362872][ T5059] __x64_sys_openat+0x247/0x290 [ 86.367742][ T5059] ? __ia32_sys_open+0x270/0x270 [ 86.372697][ T5059] ? syscall_enter_from_user_mode+0x32/0x230 [ 86.378694][ T5059] ? syscall_enter_from_user_mode+0x8c/0x230 [ 86.384705][ T5059] do_syscall_64+0x41/0xc0 [ 86.389141][ T5059] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 86.395040][ T5059] RIP: 0033:0x7f0100724159 [ 86.399463][ T5059] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 86.419079][ T5059] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 86.427511][ T5059] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 86.435508][ T5059] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5061] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5059] <... openat resumed>) = -1 EIO (Input/output error) [pid 5059] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5059] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5058] exit_group(0 [pid 5059] <... futex resumed>) = ? [pid 5058] <... exit_group resumed>) = ? [pid 5059] +++ exited with 0 +++ [pid 5061] <... futex resumed>) = ? [pid 5061] +++ exited with 0 +++ [pid 5058] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5058, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=34 /* 0.34 s */} --- umount2("./14", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./14/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./14/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 [ 86.443523][ T5059] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 86.451521][ T5059] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 86.459497][ T5059] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 86.467494][ T5059] unlink("./14/binderfs") = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./14/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./14/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./14") = 0 mkdir("./15", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5062 ./strace-static-x86_64: Process 5062 attached [pid 5062] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5062] chdir("./15") = 0 [pid 5062] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5062] setpgid(0, 0) = 0 [pid 5062] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5062] write(3, "1000", 4) = 4 [pid 5062] close(3) = 0 [pid 5062] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5062] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5062] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5062] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5062] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5063], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5063 [pid 5062] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5063 attached ) = 0 [pid 5063] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5062] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5063] memfd_create("syzkaller", 0) = 3 [pid 5063] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5063] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5063] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5063] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5063] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5063] close(3) = 0 [pid 5063] mkdir("./file0", 0777) = 0 [ 86.926887][ T5063] loop0: detected capacity change from 0 to 32768 [ 86.937990][ T5063] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 86.946208][ T5063] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 86.957304][ T5063] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 86.966231][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 86.973228][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5063] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5063] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5063] chdir("./file0") = 0 [pid 5063] ioctl(4, LOOP_CLR_FD) = 0 [pid 5063] close(4) = 0 [pid 5063] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5062] <... futex resumed>) = 0 [pid 5063] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 87.014672][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 87.023420][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 87.028779][ T5063] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5062] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 87.062479][ T5063] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 87.076896][ T5063] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 87.076896][ T5063] inode = 12 2341 [ 87.076896][ T5063] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 87.096212][ T5063] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [pid 5062] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5062] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5062] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5062] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5062] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5065], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5065 [pid 5062] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5062] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5065 attached [pid 5065] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5065] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5065] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5062] <... futex resumed>) = 0 [pid 5062] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5062] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5065] <... futex resumed>) = 1 [pid 5065] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [ 87.105768][ T5063] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5063 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 87.116048][ T5063] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 87.124602][ T5063] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 87.132037][ T5063] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 87.140945][ T5063] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 87.149654][ T5063] gfs2: fsid=syz:syz.0: File system withdrawn [pid 5065] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5062] <... futex resumed>) = 0 [pid 5065] <... futex resumed>) = 1 [ 87.155774][ T5063] CPU: 0 PID: 5063 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 87.166230][ T5063] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 87.176329][ T5063] Call Trace: [ 87.179646][ T5063] [ 87.182582][ T5063] dump_stack_lvl+0x1e7/0x2d0 [ 87.187280][ T5063] ? nf_tcp_handle_invalid+0x650/0x650 [ 87.192755][ T5063] ? panic+0x770/0x770 [ 87.196837][ T5063] ? kobject_uevent_env+0x54e/0x8e0 [ 87.202070][ T5063] gfs2_withdraw+0xf48/0x1550 [ 87.206814][ T5063] ? gfs2_lm+0x240/0x240 [ 87.211111][ T5063] ? gfs2_dirent_scan+0xb2/0x640 [ 87.216077][ T5063] ? panic+0x770/0x770 [ 87.220161][ T5063] ? gfs2_consist_inode_i+0xf5/0x110 [ 87.225480][ T5063] gfs2_dirent_scan+0x512/0x640 [ 87.230359][ T5063] ? gfs2_permission+0x268/0x3c0 [ 87.235319][ T5063] ? gfs2_dirent_search+0x8c0/0x8c0 [ 87.240563][ T5063] gfs2_dirent_search+0x30e/0x8c0 [ 87.245605][ T5063] ? gfs2_dirent_search+0x8c0/0x8c0 [ 87.250815][ T5063] ? generic_permission+0x1df/0x550 [ 87.256034][ T5063] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5065] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5062] exit_group(0 [pid 5065] <... futex resumed>) = ? [pid 5062] <... exit_group resumed>) = ? [pid 5065] +++ exited with 0 +++ [ 87.261021][ T5063] ? gfs2_permission+0x34a/0x3c0 [ 87.266015][ T5063] gfs2_dir_search+0xb2/0x2f0 [ 87.270744][ T5063] ? do_filldir_main+0x520/0x520 [ 87.275711][ T5063] ? inode_go_held+0xea/0x200 [ 87.280398][ T5063] ? gfs2_glock_wait+0x21a/0x2b0 [ 87.285366][ T5063] gfs2_lookupi+0x460/0x5d0 [ 87.289909][ T5063] ? gfs2_lookup_simple+0x180/0x180 [ 87.295129][ T5063] ? __gfs2_lookup+0xa4/0x270 [ 87.299843][ T5063] ? d_alloc_parallel+0x1262/0x13a0 [ 87.305074][ T5063] __gfs2_lookup+0xa4/0x270 [ 87.309606][ T5063] ? gfs2_atomic_open+0x230/0x230 [ 87.314675][ T5063] ? __init_waitqueue_head+0xae/0x150 [ 87.320085][ T5063] __lookup_slow+0x282/0x3e0 [ 87.324703][ T5063] ? lookup_one_len+0x2d0/0x2d0 [ 87.329609][ T5063] ? down_read+0x1b5/0x2f0 [ 87.334059][ T5063] lookup_slow+0x53/0x70 [ 87.338309][ T5063] link_path_walk+0x9c8/0xe70 [ 87.343022][ T5063] ? handle_lookup_down+0x130/0x130 [ 87.348258][ T5063] ? lockdep_hardirqs_on+0x98/0x140 [ 87.353468][ T5063] path_lookupat+0xa9/0x450 [ 87.357986][ T5063] do_o_path+0x95/0x230 [ 87.362156][ T5063] ? do_tmpfile+0x330/0x330 [ 87.366670][ T5063] ? __alloc_file+0x15a/0x230 [ 87.371358][ T5063] path_openat+0x29f0/0x3170 [ 87.375977][ T5063] ? __stack_depot_save+0x20/0x650 [ 87.381122][ T5063] ? mark_lock+0x9a/0x340 [ 87.385464][ T5063] ? kmem_cache_alloc+0x11f/0x2e0 [ 87.390499][ T5063] ? mark_lock+0x9a/0x340 [ 87.394864][ T5063] ? __lock_acquire+0x1295/0x2000 [ 87.399929][ T5063] ? do_filp_open+0x490/0x490 [ 87.404647][ T5063] do_filp_open+0x234/0x490 [ 87.409162][ T5063] ? vfs_tmpfile+0x4a0/0x4a0 [ 87.413801][ T5063] ? _raw_spin_unlock+0x28/0x40 [ 87.418667][ T5063] ? alloc_fd+0x59c/0x640 [ 87.423024][ T5063] do_sys_openat2+0x13f/0x500 [ 87.427714][ T5063] ? print_irqtrace_events+0x220/0x220 [ 87.433194][ T5063] ? do_sys_open+0x230/0x230 [ 87.437805][ T5063] ? lockdep_hardirqs_on+0x98/0x140 [ 87.443099][ T5063] ? _raw_spin_unlock_irq+0x2e/0x50 [ 87.448313][ T5063] ? ptrace_notify+0x278/0x380 [ 87.453214][ T5063] __x64_sys_openat+0x247/0x290 [ 87.458091][ T5063] ? __ia32_sys_open+0x270/0x270 [ 87.463063][ T5063] ? syscall_enter_from_user_mode+0x32/0x230 [ 87.469054][ T5063] ? syscall_enter_from_user_mode+0x8c/0x230 [ 87.475060][ T5063] do_syscall_64+0x41/0xc0 [ 87.479532][ T5063] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 87.485459][ T5063] RIP: 0033:0x7f0100724159 [ 87.489878][ T5063] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5063] <... openat resumed>) = ? [pid 5063] +++ exited with 0 +++ [pid 5062] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5062, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=36 /* 0.36 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./15", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./15/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./15/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./15/binderfs") = 0 [ 87.509492][ T5063] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 87.517931][ T5063] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 87.526006][ T5063] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 87.533998][ T5063] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 87.541971][ T5063] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 87.549955][ T5063] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 87.557973][ T5063] umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./15/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./15/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./15") = 0 mkdir("./16", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5066 ./strace-static-x86_64: Process 5066 attached [pid 5066] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5066] chdir("./16") = 0 [pid 5066] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5066] setpgid(0, 0) = 0 [pid 5066] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5066] write(3, "1000", 4) = 4 [pid 5066] close(3) = 0 [pid 5066] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5066] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5066] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5066] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5067], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5067 [pid 5066] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5067 attached [pid 5067] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5067] memfd_create("syzkaller", 0) = 3 [pid 5067] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5067] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5067] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5067] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5067] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5067] close(3) = 0 [pid 5067] mkdir("./file0", 0777) = 0 [ 87.936123][ T5067] loop0: detected capacity change from 0 to 32768 [ 87.949491][ T5067] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 87.957775][ T5067] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 87.967910][ T5067] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 87.976636][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 87.983584][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5067] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5067] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5067] chdir("./file0") = 0 [pid 5067] ioctl(4, LOOP_CLR_FD) = 0 [pid 5067] close(4) = 0 [pid 5067] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5066] <... futex resumed>) = 0 [pid 5067] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5066] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5066] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5067] <... futex resumed>) = 0 [ 88.026075][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 88.035250][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 88.040725][ T5067] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5067] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5066] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5066] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5066] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5066] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5069], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5069 [pid 5066] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 88.074803][ T5067] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 88.087281][ T5067] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 88.087281][ T5067] inode = 12 2341 [ 88.087281][ T5067] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 88.106124][ T5067] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 88.115257][ T5067] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5067 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5066] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5069 attached [pid 5069] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 88.125813][ T5067] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 88.136200][ T5069] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 88.136228][ T5067] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 88.144733][ T5069] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 88.152928][ T5067] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5069] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5066] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5066] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5066] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5066] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5070], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5070 [pid 5066] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5070 attached [pid 5070] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5070] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5070] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5066] <... futex resumed>) = 0 [pid 5070] <... futex resumed>) = 1 [ 88.161065][ T5069] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5067 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 88.161109][ T5069] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5069 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 88.170784][ T5067] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 88.179905][ T5069] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 88.208549][ T5067] gfs2: fsid=syz:syz.0: File system withdrawn [ 88.214905][ T5067] CPU: 0 PID: 5067 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 88.225345][ T5067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 88.235433][ T5067] Call Trace: [ 88.238745][ T5067] [ 88.241709][ T5067] dump_stack_lvl+0x1e7/0x2d0 [ 88.246443][ T5067] ? nf_tcp_handle_invalid+0x650/0x650 [ 88.251955][ T5067] ? panic+0x770/0x770 [ 88.256052][ T5067] ? kobject_uevent_env+0x54e/0x8e0 [ 88.261291][ T5067] gfs2_withdraw+0xf48/0x1550 [ 88.266015][ T5067] ? gfs2_lm+0x240/0x240 [ 88.270281][ T5067] ? gfs2_dirent_scan+0xb2/0x640 [ 88.275239][ T5067] ? panic+0x770/0x770 [ 88.279329][ T5067] ? gfs2_consist_inode_i+0xf5/0x110 [ 88.284640][ T5067] gfs2_dirent_scan+0x512/0x640 [ 88.289504][ T5067] ? gfs2_permission+0x268/0x3c0 [ 88.294461][ T5067] ? gfs2_dirent_search+0x8c0/0x8c0 [ 88.299679][ T5067] gfs2_dirent_search+0x30e/0x8c0 [ 88.304716][ T5067] ? gfs2_dirent_search+0x8c0/0x8c0 [ 88.309925][ T5067] ? generic_permission+0x1df/0x550 [ 88.315150][ T5067] ? gfs2_dir_search+0x2f0/0x2f0 [ 88.320101][ T5067] ? gfs2_permission+0x34a/0x3c0 [ 88.325069][ T5067] gfs2_dir_search+0xb2/0x2f0 [ 88.329947][ T5067] ? do_filldir_main+0x520/0x520 [ 88.334895][ T5067] ? inode_go_held+0xea/0x200 [ 88.339585][ T5067] ? gfs2_glock_wait+0x21a/0x2b0 [ 88.344543][ T5067] gfs2_lookupi+0x460/0x5d0 [ 88.349065][ T5067] ? gfs2_lookup_simple+0x180/0x180 [ 88.354280][ T5067] ? __gfs2_lookup+0xa4/0x270 [ 88.358964][ T5067] ? d_alloc_parallel+0x1262/0x13a0 [ 88.364176][ T5067] __gfs2_lookup+0xa4/0x270 [ 88.368689][ T5067] ? gfs2_atomic_open+0x230/0x230 [ 88.373731][ T5067] ? __init_waitqueue_head+0xae/0x150 [ 88.379239][ T5067] __lookup_slow+0x282/0x3e0 [ 88.383877][ T5067] ? lookup_one_len+0x2d0/0x2d0 [ 88.388798][ T5067] ? down_read+0x1b5/0x2f0 [ 88.393251][ T5067] lookup_slow+0x53/0x70 [ 88.397523][ T5067] link_path_walk+0x9c8/0xe70 [ 88.402276][ T5067] ? handle_lookup_down+0x130/0x130 [ 88.407514][ T5067] ? lockdep_hardirqs_on+0x98/0x140 [ 88.412759][ T5067] path_lookupat+0xa9/0x450 [ 88.417421][ T5067] do_o_path+0x95/0x230 [ 88.421607][ T5067] ? do_tmpfile+0x330/0x330 [ 88.426150][ T5067] ? __alloc_file+0x15a/0x230 [ 88.430855][ T5067] path_openat+0x29f0/0x3170 [ 88.435470][ T5067] ? __stack_depot_save+0x20/0x650 [ 88.440603][ T5067] ? mark_lock+0x9a/0x340 [ 88.444959][ T5067] ? kmem_cache_alloc+0x11f/0x2e0 [ 88.450006][ T5067] ? mark_lock+0x9a/0x340 [ 88.454355][ T5067] ? __lock_acquire+0x1295/0x2000 [ 88.459566][ T5067] ? do_filp_open+0x490/0x490 [ 88.464276][ T5067] do_filp_open+0x234/0x490 [ 88.468798][ T5067] ? vfs_tmpfile+0x4a0/0x4a0 [ 88.473435][ T5067] ? _raw_spin_unlock+0x28/0x40 [ 88.478300][ T5067] ? alloc_fd+0x59c/0x640 [ 88.482665][ T5067] do_sys_openat2+0x13f/0x500 [ 88.487387][ T5067] ? print_irqtrace_events+0x220/0x220 [ 88.492883][ T5067] ? do_sys_open+0x230/0x230 [ 88.497511][ T5067] ? lockdep_hardirqs_on+0x98/0x140 [ 88.502736][ T5067] ? _raw_spin_unlock_irq+0x2e/0x50 [ 88.507957][ T5067] ? ptrace_notify+0x278/0x380 [ 88.512762][ T5067] __x64_sys_openat+0x247/0x290 [ 88.517638][ T5067] ? __ia32_sys_open+0x270/0x270 [ 88.522592][ T5067] ? syscall_enter_from_user_mode+0x32/0x230 [ 88.528588][ T5067] ? syscall_enter_from_user_mode+0x8c/0x230 [ 88.534582][ T5067] do_syscall_64+0x41/0xc0 [ 88.539015][ T5067] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 88.544916][ T5067] RIP: 0033:0x7f0100724159 [ 88.549340][ T5067] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 88.568957][ T5067] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5070] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5067] <... openat resumed>) = -1 EIO (Input/output error) [pid 5067] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5069] <... openat resumed>) = -1 EIO (Input/output error) [pid 5067] <... futex resumed>) = 0 [pid 5069] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5067] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5069] <... futex resumed>) = 0 [pid 5066] exit_group(0 [pid 5067] <... futex resumed>) = ? [pid 5066] <... exit_group resumed>) = ? [pid 5070] <... futex resumed>) = ? [pid 5067] +++ exited with 0 +++ [pid 5070] +++ exited with 0 +++ [pid 5069] +++ exited with 0 +++ [pid 5066] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5066, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=45 /* 0.45 s */} --- umount2("./16", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./16/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./16/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./16/binderfs") = 0 [ 88.577393][ T5067] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 88.585372][ T5067] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 88.593357][ T5067] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 88.601336][ T5067] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 88.609329][ T5067] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 88.617326][ T5067] umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./16/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./16/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./16") = 0 mkdir("./17", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5071 ./strace-static-x86_64: Process 5071 attached [pid 5071] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5071] chdir("./17") = 0 [pid 5071] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5071] setpgid(0, 0) = 0 [pid 5071] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5071] write(3, "1000", 4) = 4 [pid 5071] close(3) = 0 [pid 5071] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5071] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5071] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5071] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5071] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5072], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5072 [pid 5071] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5072 attached ) = 0 [pid 5071] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5072] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5072] memfd_create("syzkaller", 0) = 3 [pid 5072] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5072] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5072] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5072] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5072] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5072] close(3) = 0 [pid 5072] mkdir("./file0", 0777) = 0 [ 89.048276][ T5072] loop0: detected capacity change from 0 to 32768 [ 89.058792][ T5072] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 89.067364][ T5072] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 89.076578][ T5072] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 89.085457][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 89.092340][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5072] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5072] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5072] chdir("./file0") = 0 [pid 5072] ioctl(4, LOOP_CLR_FD) = 0 [pid 5072] close(4) = 0 [pid 5072] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5071] <... futex resumed>) = 0 [pid 5071] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5071] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5072] <... futex resumed>) = 1 [ 89.143253][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 50ms [ 89.150824][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 89.156095][ T5072] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 89.170145][ T5072] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 89.179104][ T5072] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 89.179104][ T5072] inode = 12 2341 [pid 5072] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5071] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5071] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5071] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5071] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5071] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5074], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5074 [pid 5071] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5071] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5074 attached [pid 5074] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5074] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5074] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [ 89.179104][ T5072] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 89.199030][ T5072] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 89.209929][ T5072] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5072 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 89.223158][ T5072] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 89.232128][ T5072] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5074] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5071] <... futex resumed>) = 0 [pid 5071] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5074] <... futex resumed>) = 0 [pid 5074] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5074] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5071] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [ 89.239702][ T5072] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 89.249146][ T5072] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 89.255948][ T5072] gfs2: fsid=syz:syz.0: File system withdrawn [ 89.262542][ T5072] CPU: 0 PID: 5072 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 89.273019][ T5072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 89.283101][ T5072] Call Trace: [ 89.286384][ T5072] [ 89.289319][ T5072] dump_stack_lvl+0x1e7/0x2d0 [ 89.294033][ T5072] ? nf_tcp_handle_invalid+0x650/0x650 [ 89.299533][ T5072] ? panic+0x770/0x770 [ 89.303612][ T5072] ? kobject_uevent_env+0x54e/0x8e0 [ 89.308863][ T5072] gfs2_withdraw+0xf48/0x1550 [ 89.313626][ T5072] ? gfs2_lm+0x240/0x240 [ 89.317915][ T5072] ? gfs2_dirent_scan+0xb2/0x640 [ 89.322883][ T5072] ? panic+0x770/0x770 [ 89.326973][ T5072] ? gfs2_consist_inode_i+0xf5/0x110 [ 89.332293][ T5072] gfs2_dirent_scan+0x512/0x640 [ 89.337363][ T5072] ? gfs2_permission+0x268/0x3c0 [ 89.342329][ T5072] ? gfs2_dirent_search+0x8c0/0x8c0 [ 89.347594][ T5072] gfs2_dirent_search+0x30e/0x8c0 [ 89.352651][ T5072] ? gfs2_dirent_search+0x8c0/0x8c0 [ 89.357888][ T5072] ? generic_permission+0x1df/0x550 [ 89.363113][ T5072] ? gfs2_dir_search+0x2f0/0x2f0 [ 89.368112][ T5072] ? gfs2_permission+0x34a/0x3c0 [ 89.373082][ T5072] gfs2_dir_search+0xb2/0x2f0 [ 89.377777][ T5072] ? do_filldir_main+0x520/0x520 [ 89.382735][ T5072] ? inode_go_held+0xea/0x200 [ 89.387522][ T5072] ? gfs2_glock_wait+0x21a/0x2b0 [ 89.392567][ T5072] gfs2_lookupi+0x460/0x5d0 [ 89.397094][ T5072] ? gfs2_lookup_simple+0x180/0x180 [ 89.402312][ T5072] ? __gfs2_lookup+0xa4/0x270 [ 89.407046][ T5072] ? d_alloc_parallel+0x1262/0x13a0 [ 89.412261][ T5072] __gfs2_lookup+0xa4/0x270 [ 89.416773][ T5072] ? gfs2_atomic_open+0x230/0x230 [ 89.421813][ T5072] ? __init_waitqueue_head+0xae/0x150 [ 89.427215][ T5072] __lookup_slow+0x282/0x3e0 [ 89.431856][ T5072] ? lookup_one_len+0x2d0/0x2d0 [ 89.436755][ T5072] ? down_read+0x1b5/0x2f0 [ 89.441292][ T5072] lookup_slow+0x53/0x70 [ 89.445553][ T5072] link_path_walk+0x9c8/0xe70 [ 89.450261][ T5072] ? handle_lookup_down+0x130/0x130 [ 89.455856][ T5072] ? lockdep_hardirqs_on+0x98/0x140 [ 89.461080][ T5072] path_lookupat+0xa9/0x450 [ 89.465604][ T5072] do_o_path+0x95/0x230 [ 89.469778][ T5072] ? do_tmpfile+0x330/0x330 [ 89.474306][ T5072] ? __alloc_file+0x15a/0x230 [ 89.479010][ T5072] path_openat+0x29f0/0x3170 [ 89.483622][ T5072] ? __stack_depot_save+0x20/0x650 [ 89.488758][ T5072] ? mark_lock+0x9a/0x340 [ 89.493118][ T5072] ? kmem_cache_alloc+0x11f/0x2e0 [ 89.498157][ T5072] ? mark_lock+0x9a/0x340 [ 89.502506][ T5072] ? __lock_acquire+0x1295/0x2000 [ 89.507547][ T5072] ? do_filp_open+0x490/0x490 [ 89.512254][ T5072] do_filp_open+0x234/0x490 [ 89.516772][ T5072] ? vfs_tmpfile+0x4a0/0x4a0 [ 89.521391][ T5072] ? _raw_spin_unlock+0x28/0x40 [ 89.526261][ T5072] ? alloc_fd+0x59c/0x640 [ 89.530621][ T5072] do_sys_openat2+0x13f/0x500 [ 89.535313][ T5072] ? print_irqtrace_events+0x220/0x220 [ 89.540790][ T5072] ? do_sys_open+0x230/0x230 [ 89.545394][ T5072] ? lockdep_hardirqs_on+0x98/0x140 [ 89.550608][ T5072] ? _raw_spin_unlock_irq+0x2e/0x50 [ 89.555815][ T5072] ? ptrace_notify+0x278/0x380 [ 89.560637][ T5072] __x64_sys_openat+0x247/0x290 [ 89.565516][ T5072] ? __ia32_sys_open+0x270/0x270 [ 89.570470][ T5072] ? syscall_enter_from_user_mode+0x32/0x230 [ 89.576464][ T5072] ? syscall_enter_from_user_mode+0x8c/0x230 [ 89.582469][ T5072] do_syscall_64+0x41/0xc0 [ 89.586906][ T5072] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 89.592811][ T5072] RIP: 0033:0x7f0100724159 [ 89.597240][ T5072] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 89.616947][ T5072] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 89.625375][ T5072] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 89.633363][ T5072] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5072] <... openat resumed>) = -1 EIO (Input/output error) [pid 5072] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5072] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5071] exit_group(0 [pid 5072] <... futex resumed>) = ? [pid 5071] <... exit_group resumed>) = ? [pid 5072] +++ exited with 0 +++ [pid 5074] <... futex resumed>) = ? [pid 5074] +++ exited with 0 +++ [pid 5071] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5071, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=34 /* 0.34 s */} --- umount2("./17", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./17/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./17/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./17/binderfs") = 0 [ 89.641347][ T5072] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 89.649339][ T5072] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 89.657340][ T5072] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 89.665335][ T5072] umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./17/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./17/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./17") = 0 mkdir("./18", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5075 ./strace-static-x86_64: Process 5075 attached [pid 5075] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5075] chdir("./18") = 0 [pid 5075] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5075] setpgid(0, 0) = 0 [pid 5075] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5075] write(3, "1000", 4) = 4 [pid 5075] close(3) = 0 [pid 5075] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5075] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5075] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5075] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5076 attached , parent_tid=[5076], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5076 [pid 5076] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5076] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5075] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5076] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5075] <... futex resumed>) = 0 [pid 5075] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5076] memfd_create("syzkaller", 0) = 3 [pid 5076] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5076] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5076] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5076] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5076] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5076] close(3) = 0 [pid 5076] mkdir("./file0", 0777) = 0 [ 90.091562][ T5076] loop0: detected capacity change from 0 to 32768 [ 90.103732][ T5076] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 90.114408][ T5076] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 90.123929][ T5076] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 90.132819][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 90.139896][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5076] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5076] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5076] chdir("./file0") = 0 [pid 5076] ioctl(4, LOOP_CLR_FD) = 0 [pid 5076] close(4) = 0 [pid 5076] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5076] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5075] <... futex resumed>) = 0 [pid 5075] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5076] <... futex resumed>) = 0 [pid 5075] <... futex resumed>) = 1 [pid 5076] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 90.182717][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 90.191922][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 90.197768][ T5076] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 90.220109][ T5076] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5075] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5075] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5075] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5075] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5078], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5078 [pid 5075] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 90.228988][ T5076] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 90.228988][ T5076] inode = 12 2341 [ 90.228988][ T5076] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 90.247894][ T5076] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 90.257314][ T5076] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5076 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 90.268294][ T5076] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5075] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5078 attached [pid 5078] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5078] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5078] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5075] <... futex resumed>) = 0 [pid 5075] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5075] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5078] <... futex resumed>) = 1 [pid 5078] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5078] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5075] <... futex resumed>) = 0 [pid 5078] <... futex resumed>) = 1 [ 90.276867][ T5076] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 90.284433][ T5076] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 90.293355][ T5076] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 90.301646][ T5076] gfs2: fsid=syz:syz.0: File system withdrawn [ 90.307872][ T5076] CPU: 0 PID: 5076 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 90.318410][ T5076] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 90.328472][ T5076] Call Trace: [ 90.331776][ T5076] [ 90.334720][ T5076] dump_stack_lvl+0x1e7/0x2d0 [ 90.339452][ T5076] ? nf_tcp_handle_invalid+0x650/0x650 [ 90.344952][ T5076] ? panic+0x770/0x770 [ 90.349065][ T5076] ? kobject_uevent_env+0x54e/0x8e0 [ 90.354322][ T5076] gfs2_withdraw+0xf48/0x1550 [ 90.359052][ T5076] ? gfs2_lm+0x240/0x240 [ 90.363306][ T5076] ? gfs2_dirent_scan+0xb2/0x640 [ 90.368252][ T5076] ? panic+0x770/0x770 [ 90.372353][ T5076] ? gfs2_consist_inode_i+0xf5/0x110 [ 90.377670][ T5076] gfs2_dirent_scan+0x512/0x640 [pid 5078] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5075] exit_group(0 [pid 5078] <... futex resumed>) = ? [pid 5075] <... exit_group resumed>) = ? [pid 5078] +++ exited with 0 +++ [ 90.382561][ T5076] ? gfs2_permission+0x268/0x3c0 [ 90.387520][ T5076] ? gfs2_dirent_search+0x8c0/0x8c0 [ 90.392762][ T5076] gfs2_dirent_search+0x30e/0x8c0 [ 90.397812][ T5076] ? gfs2_dirent_search+0x8c0/0x8c0 [ 90.403047][ T5076] ? generic_permission+0x1df/0x550 [ 90.408274][ T5076] ? gfs2_dir_search+0x2f0/0x2f0 [ 90.413263][ T5076] ? gfs2_permission+0x34a/0x3c0 [ 90.418262][ T5076] gfs2_dir_search+0xb2/0x2f0 [ 90.422975][ T5076] ? do_filldir_main+0x520/0x520 [ 90.427937][ T5076] ? inode_go_held+0xea/0x200 [ 90.432656][ T5076] ? gfs2_glock_wait+0x21a/0x2b0 [ 90.437631][ T5076] gfs2_lookupi+0x460/0x5d0 [ 90.442183][ T5076] ? gfs2_lookup_simple+0x180/0x180 [ 90.447515][ T5076] ? __gfs2_lookup+0xa4/0x270 [ 90.452235][ T5076] ? d_alloc_parallel+0x1262/0x13a0 [ 90.457470][ T5076] __gfs2_lookup+0xa4/0x270 [ 90.462031][ T5076] ? gfs2_atomic_open+0x230/0x230 [ 90.467096][ T5076] ? __init_waitqueue_head+0xae/0x150 [ 90.472497][ T5076] __lookup_slow+0x282/0x3e0 [ 90.477102][ T5076] ? lookup_one_len+0x2d0/0x2d0 [ 90.481998][ T5076] ? down_read+0x1b5/0x2f0 [ 90.486448][ T5076] lookup_slow+0x53/0x70 [ 90.490715][ T5076] link_path_walk+0x9c8/0xe70 [ 90.495419][ T5076] ? handle_lookup_down+0x130/0x130 [ 90.500646][ T5076] ? lockdep_hardirqs_on+0x98/0x140 [ 90.505875][ T5076] path_lookupat+0xa9/0x450 [ 90.510416][ T5076] do_o_path+0x95/0x230 [ 90.514591][ T5076] ? do_tmpfile+0x330/0x330 [ 90.519128][ T5076] ? __alloc_file+0x15a/0x230 [ 90.523833][ T5076] path_openat+0x29f0/0x3170 [ 90.528435][ T5076] ? __stack_depot_save+0x20/0x650 [ 90.533554][ T5076] ? __lock_acquire+0x1295/0x2000 [ 90.538607][ T5076] ? mark_lock+0x9a/0x340 [ 90.542978][ T5076] ? kmem_cache_alloc+0x11f/0x2e0 [ 90.548030][ T5076] ? mark_lock+0x9a/0x340 [ 90.552377][ T5076] ? __lock_acquire+0x1295/0x2000 [ 90.557414][ T5076] ? do_filp_open+0x490/0x490 [ 90.562115][ T5076] do_filp_open+0x234/0x490 [ 90.566652][ T5076] ? vfs_tmpfile+0x4a0/0x4a0 [ 90.571291][ T5076] ? _raw_spin_unlock+0x28/0x40 [ 90.576184][ T5076] ? alloc_fd+0x59c/0x640 [ 90.580538][ T5076] do_sys_openat2+0x13f/0x500 [ 90.585240][ T5076] ? print_irqtrace_events+0x220/0x220 [ 90.590838][ T5076] ? do_sys_open+0x230/0x230 [ 90.595483][ T5076] ? lockdep_hardirqs_on+0x98/0x140 [ 90.600709][ T5076] ? _raw_spin_unlock_irq+0x2e/0x50 [ 90.605934][ T5076] ? ptrace_notify+0x278/0x380 [ 90.610724][ T5076] __x64_sys_openat+0x247/0x290 [ 90.615620][ T5076] ? __ia32_sys_open+0x270/0x270 [ 90.620590][ T5076] ? syscall_enter_from_user_mode+0x32/0x230 [ 90.626625][ T5076] ? syscall_enter_from_user_mode+0x8c/0x230 [ 90.632630][ T5076] do_syscall_64+0x41/0xc0 [ 90.637080][ T5076] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 90.643003][ T5076] RIP: 0033:0x7f0100724159 [ 90.647456][ T5076] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 90.667103][ T5076] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 90.675558][ T5076] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5076] <... openat resumed>) = ? [pid 5076] +++ exited with 0 +++ [pid 5075] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5075, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=34 /* 0.34 s */} --- umount2("./18", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./18/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./18/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./18/binderfs") = 0 [ 90.683555][ T5076] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 90.691550][ T5076] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 90.699548][ T5076] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 90.707526][ T5076] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 90.715536][ T5076] umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./18/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./18/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./18") = 0 mkdir("./19", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5079 ./strace-static-x86_64: Process 5079 attached [pid 5079] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5079] chdir("./19") = 0 [pid 5079] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5079] setpgid(0, 0) = 0 [pid 5079] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5079] write(3, "1000", 4) = 4 [pid 5079] close(3) = 0 [pid 5079] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5079] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5079] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5079] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5080], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5080 [pid 5079] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5080 attached [pid 5080] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5080] memfd_create("syzkaller", 0) = 3 [pid 5080] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5080] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5080] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5080] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5080] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5080] close(3) = 0 [pid 5080] mkdir("./file0", 0777) = 0 [ 91.163863][ T5080] loop0: detected capacity change from 0 to 32768 [ 91.175034][ T5080] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 91.185185][ T5080] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 91.196098][ T5080] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 91.205259][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 91.212336][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5080] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5080] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5080] chdir("./file0") = 0 [pid 5080] ioctl(4, LOOP_CLR_FD) = 0 [pid 5080] close(4) = 0 [pid 5080] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5079] <... futex resumed>) = 0 [pid 5080] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5079] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5080] <... futex resumed>) = 0 [pid 5079] <... futex resumed>) = 1 [pid 5080] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 91.253663][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 91.262867][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 91.268215][ T5080] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 91.288924][ T5080] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 91.307572][ T5080] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 91.307572][ T5080] inode = 12 2341 [ 91.307572][ T5080] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 91.327109][ T5080] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 91.336604][ T5080] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5080 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 91.346907][ T5080] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5079] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5079] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5079] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5079] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5082], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5082 [pid 5079] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5082 attached [pid 5082] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5082] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5082] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5079] <... futex resumed>) = 0 [pid 5079] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5082] <... futex resumed>) = 1 [pid 5082] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5082] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5079] <... futex resumed>) = 0 [pid 5082] <... futex resumed>) = 1 [ 91.355453][ T5080] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 91.364323][ T5080] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 91.373709][ T5080] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 91.382023][ T5080] gfs2: fsid=syz:syz.0: File system withdrawn [ 91.388214][ T5080] CPU: 0 PID: 5080 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 91.398664][ T5080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 91.408732][ T5080] Call Trace: [ 91.412029][ T5080] [ 91.414991][ T5080] dump_stack_lvl+0x1e7/0x2d0 [ 91.419717][ T5080] ? nf_tcp_handle_invalid+0x650/0x650 [ 91.425205][ T5080] ? panic+0x770/0x770 [ 91.429325][ T5080] ? kobject_uevent_env+0x54e/0x8e0 [ 91.434580][ T5080] gfs2_withdraw+0xf48/0x1550 [ 91.439284][ T5080] ? gfs2_lm+0x240/0x240 [ 91.443539][ T5080] ? gfs2_dirent_scan+0xb2/0x640 [ 91.448508][ T5080] ? panic+0x770/0x770 [ 91.452626][ T5080] ? gfs2_consist_inode_i+0xf5/0x110 [ 91.457956][ T5080] gfs2_dirent_scan+0x512/0x640 [ 91.462825][ T5080] ? gfs2_permission+0x268/0x3c0 [ 91.467812][ T5080] ? gfs2_dirent_search+0x8c0/0x8c0 [ 91.473064][ T5080] gfs2_dirent_search+0x30e/0x8c0 [ 91.478136][ T5080] ? gfs2_dirent_search+0x8c0/0x8c0 [ 91.483354][ T5080] ? generic_permission+0x1df/0x550 [ 91.488676][ T5080] ? gfs2_dir_search+0x2f0/0x2f0 [ 91.493637][ T5080] ? gfs2_permission+0x34a/0x3c0 [ 91.498621][ T5080] gfs2_dir_search+0xb2/0x2f0 [ 91.503331][ T5080] ? do_filldir_main+0x520/0x520 [ 91.508282][ T5080] ? inode_go_held+0xea/0x200 [ 91.513001][ T5080] ? gfs2_glock_wait+0x21a/0x2b0 [ 91.517986][ T5080] gfs2_lookupi+0x460/0x5d0 [ 91.522532][ T5080] ? gfs2_lookup_simple+0x180/0x180 [ 91.527749][ T5080] ? __gfs2_lookup+0xa4/0x270 [ 91.532436][ T5080] ? d_alloc_parallel+0x1262/0x13a0 [ 91.537649][ T5080] __gfs2_lookup+0xa4/0x270 [ 91.542161][ T5080] ? gfs2_atomic_open+0x230/0x230 [ 91.547338][ T5080] ? __init_waitqueue_head+0xae/0x150 [ 91.552750][ T5080] __lookup_slow+0x282/0x3e0 [pid 5082] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5079] exit_group(0 [pid 5082] <... futex resumed>) = ? [pid 5079] <... exit_group resumed>) = ? [pid 5082] +++ exited with 0 +++ [ 91.557371][ T5080] ? lookup_one_len+0x2d0/0x2d0 [ 91.562251][ T5080] ? down_read+0x1b5/0x2f0 [ 91.566698][ T5080] lookup_slow+0x53/0x70 [ 91.570945][ T5080] link_path_walk+0x9c8/0xe70 [ 91.575665][ T5080] ? handle_lookup_down+0x130/0x130 [ 91.580988][ T5080] ? lockdep_hardirqs_on+0x98/0x140 [ 91.586212][ T5080] path_lookupat+0xa9/0x450 [ 91.590751][ T5080] do_o_path+0x95/0x230 [ 91.594926][ T5080] ? do_tmpfile+0x330/0x330 [ 91.599444][ T5080] ? __alloc_file+0x15a/0x230 [ 91.604161][ T5080] path_openat+0x29f0/0x3170 [ 91.608877][ T5080] ? __stack_depot_save+0x20/0x650 [ 91.614029][ T5080] ? mark_lock+0x9a/0x340 [ 91.618385][ T5080] ? kmem_cache_alloc+0x11f/0x2e0 [ 91.623417][ T5080] ? mark_lock+0x9a/0x340 [ 91.627774][ T5080] ? __lock_acquire+0x1295/0x2000 [ 91.632833][ T5080] ? do_filp_open+0x490/0x490 [ 91.637532][ T5080] do_filp_open+0x234/0x490 [ 91.642082][ T5080] ? vfs_tmpfile+0x4a0/0x4a0 [ 91.646719][ T5080] ? _raw_spin_unlock+0x28/0x40 [ 91.651590][ T5080] ? alloc_fd+0x59c/0x640 [ 91.655956][ T5080] do_sys_openat2+0x13f/0x500 [ 91.660676][ T5080] ? print_irqtrace_events+0x220/0x220 [ 91.666164][ T5080] ? do_sys_open+0x230/0x230 [ 91.670787][ T5080] ? lockdep_hardirqs_on+0x98/0x140 [ 91.676026][ T5080] ? _raw_spin_unlock_irq+0x2e/0x50 [ 91.681253][ T5080] ? ptrace_notify+0x278/0x380 [ 91.686031][ T5080] __x64_sys_openat+0x247/0x290 [ 91.690928][ T5080] ? __ia32_sys_open+0x270/0x270 [ 91.695898][ T5080] ? syscall_enter_from_user_mode+0x32/0x230 [ 91.701929][ T5080] ? syscall_enter_from_user_mode+0x8c/0x230 [ 91.707980][ T5080] do_syscall_64+0x41/0xc0 [ 91.712420][ T5080] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 91.718327][ T5080] RIP: 0033:0x7f0100724159 [ 91.722751][ T5080] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 91.742370][ T5080] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 91.750801][ T5080] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5080] <... openat resumed>) = ? [pid 5080] +++ exited with 0 +++ [pid 5079] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5079, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=31 /* 0.31 s */} --- umount2("./19", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./19/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./19/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./19/binderfs") = 0 [ 91.758796][ T5080] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 91.766793][ T5080] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 91.774868][ T5080] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 91.782856][ T5080] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 91.790866][ T5080] umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./19/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./19/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./19") = 0 mkdir("./20", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5083 ./strace-static-x86_64: Process 5083 attached [pid 5083] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5083] chdir("./20") = 0 [pid 5083] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5083] setpgid(0, 0) = 0 [pid 5083] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5083] write(3, "1000", 4) = 4 [pid 5083] close(3) = 0 [pid 5083] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5083] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5083] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5083] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5083] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5084], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5084 ./strace-static-x86_64: Process 5084 attached [pid 5083] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5083] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5084] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5084] memfd_create("syzkaller", 0) = 3 [pid 5084] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5084] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5084] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5084] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5084] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5084] close(3) = 0 [pid 5084] mkdir("./file0", 0777) = 0 [ 92.203949][ T5084] loop0: detected capacity change from 0 to 32768 [ 92.214586][ T5084] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 92.222854][ T5084] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 92.233371][ T5084] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 92.242343][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 92.249609][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5084] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5084] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5084] chdir("./file0") = 0 [pid 5084] ioctl(4, LOOP_CLR_FD) = 0 [pid 5084] close(4) = 0 [pid 5084] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5083] <... futex resumed>) = 0 [pid 5083] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5083] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5084] <... futex resumed>) = 1 [ 92.296386][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 92.305660][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 92.311154][ T5084] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 92.331818][ T5084] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5084] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5083] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5083] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5083] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5083] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5083] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5086], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5086 [pid 5083] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 92.340914][ T5084] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 92.340914][ T5084] inode = 12 2341 [ 92.340914][ T5084] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 92.360501][ T5084] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 92.370043][ T5084] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5084 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 92.380297][ T5084] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5083] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5086 attached [pid 5086] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5086] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5086] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5083] <... futex resumed>) = 0 [pid 5083] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5083] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5086] <... futex resumed>) = 1 [pid 5086] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5086] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5083] <... futex resumed>) = 0 [pid 5086] <... futex resumed>) = 1 [ 92.391224][ T5084] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 92.398694][ T5084] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 92.407652][ T5084] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 92.414271][ T5084] gfs2: fsid=syz:syz.0: File system withdrawn [ 92.420560][ T5084] CPU: 0 PID: 5084 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 92.431112][ T5084] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 92.441204][ T5084] Call Trace: [ 92.444503][ T5084] [ 92.447439][ T5084] dump_stack_lvl+0x1e7/0x2d0 [ 92.452145][ T5084] ? nf_tcp_handle_invalid+0x650/0x650 [ 92.457653][ T5084] ? panic+0x770/0x770 [ 92.461745][ T5084] ? kobject_uevent_env+0x54e/0x8e0 [ 92.466985][ T5084] gfs2_withdraw+0xf48/0x1550 [ 92.471709][ T5084] ? gfs2_lm+0x240/0x240 [ 92.475997][ T5084] ? gfs2_dirent_scan+0xb2/0x640 [ 92.480967][ T5084] ? panic+0x770/0x770 [ 92.485072][ T5084] ? gfs2_consist_inode_i+0xf5/0x110 [ 92.490398][ T5084] gfs2_dirent_scan+0x512/0x640 [ 92.495311][ T5084] ? gfs2_permission+0x268/0x3c0 [ 92.500268][ T5084] ? gfs2_dirent_search+0x8c0/0x8c0 [ 92.505573][ T5084] gfs2_dirent_search+0x30e/0x8c0 [ 92.510722][ T5084] ? gfs2_dirent_search+0x8c0/0x8c0 [ 92.515988][ T5084] ? generic_permission+0x1df/0x550 [ 92.521224][ T5084] ? gfs2_dir_search+0x2f0/0x2f0 [ 92.526183][ T5084] ? gfs2_permission+0x34a/0x3c0 [ 92.531163][ T5084] gfs2_dir_search+0xb2/0x2f0 [ 92.535863][ T5084] ? do_filldir_main+0x520/0x520 [ 92.540820][ T5084] ? inode_go_held+0xea/0x200 [ 92.545519][ T5084] ? gfs2_glock_wait+0x21a/0x2b0 [ 92.550477][ T5084] gfs2_lookupi+0x460/0x5d0 [ 92.555008][ T5084] ? gfs2_lookup_simple+0x180/0x180 [ 92.560232][ T5084] ? __gfs2_lookup+0xa4/0x270 [ 92.564918][ T5084] ? d_alloc_parallel+0x1262/0x13a0 [ 92.570131][ T5084] __gfs2_lookup+0xa4/0x270 [ 92.574646][ T5084] ? gfs2_atomic_open+0x230/0x230 [ 92.579690][ T5084] ? __init_waitqueue_head+0xae/0x150 [ 92.585080][ T5084] __lookup_slow+0x282/0x3e0 [ 92.589688][ T5084] ? lookup_one_len+0x2d0/0x2d0 [ 92.594556][ T5084] ? down_read+0x1b5/0x2f0 [ 92.599082][ T5084] lookup_slow+0x53/0x70 [ 92.603335][ T5084] link_path_walk+0x9c8/0xe70 [ 92.608038][ T5084] ? handle_lookup_down+0x130/0x130 [ 92.613357][ T5084] ? lockdep_hardirqs_on+0x98/0x140 [ 92.618567][ T5084] path_lookupat+0xa9/0x450 [ 92.623097][ T5084] do_o_path+0x95/0x230 [ 92.627272][ T5084] ? do_tmpfile+0x330/0x330 [ 92.631792][ T5084] ? __alloc_file+0x15a/0x230 [ 92.636557][ T5084] path_openat+0x29f0/0x3170 [ 92.641160][ T5084] ? __stack_depot_save+0x20/0x650 [ 92.646289][ T5084] ? mark_lock+0x9a/0x340 [ 92.650634][ T5084] ? kmem_cache_alloc+0x11f/0x2e0 [ 92.655670][ T5084] ? mark_lock+0x9a/0x340 [ 92.660021][ T5084] ? __lock_acquire+0x1295/0x2000 [ 92.665072][ T5084] ? do_filp_open+0x490/0x490 [ 92.669775][ T5084] do_filp_open+0x234/0x490 [ 92.674293][ T5084] ? vfs_tmpfile+0x4a0/0x4a0 [ 92.678929][ T5084] ? _raw_spin_unlock+0x28/0x40 [ 92.683790][ T5084] ? alloc_fd+0x59c/0x640 [ 92.688153][ T5084] do_sys_openat2+0x13f/0x500 [ 92.692845][ T5084] ? print_irqtrace_events+0x220/0x220 [ 92.698320][ T5084] ? do_sys_open+0x230/0x230 [ 92.702926][ T5084] ? lockdep_hardirqs_on+0x98/0x140 [ 92.708137][ T5084] ? _raw_spin_unlock_irq+0x2e/0x50 [ 92.713351][ T5084] ? ptrace_notify+0x278/0x380 [ 92.718142][ T5084] __x64_sys_openat+0x247/0x290 [ 92.723050][ T5084] ? __ia32_sys_open+0x270/0x270 [ 92.728014][ T5084] ? syscall_enter_from_user_mode+0x32/0x230 [ 92.734026][ T5084] ? syscall_enter_from_user_mode+0x8c/0x230 [ 92.740035][ T5084] do_syscall_64+0x41/0xc0 [ 92.744477][ T5084] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 92.750419][ T5084] RIP: 0033:0x7f0100724159 [ 92.754841][ T5084] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 92.774456][ T5084] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 92.782880][ T5084] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5086] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5084] <... openat resumed>) = -1 EIO (Input/output error) [pid 5084] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5084] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5083] exit_group(0 [pid 5084] <... futex resumed>) = ? [pid 5084] +++ exited with 0 +++ [pid 5083] <... exit_group resumed>) = ? [pid 5086] <... futex resumed>) = ? [pid 5086] +++ exited with 0 +++ [pid 5083] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5083, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=37 /* 0.37 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./20", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./20/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./20/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./20/binderfs") = 0 [ 92.790859][ T5084] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 92.798843][ T5084] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 92.806820][ T5084] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 92.814802][ T5084] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 92.822798][ T5084] umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./20/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./20/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./20") = 0 mkdir("./21", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5087 ./strace-static-x86_64: Process 5087 attached [pid 5087] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5087] chdir("./21") = 0 [pid 5087] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5087] setpgid(0, 0) = 0 [pid 5087] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5087] write(3, "1000", 4) = 4 [pid 5087] close(3) = 0 [pid 5087] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5087] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5087] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5087] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5087] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5088], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5088 ./strace-static-x86_64: Process 5088 attached [pid 5087] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5088] set_robust_list(0x7f01006c89e0, 24 [pid 5087] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5088] <... set_robust_list resumed>) = 0 [pid 5088] memfd_create("syzkaller", 0) = 3 [pid 5088] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5088] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5088] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5088] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5088] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5088] close(3) = 0 [pid 5088] mkdir("./file0", 0777) = 0 [ 93.212004][ T5088] loop0: detected capacity change from 0 to 32768 [ 93.222776][ T5088] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 93.231346][ T5088] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 93.241670][ T5088] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 93.250631][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 93.257762][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5088] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5088] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5088] chdir("./file0") = 0 [pid 5088] ioctl(4, LOOP_CLR_FD) = 0 [pid 5088] close(4) = 0 [pid 5088] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5087] <... futex resumed>) = 0 [pid 5087] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5087] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 93.301081][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 93.308646][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 93.313899][ T5088] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 93.338134][ T5088] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5088] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5087] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5087] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5087] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5087] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5087] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5090], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5090 [pid 5087] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5087] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5090 attached [pid 5090] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5090] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [ 93.347455][ T5088] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 93.347455][ T5088] inode = 12 2341 [ 93.347455][ T5088] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 93.366589][ T5088] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 93.375849][ T5088] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5088 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 93.386021][ T5088] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 93.394558][ T5088] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5090] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5087] <... futex resumed>) = 0 [pid 5087] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5087] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5090] <... futex resumed>) = 1 [pid 5090] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5090] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5087] <... futex resumed>) = 0 [pid 5090] <... futex resumed>) = 1 [ 93.402629][ T5088] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 93.412299][ T5088] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 93.421329][ T5088] gfs2: fsid=syz:syz.0: File system withdrawn [ 93.428066][ T5088] CPU: 0 PID: 5088 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 93.438506][ T5088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 93.448563][ T5088] Call Trace: [ 93.451857][ T5088] [ 93.454789][ T5088] dump_stack_lvl+0x1e7/0x2d0 [ 93.459485][ T5088] ? nf_tcp_handle_invalid+0x650/0x650 [ 93.464957][ T5088] ? panic+0x770/0x770 [ 93.469029][ T5088] ? kobject_uevent_env+0x54e/0x8e0 [ 93.474240][ T5088] gfs2_withdraw+0xf48/0x1550 [ 93.478959][ T5088] ? gfs2_lm+0x240/0x240 [ 93.483215][ T5088] ? gfs2_dirent_scan+0xb2/0x640 [ 93.488155][ T5088] ? panic+0x770/0x770 [ 93.492233][ T5088] ? gfs2_consist_inode_i+0xf5/0x110 [ 93.497544][ T5088] gfs2_dirent_scan+0x512/0x640 [ 93.502412][ T5088] ? gfs2_permission+0x268/0x3c0 [ 93.507375][ T5088] ? gfs2_dirent_search+0x8c0/0x8c0 [ 93.512592][ T5088] gfs2_dirent_search+0x30e/0x8c0 [ 93.517645][ T5088] ? gfs2_dirent_search+0x8c0/0x8c0 [ 93.522870][ T5088] ? generic_permission+0x1df/0x550 [ 93.528081][ T5088] ? gfs2_dir_search+0x2f0/0x2f0 [ 93.533046][ T5088] ? gfs2_permission+0x34a/0x3c0 [ 93.538007][ T5088] gfs2_dir_search+0xb2/0x2f0 [ 93.542714][ T5088] ? do_filldir_main+0x520/0x520 [ 93.547662][ T5088] ? inode_go_held+0xea/0x200 [ 93.552368][ T5088] ? gfs2_glock_wait+0x21a/0x2b0 [ 93.557367][ T5088] gfs2_lookupi+0x460/0x5d0 [ 93.561904][ T5088] ? gfs2_lookup_simple+0x180/0x180 [ 93.567136][ T5088] ? __gfs2_lookup+0xa4/0x270 [ 93.571843][ T5088] ? d_alloc_parallel+0x1262/0x13a0 [ 93.577050][ T5088] __gfs2_lookup+0xa4/0x270 [ 93.581563][ T5088] ? gfs2_atomic_open+0x230/0x230 [ 93.586592][ T5088] ? __init_waitqueue_head+0xae/0x150 [ 93.591991][ T5088] __lookup_slow+0x282/0x3e0 [ 93.596591][ T5088] ? lookup_one_len+0x2d0/0x2d0 [ 93.601460][ T5088] ? down_read+0x1b5/0x2f0 [ 93.605886][ T5088] lookup_slow+0x53/0x70 [ 93.610152][ T5088] link_path_walk+0x9c8/0xe70 [ 93.614972][ T5088] ? handle_lookup_down+0x130/0x130 [ 93.620199][ T5088] ? lockdep_hardirqs_on+0x98/0x140 [ 93.625414][ T5088] path_lookupat+0xa9/0x450 [ 93.629939][ T5088] do_o_path+0x95/0x230 [ 93.634109][ T5088] ? do_tmpfile+0x330/0x330 [ 93.638618][ T5088] ? __alloc_file+0x15a/0x230 [ 93.643299][ T5088] path_openat+0x29f0/0x3170 [ 93.647899][ T5088] ? __stack_depot_save+0x20/0x650 [ 93.653017][ T5088] ? __lock_acquire+0x1295/0x2000 [ 93.658052][ T5088] ? mark_lock+0x9a/0x340 [ 93.662394][ T5088] ? kmem_cache_alloc+0x11f/0x2e0 [ 93.667422][ T5088] ? mark_lock+0x9a/0x340 [ 93.671762][ T5088] ? __lock_acquire+0x1295/0x2000 [ 93.676796][ T5088] ? do_filp_open+0x490/0x490 [ 93.681491][ T5088] do_filp_open+0x234/0x490 [ 93.686001][ T5088] ? vfs_tmpfile+0x4a0/0x4a0 [ 93.690622][ T5088] ? _raw_spin_unlock+0x28/0x40 [ 93.695482][ T5088] ? alloc_fd+0x59c/0x640 [ 93.699835][ T5088] do_sys_openat2+0x13f/0x500 [ 93.704517][ T5088] ? print_irqtrace_events+0x220/0x220 [ 93.709997][ T5088] ? do_sys_open+0x230/0x230 [ 93.714620][ T5088] ? lockdep_hardirqs_on+0x98/0x140 [ 93.719825][ T5088] ? _raw_spin_unlock_irq+0x2e/0x50 [ 93.725023][ T5088] ? ptrace_notify+0x278/0x380 [ 93.729806][ T5088] __x64_sys_openat+0x247/0x290 [ 93.734667][ T5088] ? __ia32_sys_open+0x270/0x270 [ 93.739623][ T5088] ? syscall_enter_from_user_mode+0x32/0x230 [ 93.745616][ T5088] ? syscall_enter_from_user_mode+0x8c/0x230 [ 93.751615][ T5088] do_syscall_64+0x41/0xc0 [ 93.756043][ T5088] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 93.761997][ T5088] RIP: 0033:0x7f0100724159 [ 93.766438][ T5088] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 93.786073][ T5088] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 93.794510][ T5088] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5090] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5088] <... openat resumed>) = -1 EIO (Input/output error) [pid 5088] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5088] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5087] exit_group(0 [pid 5090] <... futex resumed>) = ? [pid 5087] <... exit_group resumed>) = ? [pid 5090] +++ exited with 0 +++ [pid 5088] <... futex resumed>) = ? [pid 5088] +++ exited with 0 +++ [pid 5087] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5087, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=31 /* 0.31 s */} --- umount2("./21", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./21/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./21/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./21/binderfs") = 0 [ 93.802486][ T5088] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 93.810492][ T5088] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 93.818467][ T5088] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 93.826438][ T5088] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 93.834428][ T5088] umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./21/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./21/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./21") = 0 mkdir("./22", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5091 ./strace-static-x86_64: Process 5091 attached [pid 5091] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5091] chdir("./22") = 0 [pid 5091] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5091] setpgid(0, 0) = 0 [pid 5091] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5091] write(3, "1000", 4) = 4 [pid 5091] close(3) = 0 [pid 5091] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5091] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5091] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5091] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5092], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5092 [pid 5091] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5092 attached [pid 5092] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5092] memfd_create("syzkaller", 0) = 3 [pid 5092] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5092] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5092] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5092] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5092] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5092] close(3) = 0 [pid 5092] mkdir("./file0", 0777) = 0 [ 94.257316][ T5092] loop0: detected capacity change from 0 to 32768 [ 94.268160][ T5092] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 94.276682][ T5092] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 94.287737][ T5092] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 94.296324][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 94.303283][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5092] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5092] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5092] chdir("./file0") = 0 [pid 5092] ioctl(4, LOOP_CLR_FD) = 0 [pid 5092] close(4) = 0 [pid 5092] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5091] <... futex resumed>) = 0 [pid 5092] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5091] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 94.348932][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 94.356504][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 94.361842][ T5092] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 94.385817][ T5092] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 94.394895][ T5092] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 94.394895][ T5092] inode = 12 2341 [ 94.394895][ T5092] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 94.414265][ T5092] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 94.424002][ T5092] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5092 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 94.434578][ T5092] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5091] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5091] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5091] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5091] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5094], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5094 [pid 5091] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5091] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5094 attached [pid 5094] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5094] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5094] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5091] <... futex resumed>) = 0 [pid 5094] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5091] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5094] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5091] <... futex resumed>) = 0 [pid 5094] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 5091] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5094] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5094] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5091] <... futex resumed>) = 0 [ 94.443228][ T5092] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 94.450815][ T5092] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 94.459836][ T5092] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 94.466471][ T5092] gfs2: fsid=syz:syz.0: File system withdrawn [ 94.472962][ T5092] CPU: 0 PID: 5092 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 94.483600][ T5092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 94.493776][ T5092] Call Trace: [ 94.497071][ T5092] [ 94.500012][ T5092] dump_stack_lvl+0x1e7/0x2d0 [ 94.504825][ T5092] ? nf_tcp_handle_invalid+0x650/0x650 [ 94.510544][ T5092] ? panic+0x770/0x770 [ 94.514655][ T5092] ? kobject_uevent_env+0x54e/0x8e0 [ 94.519910][ T5092] gfs2_withdraw+0xf48/0x1550 [ 94.524636][ T5092] ? gfs2_lm+0x240/0x240 [ 94.528920][ T5092] ? gfs2_dirent_scan+0xb2/0x640 [ 94.533901][ T5092] ? panic+0x770/0x770 [ 94.538007][ T5092] ? gfs2_consist_inode_i+0xf5/0x110 [ 94.543620][ T5092] gfs2_dirent_scan+0x512/0x640 [ 94.548635][ T5092] ? gfs2_permission+0x268/0x3c0 [ 94.553604][ T5092] ? gfs2_dirent_search+0x8c0/0x8c0 [ 94.558844][ T5092] gfs2_dirent_search+0x30e/0x8c0 [ 94.563992][ T5092] ? gfs2_dirent_search+0x8c0/0x8c0 [ 94.569228][ T5092] ? generic_permission+0x1df/0x550 [ 94.574464][ T5092] ? gfs2_dir_search+0x2f0/0x2f0 [ 94.579429][ T5092] ? gfs2_permission+0x34a/0x3c0 [ 94.584456][ T5092] gfs2_dir_search+0xb2/0x2f0 [ 94.589170][ T5092] ? do_filldir_main+0x520/0x520 [ 94.594130][ T5092] ? inode_go_held+0xea/0x200 [pid 5094] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5091] exit_group(0 [pid 5094] <... futex resumed>) = ? [pid 5091] <... exit_group resumed>) = ? [pid 5094] +++ exited with 0 +++ [ 94.598867][ T5092] ? gfs2_glock_wait+0x21a/0x2b0 [ 94.603843][ T5092] gfs2_lookupi+0x460/0x5d0 [ 94.608379][ T5092] ? gfs2_lookup_simple+0x180/0x180 [ 94.613593][ T5092] ? __gfs2_lookup+0xa4/0x270 [ 94.618288][ T5092] ? d_alloc_parallel+0x1262/0x13a0 [ 94.623520][ T5092] __gfs2_lookup+0xa4/0x270 [ 94.628078][ T5092] ? gfs2_atomic_open+0x230/0x230 [ 94.633139][ T5092] ? __init_waitqueue_head+0xae/0x150 [ 94.638541][ T5092] __lookup_slow+0x282/0x3e0 [ 94.643143][ T5092] ? lookup_one_len+0x2d0/0x2d0 [ 94.648022][ T5092] ? down_read+0x1b5/0x2f0 [ 94.652457][ T5092] lookup_slow+0x53/0x70 [ 94.656707][ T5092] link_path_walk+0x9c8/0xe70 [ 94.661407][ T5092] ? handle_lookup_down+0x130/0x130 [ 94.666633][ T5092] ? lockdep_hardirqs_on+0x98/0x140 [ 94.671864][ T5092] path_lookupat+0xa9/0x450 [ 94.676401][ T5092] do_o_path+0x95/0x230 [ 94.680587][ T5092] ? do_tmpfile+0x330/0x330 [ 94.685102][ T5092] ? __alloc_file+0x15a/0x230 [ 94.689792][ T5092] path_openat+0x29f0/0x3170 [ 94.694413][ T5092] ? __stack_depot_save+0x20/0x650 [ 94.699557][ T5092] ? mark_lock+0x9a/0x340 [ 94.703908][ T5092] ? kmem_cache_alloc+0x11f/0x2e0 [ 94.708965][ T5092] ? mark_lock+0x9a/0x340 [ 94.713362][ T5092] ? __lock_acquire+0x1295/0x2000 [ 94.718401][ T5092] ? do_filp_open+0x490/0x490 [ 94.723119][ T5092] do_filp_open+0x234/0x490 [ 94.727654][ T5092] ? vfs_tmpfile+0x4a0/0x4a0 [ 94.732306][ T5092] ? _raw_spin_unlock+0x28/0x40 [ 94.737175][ T5092] ? alloc_fd+0x59c/0x640 [ 94.741563][ T5092] do_sys_openat2+0x13f/0x500 [ 94.746277][ T5092] ? print_irqtrace_events+0x220/0x220 [ 94.751862][ T5092] ? do_sys_open+0x230/0x230 [ 94.756480][ T5092] ? lockdep_hardirqs_on+0x98/0x140 [ 94.761720][ T5092] ? _raw_spin_unlock_irq+0x2e/0x50 [ 94.767138][ T5092] ? ptrace_notify+0x278/0x380 [ 94.771949][ T5092] __x64_sys_openat+0x247/0x290 [ 94.776824][ T5092] ? __ia32_sys_open+0x270/0x270 [ 94.781802][ T5092] ? syscall_enter_from_user_mode+0x32/0x230 [ 94.787821][ T5092] ? syscall_enter_from_user_mode+0x8c/0x230 [ 94.793817][ T5092] do_syscall_64+0x41/0xc0 [ 94.798263][ T5092] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 94.804198][ T5092] RIP: 0033:0x7f0100724159 [ 94.808625][ T5092] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 94.828282][ T5092] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 94.836710][ T5092] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5092] <... openat resumed>) = ? [pid 5092] +++ exited with 0 +++ [pid 5091] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5091, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./22", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./22/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./22/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./22/binderfs") = 0 [ 94.844690][ T5092] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 94.852673][ T5092] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 94.860651][ T5092] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 94.868643][ T5092] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 94.876652][ T5092] umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./22/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./22/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./22") = 0 mkdir("./23", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5095 ./strace-static-x86_64: Process 5095 attached [pid 5095] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5095] chdir("./23") = 0 [pid 5095] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5095] setpgid(0, 0) = 0 [pid 5095] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5095] write(3, "1000", 4) = 4 [pid 5095] close(3) = 0 [pid 5095] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5095] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5095] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5095] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5095] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5096 attached , parent_tid=[5096], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5096 [pid 5095] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5095] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5096] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5096] memfd_create("syzkaller", 0) = 3 [pid 5096] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5096] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5096] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5096] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5096] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5096] close(3) = 0 [pid 5096] mkdir("./file0", 0777) = 0 [ 95.273108][ T5096] loop0: detected capacity change from 0 to 32768 [ 95.285261][ T5096] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 95.293573][ T5096] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 95.304409][ T5096] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 95.313154][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 95.320506][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5096] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5096] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5096] chdir("./file0") = 0 [pid 5096] ioctl(4, LOOP_CLR_FD) = 0 [pid 5096] close(4) = 0 [pid 5096] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5095] <... futex resumed>) = 0 [pid 5096] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5095] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 95.358062][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 95.367394][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 95.372686][ T5096] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5095] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 95.400278][ T5096] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 95.408962][ T5096] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 95.408962][ T5096] inode = 12 2341 [ 95.408962][ T5096] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 95.428025][ T5096] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 95.437111][ T5096] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5096 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5095] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5095] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5095] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5095] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5098], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5098 [pid 5095] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5095] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5098 attached [pid 5098] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5098] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5098] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5095] <... futex resumed>) = 0 [pid 5098] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5095] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5098] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5095] <... futex resumed>) = 0 [pid 5098] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 5095] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5098] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5098] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5095] <... futex resumed>) = 0 [ 95.447752][ T5096] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 95.456226][ T5096] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 95.463575][ T5096] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 95.472477][ T5096] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 95.479165][ T5096] gfs2: fsid=syz:syz.0: File system withdrawn [ 95.485364][ T5096] CPU: 0 PID: 5096 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 95.496163][ T5096] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 95.506248][ T5096] Call Trace: [ 95.509539][ T5096] [ 95.512478][ T5096] dump_stack_lvl+0x1e7/0x2d0 [ 95.517188][ T5096] ? nf_tcp_handle_invalid+0x650/0x650 [ 95.522678][ T5096] ? panic+0x770/0x770 [ 95.526763][ T5096] ? kobject_uevent_env+0x54e/0x8e0 [ 95.531984][ T5096] gfs2_withdraw+0xf48/0x1550 [ 95.536693][ T5096] ? gfs2_lm+0x240/0x240 [ 95.540951][ T5096] ? gfs2_dirent_scan+0xb2/0x640 [ 95.545900][ T5096] ? panic+0x770/0x770 [ 95.549999][ T5096] ? gfs2_consist_inode_i+0xf5/0x110 [ 95.555303][ T5096] gfs2_dirent_scan+0x512/0x640 [ 95.560166][ T5096] ? gfs2_permission+0x268/0x3c0 [ 95.565122][ T5096] ? gfs2_dirent_search+0x8c0/0x8c0 [ 95.570338][ T5096] gfs2_dirent_search+0x30e/0x8c0 [ 95.575450][ T5096] ? gfs2_dirent_search+0x8c0/0x8c0 [ 95.580684][ T5096] ? generic_permission+0x1df/0x550 [ 95.585931][ T5096] ? gfs2_dir_search+0x2f0/0x2f0 [ 95.590916][ T5096] ? gfs2_permission+0x34a/0x3c0 [ 95.595884][ T5096] gfs2_dir_search+0xb2/0x2f0 [ 95.600586][ T5096] ? do_filldir_main+0x520/0x520 [ 95.605540][ T5096] ? inode_go_held+0xea/0x200 [ 95.610316][ T5096] ? gfs2_glock_wait+0x21a/0x2b0 [ 95.615281][ T5096] gfs2_lookupi+0x460/0x5d0 [ 95.619818][ T5096] ? gfs2_lookup_simple+0x180/0x180 [ 95.625037][ T5096] ? __gfs2_lookup+0xa4/0x270 [ 95.629723][ T5096] ? d_alloc_parallel+0x1262/0x13a0 [ 95.634970][ T5096] __gfs2_lookup+0xa4/0x270 [ 95.639512][ T5096] ? gfs2_atomic_open+0x230/0x230 [ 95.644569][ T5096] ? __init_waitqueue_head+0xae/0x150 [ 95.649976][ T5096] __lookup_slow+0x282/0x3e0 [ 95.654582][ T5096] ? lookup_one_len+0x2d0/0x2d0 [ 95.659454][ T5096] ? down_read+0x1b5/0x2f0 [ 95.663922][ T5096] lookup_slow+0x53/0x70 [ 95.668198][ T5096] link_path_walk+0x9c8/0xe70 [ 95.672909][ T5096] ? handle_lookup_down+0x130/0x130 [ 95.678133][ T5096] ? lockdep_hardirqs_on+0x98/0x140 [ 95.683365][ T5096] path_lookupat+0xa9/0x450 [ 95.687887][ T5096] do_o_path+0x95/0x230 [ 95.692072][ T5096] ? do_tmpfile+0x330/0x330 [ 95.696589][ T5096] ? __alloc_file+0x15a/0x230 [ 95.701284][ T5096] path_openat+0x29f0/0x3170 [ 95.705895][ T5096] ? __stack_depot_save+0x20/0x650 [ 95.711199][ T5096] ? mark_lock+0x9a/0x340 [ 95.715541][ T5096] ? kmem_cache_alloc+0x11f/0x2e0 [ 95.720588][ T5096] ? mark_lock+0x9a/0x340 [ 95.724949][ T5096] ? __lock_acquire+0x1295/0x2000 [ 95.729993][ T5096] ? do_filp_open+0x490/0x490 [ 95.734699][ T5096] do_filp_open+0x234/0x490 [ 95.739218][ T5096] ? vfs_tmpfile+0x4a0/0x4a0 [ 95.743840][ T5096] ? _raw_spin_unlock+0x28/0x40 [ 95.748701][ T5096] ? alloc_fd+0x59c/0x640 [ 95.753204][ T5096] do_sys_openat2+0x13f/0x500 [ 95.757946][ T5096] ? print_irqtrace_events+0x220/0x220 [ 95.763445][ T5096] ? do_sys_open+0x230/0x230 [ 95.768087][ T5096] ? lockdep_hardirqs_on+0x98/0x140 [ 95.773326][ T5096] ? _raw_spin_unlock_irq+0x2e/0x50 [ 95.778535][ T5096] ? ptrace_notify+0x278/0x380 [ 95.783328][ T5096] __x64_sys_openat+0x247/0x290 [ 95.788201][ T5096] ? __ia32_sys_open+0x270/0x270 [ 95.793156][ T5096] ? syscall_enter_from_user_mode+0x32/0x230 [ 95.799153][ T5096] ? syscall_enter_from_user_mode+0x8c/0x230 [ 95.805148][ T5096] do_syscall_64+0x41/0xc0 [ 95.809582][ T5096] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 95.815490][ T5096] RIP: 0033:0x7f0100724159 [ 95.819918][ T5096] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 95.839535][ T5096] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5098] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5096] <... openat resumed>) = -1 EIO (Input/output error) [pid 5096] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5095] exit_group(0 [pid 5096] <... futex resumed>) = 230 [pid 5098] <... futex resumed>) = ? [pid 5095] <... exit_group resumed>) = ? [pid 5098] +++ exited with 0 +++ [pid 5096] +++ exited with 0 +++ [pid 5095] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5095, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- umount2("./23", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./23/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./23/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./23/binderfs") = 0 [ 95.847979][ T5096] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 95.855996][ T5096] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 95.863991][ T5096] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 95.871978][ T5096] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 95.880137][ T5096] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 95.888136][ T5096] umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./23/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./23/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./23") = 0 mkdir("./24", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5099 ./strace-static-x86_64: Process 5099 attached [pid 5099] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5099] chdir("./24") = 0 [pid 5099] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5099] setpgid(0, 0) = 0 [pid 5099] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5099] write(3, "1000", 4) = 4 [pid 5099] close(3) = 0 [pid 5099] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5099] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5099] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5099] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5099] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5100 attached [pid 5100] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5100] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5099] <... clone resumed>, parent_tid=[5100], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5100 [pid 5099] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5100] <... futex resumed>) = 0 [pid 5099] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5100] memfd_create("syzkaller", 0) = 3 [pid 5100] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5100] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5100] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5100] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5100] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5100] close(3) = 0 [pid 5100] mkdir("./file0", 0777) = 0 [ 96.288332][ T5100] loop0: detected capacity change from 0 to 32768 [ 96.300684][ T5100] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 96.310700][ T5100] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 96.320926][ T5100] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 96.330366][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 96.337323][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [ 96.378390][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [pid 5100] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5100] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5100] chdir("./file0") = 0 [pid 5100] ioctl(4, LOOP_CLR_FD) = 0 [pid 5100] close(4) = 0 [pid 5100] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5099] <... futex resumed>) = 0 [pid 5099] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5099] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5100] <... futex resumed>) = 1 [ 96.387611][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 96.393118][ T5100] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 96.420855][ T5100] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5100] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5099] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 96.433881][ T5100] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 96.433881][ T5100] inode = 12 2341 [ 96.433881][ T5100] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 96.453754][ T5100] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 96.463158][ T5100] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5100 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 96.473896][ T5100] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5099] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5099] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5099] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5099] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5102], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5102 [pid 5099] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5099] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5102 attached [pid 5102] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5102] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5102] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5099] <... futex resumed>) = 0 [pid 5099] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5099] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5102] <... futex resumed>) = 1 [pid 5102] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5102] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5099] <... futex resumed>) = 0 [pid 5102] <... futex resumed>) = 1 [ 96.482808][ T5100] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 96.492085][ T5100] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 96.504548][ T5100] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 96.512952][ T5100] gfs2: fsid=syz:syz.0: File system withdrawn [ 96.519115][ T5100] CPU: 0 PID: 5100 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 96.529582][ T5100] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 96.539664][ T5100] Call Trace: [ 96.543229][ T5100] [ 96.546195][ T5100] dump_stack_lvl+0x1e7/0x2d0 [ 96.550920][ T5100] ? nf_tcp_handle_invalid+0x650/0x650 [ 96.556428][ T5100] ? panic+0x770/0x770 [ 96.560542][ T5100] ? kobject_uevent_env+0x54e/0x8e0 [ 96.565788][ T5100] gfs2_withdraw+0xf48/0x1550 [ 96.570509][ T5100] ? gfs2_lm+0x240/0x240 [ 96.574809][ T5100] ? gfs2_dirent_scan+0xb2/0x640 [ 96.579768][ T5100] ? panic+0x770/0x770 [ 96.583873][ T5100] ? gfs2_consist_inode_i+0xf5/0x110 [ 96.589205][ T5100] gfs2_dirent_scan+0x512/0x640 [ 96.594099][ T5100] ? gfs2_permission+0x268/0x3c0 [ 96.599175][ T5100] ? gfs2_dirent_search+0x8c0/0x8c0 [ 96.604415][ T5100] gfs2_dirent_search+0x30e/0x8c0 [ 96.609492][ T5100] ? gfs2_dirent_search+0x8c0/0x8c0 [ 96.615099][ T5100] ? generic_permission+0x1df/0x550 [ 96.620334][ T5100] ? gfs2_dir_search+0x2f0/0x2f0 [ 96.625298][ T5100] ? gfs2_permission+0x34a/0x3c0 [ 96.630269][ T5100] gfs2_dir_search+0xb2/0x2f0 [ 96.634969][ T5100] ? do_filldir_main+0x520/0x520 [ 96.640361][ T5100] ? inode_go_held+0xea/0x200 [ 96.646202][ T5100] ? gfs2_glock_wait+0x21a/0x2b0 [ 96.651180][ T5100] gfs2_lookupi+0x460/0x5d0 [ 96.655728][ T5100] ? gfs2_lookup_simple+0x180/0x180 [ 96.661052][ T5100] ? __gfs2_lookup+0xa4/0x270 [ 96.665772][ T5100] ? d_alloc_parallel+0x1262/0x13a0 [ 96.671001][ T5100] __gfs2_lookup+0xa4/0x270 [ 96.675526][ T5100] ? gfs2_atomic_open+0x230/0x230 [ 96.680577][ T5100] ? __init_waitqueue_head+0xae/0x150 [ 96.685997][ T5100] __lookup_slow+0x282/0x3e0 [ 96.690636][ T5100] ? lookup_one_len+0x2d0/0x2d0 [ 96.695519][ T5100] ? down_read+0x1b5/0x2f0 [ 96.699982][ T5100] lookup_slow+0x53/0x70 [ 96.704240][ T5100] link_path_walk+0x9c8/0xe70 [ 96.708946][ T5100] ? handle_lookup_down+0x130/0x130 [ 96.714164][ T5100] ? lockdep_hardirqs_on+0x98/0x140 [ 96.719377][ T5100] path_lookupat+0xa9/0x450 [ 96.723895][ T5100] do_o_path+0x95/0x230 [ 96.728074][ T5100] ? do_tmpfile+0x330/0x330 [ 96.732607][ T5100] ? __alloc_file+0x15a/0x230 [ 96.737386][ T5100] path_openat+0x29f0/0x3170 [ 96.741989][ T5100] ? __stack_depot_save+0x20/0x650 [ 96.747117][ T5100] ? mark_lock+0x9a/0x340 [ 96.751480][ T5100] ? kmem_cache_alloc+0x11f/0x2e0 [ 96.756522][ T5100] ? mark_lock+0x9a/0x340 [ 96.760870][ T5100] ? __lock_acquire+0x1295/0x2000 [ 96.765907][ T5100] ? do_filp_open+0x490/0x490 [ 96.770619][ T5100] do_filp_open+0x234/0x490 [ 96.775135][ T5100] ? vfs_tmpfile+0x4a0/0x4a0 [ 96.779760][ T5100] ? _raw_spin_unlock+0x28/0x40 [ 96.784634][ T5100] ? alloc_fd+0x59c/0x640 [ 96.788990][ T5100] do_sys_openat2+0x13f/0x500 [ 96.793681][ T5100] ? print_irqtrace_events+0x220/0x220 [ 96.799162][ T5100] ? do_sys_open+0x230/0x230 [ 96.803767][ T5100] ? lockdep_hardirqs_on+0x98/0x140 [ 96.808976][ T5100] ? _raw_spin_unlock_irq+0x2e/0x50 [ 96.814181][ T5100] ? ptrace_notify+0x278/0x380 [ 96.818956][ T5100] __x64_sys_openat+0x247/0x290 [ 96.823826][ T5100] ? __ia32_sys_open+0x270/0x270 [ 96.828786][ T5100] ? syscall_enter_from_user_mode+0x32/0x230 [ 96.834780][ T5100] ? syscall_enter_from_user_mode+0x8c/0x230 [ 96.840781][ T5100] do_syscall_64+0x41/0xc0 [ 96.845214][ T5100] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 96.851123][ T5100] RIP: 0033:0x7f0100724159 [ 96.855556][ T5100] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 96.875223][ T5100] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5102] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5100] <... openat resumed>) = -1 EIO (Input/output error) [pid 5100] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5100] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5099] exit_group(0 [pid 5100] <... futex resumed>) = ? [pid 5099] <... exit_group resumed>) = ? [pid 5102] <... futex resumed>) = ? [pid 5100] +++ exited with 0 +++ [pid 5102] +++ exited with 0 +++ [pid 5099] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5099, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=38 /* 0.38 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./24", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./24/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./24/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./24/binderfs") = 0 [ 96.883683][ T5100] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 96.891672][ T5100] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 96.899659][ T5100] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 96.907652][ T5100] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 96.915642][ T5100] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 96.923651][ T5100] umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./24/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./24/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./24") = 0 mkdir("./25", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5103 ./strace-static-x86_64: Process 5103 attached [pid 5103] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5103] chdir("./25") = 0 [pid 5103] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5103] setpgid(0, 0) = 0 [pid 5103] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5103] write(3, "1000", 4) = 4 [pid 5103] close(3) = 0 [pid 5103] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5103] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5103] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5103] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5103] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5104], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5104 [pid 5103] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5104 attached [pid 5103] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5104] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5104] memfd_create("syzkaller", 0) = 3 [pid 5104] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5104] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5104] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5104] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5104] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5104] close(3) = 0 [pid 5104] mkdir("./file0", 0777) = 0 [ 97.337400][ T5104] loop0: detected capacity change from 0 to 32768 [ 97.347798][ T5104] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 97.356014][ T5104] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 97.366284][ T5104] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 97.375235][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 97.382267][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5104] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5104] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5104] chdir("./file0") = 0 [pid 5104] ioctl(4, LOOP_CLR_FD) = 0 [pid 5104] close(4) = 0 [pid 5104] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5103] <... futex resumed>) = 0 [pid 5103] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5103] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5104] <... futex resumed>) = 1 [ 97.422682][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 97.430322][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 97.435610][ T5104] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 97.461545][ T5104] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5104] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5103] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5103] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5103] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5103] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5103] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5106], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5106 ./strace-static-x86_64: Process 5106 attached [pid 5103] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 97.470046][ T5104] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 97.470046][ T5104] inode = 12 2341 [ 97.470046][ T5104] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 97.488884][ T5104] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 97.498340][ T5104] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5104 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 97.509054][ T5104] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5103] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5106] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5106] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5106] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5106] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5103] <... futex resumed>) = 0 [pid 5103] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5103] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5106] <... futex resumed>) = 0 [pid 5106] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5106] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5103] <... futex resumed>) = 0 [pid 5106] <... futex resumed>) = 1 [ 97.520922][ T5104] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 97.528338][ T5104] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 97.537223][ T5104] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 97.543855][ T5104] gfs2: fsid=syz:syz.0: File system withdrawn [ 97.550104][ T5104] CPU: 0 PID: 5104 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 97.560578][ T5104] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 97.570671][ T5104] Call Trace: [ 97.573966][ T5104] [ 97.576923][ T5104] dump_stack_lvl+0x1e7/0x2d0 [ 97.581646][ T5104] ? nf_tcp_handle_invalid+0x650/0x650 [ 97.587163][ T5104] ? panic+0x770/0x770 [ 97.591262][ T5104] ? kobject_uevent_env+0x54e/0x8e0 [ 97.596507][ T5104] gfs2_withdraw+0xf48/0x1550 [ 97.601253][ T5104] ? gfs2_lm+0x240/0x240 [ 97.605522][ T5104] ? gfs2_dirent_scan+0xb2/0x640 [ 97.610486][ T5104] ? panic+0x770/0x770 [ 97.614598][ T5104] ? gfs2_consist_inode_i+0xf5/0x110 [ 97.619906][ T5104] gfs2_dirent_scan+0x512/0x640 [ 97.624776][ T5104] ? gfs2_permission+0x268/0x3c0 [ 97.629766][ T5104] ? gfs2_dirent_search+0x8c0/0x8c0 [ 97.635043][ T5104] gfs2_dirent_search+0x30e/0x8c0 [ 97.640123][ T5104] ? gfs2_dirent_search+0x8c0/0x8c0 [ 97.645376][ T5104] ? generic_permission+0x1df/0x550 [ 97.650601][ T5104] ? gfs2_dir_search+0x2f0/0x2f0 [ 97.655568][ T5104] ? gfs2_permission+0x34a/0x3c0 [ 97.660541][ T5104] gfs2_dir_search+0xb2/0x2f0 [ 97.665250][ T5104] ? do_filldir_main+0x520/0x520 [ 97.670204][ T5104] ? inode_go_held+0xea/0x200 [ 97.674897][ T5104] ? gfs2_glock_wait+0x21a/0x2b0 [ 97.679855][ T5104] gfs2_lookupi+0x460/0x5d0 [ 97.684388][ T5104] ? gfs2_lookup_simple+0x180/0x180 [ 97.689643][ T5104] ? __gfs2_lookup+0xa4/0x270 [ 97.694356][ T5104] ? d_alloc_parallel+0x1262/0x13a0 [ 97.699578][ T5104] __gfs2_lookup+0xa4/0x270 [ 97.704096][ T5104] ? gfs2_atomic_open+0x230/0x230 [ 97.709161][ T5104] ? __init_waitqueue_head+0xae/0x150 [ 97.714578][ T5104] __lookup_slow+0x282/0x3e0 [ 97.719208][ T5104] ? lookup_one_len+0x2d0/0x2d0 [ 97.724085][ T5104] ? down_read+0x1b5/0x2f0 [ 97.728554][ T5104] lookup_slow+0x53/0x70 [ 97.732812][ T5104] link_path_walk+0x9c8/0xe70 [ 97.737519][ T5104] ? handle_lookup_down+0x130/0x130 [ 97.742746][ T5104] ? lockdep_hardirqs_on+0x98/0x140 [ 97.747959][ T5104] path_lookupat+0xa9/0x450 [ 97.752480][ T5104] do_o_path+0x95/0x230 [ 97.756656][ T5104] ? do_tmpfile+0x330/0x330 [ 97.761177][ T5104] ? __alloc_file+0x15a/0x230 [ 97.765874][ T5104] path_openat+0x29f0/0x3170 [ 97.770503][ T5104] ? __stack_depot_save+0x20/0x650 [ 97.775632][ T5104] ? mark_lock+0x9a/0x340 [ 97.779976][ T5104] ? kmem_cache_alloc+0x11f/0x2e0 [ 97.785009][ T5104] ? mark_lock+0x9a/0x340 [ 97.789358][ T5104] ? __lock_acquire+0x1295/0x2000 [ 97.794397][ T5104] ? do_filp_open+0x490/0x490 [ 97.799113][ T5104] do_filp_open+0x234/0x490 [ 97.803634][ T5104] ? vfs_tmpfile+0x4a0/0x4a0 [ 97.808257][ T5104] ? _raw_spin_unlock+0x28/0x40 [ 97.813118][ T5104] ? alloc_fd+0x59c/0x640 [ 97.817475][ T5104] do_sys_openat2+0x13f/0x500 [ 97.822183][ T5104] ? print_irqtrace_events+0x220/0x220 [ 97.827747][ T5104] ? do_sys_open+0x230/0x230 [ 97.832352][ T5104] ? lockdep_hardirqs_on+0x98/0x140 [ 97.837587][ T5104] ? _raw_spin_unlock_irq+0x2e/0x50 [ 97.842829][ T5104] ? ptrace_notify+0x278/0x380 [ 97.847637][ T5104] __x64_sys_openat+0x247/0x290 [ 97.852528][ T5104] ? __ia32_sys_open+0x270/0x270 [ 97.857512][ T5104] ? syscall_enter_from_user_mode+0x32/0x230 [ 97.863515][ T5104] ? syscall_enter_from_user_mode+0x8c/0x230 [ 97.869509][ T5104] do_syscall_64+0x41/0xc0 [ 97.873968][ T5104] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 97.879875][ T5104] RIP: 0033:0x7f0100724159 [ 97.884300][ T5104] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 97.903915][ T5104] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 97.912343][ T5104] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5106] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5104] <... openat resumed>) = -1 EIO (Input/output error) [pid 5104] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5104] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5103] exit_group(0 [pid 5104] <... futex resumed>) = ? [pid 5103] <... exit_group resumed>) = ? [pid 5106] <... futex resumed>) = ? [pid 5104] +++ exited with 0 +++ [pid 5106] +++ exited with 0 +++ [pid 5103] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5103, si_uid=0, si_status=0, si_utime=0, si_stime=39 /* 0.39 s */} --- umount2("./25", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./25/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./25/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./25/binderfs") = 0 [ 97.920327][ T5104] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 97.928304][ T5104] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 97.936294][ T5104] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 97.944274][ T5104] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 97.952270][ T5104] umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./25/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./25/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./25") = 0 mkdir("./26", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5107 ./strace-static-x86_64: Process 5107 attached [pid 5107] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5107] chdir("./26") = 0 [pid 5107] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5107] setpgid(0, 0) = 0 [pid 5107] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5107] write(3, "1000", 4) = 4 [pid 5107] close(3) = 0 [pid 5107] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5107] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5107] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5107] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5107] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5108 attached , parent_tid=[5108], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5108 [pid 5108] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5108] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5107] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5108] <... futex resumed>) = 0 [pid 5107] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5108] memfd_create("syzkaller", 0) = 3 [pid 5108] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5108] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5108] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5108] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5108] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5108] close(3) = 0 [pid 5108] mkdir("./file0", 0777) = 0 [ 98.365792][ T5108] loop0: detected capacity change from 0 to 32768 [ 98.376347][ T5108] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 98.384614][ T5108] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 98.394132][ T5108] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 98.402931][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 98.410048][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5108] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5108] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5108] chdir("./file0") = 0 [pid 5108] ioctl(4, LOOP_CLR_FD) = 0 [pid 5108] close(4) = 0 [pid 5108] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5107] <... futex resumed>) = 0 [pid 5108] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5107] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 98.458043][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 47ms [ 98.465627][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 98.471422][ T5108] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 98.502353][ T5108] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 98.511491][ T5108] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 98.511491][ T5108] inode = 12 2341 [ 98.511491][ T5108] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 98.530664][ T5108] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 98.540765][ T5108] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5108 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5107] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5107] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5107] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5107] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5107] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5110], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5110 [pid 5107] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5107] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5110 attached [pid 5110] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5110] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5110] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5107] <... futex resumed>) = 0 [pid 5107] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5110] <... futex resumed>) = 1 [pid 5107] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5110] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5110] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5107] <... futex resumed>) = 0 [ 98.552892][ T5108] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 98.561560][ T5108] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 98.569100][ T5108] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 98.578310][ T5108] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 98.584955][ T5108] gfs2: fsid=syz:syz.0: File system withdrawn [ 98.591451][ T5108] CPU: 0 PID: 5108 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 98.601902][ T5108] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 98.611982][ T5108] Call Trace: [ 98.615280][ T5108] [ 98.618245][ T5108] dump_stack_lvl+0x1e7/0x2d0 [ 98.622981][ T5108] ? nf_tcp_handle_invalid+0x650/0x650 [ 98.628477][ T5108] ? panic+0x770/0x770 [ 98.632570][ T5108] ? kobject_uevent_env+0x54e/0x8e0 [ 98.637789][ T5108] gfs2_withdraw+0xf48/0x1550 [ 98.642546][ T5108] ? gfs2_lm+0x240/0x240 [ 98.646805][ T5108] ? gfs2_dirent_scan+0xb2/0x640 [ 98.651758][ T5108] ? panic+0x770/0x770 [ 98.655852][ T5108] ? gfs2_consist_inode_i+0xf5/0x110 [ 98.661162][ T5108] gfs2_dirent_scan+0x512/0x640 [ 98.666208][ T5108] ? gfs2_permission+0x268/0x3c0 [ 98.671165][ T5108] ? gfs2_dirent_search+0x8c0/0x8c0 [ 98.676378][ T5108] gfs2_dirent_search+0x30e/0x8c0 [ 98.681420][ T5108] ? gfs2_dirent_search+0x8c0/0x8c0 [ 98.686629][ T5108] ? generic_permission+0x1df/0x550 [ 98.691841][ T5108] ? gfs2_dir_search+0x2f0/0x2f0 [ 98.696790][ T5108] ? gfs2_permission+0x34a/0x3c0 [ 98.701755][ T5108] gfs2_dir_search+0xb2/0x2f0 [ 98.706446][ T5108] ? do_filldir_main+0x520/0x520 [ 98.711394][ T5108] ? inode_go_held+0xea/0x200 [ 98.716107][ T5108] ? gfs2_glock_wait+0x21a/0x2b0 [ 98.721065][ T5108] gfs2_lookupi+0x460/0x5d0 [ 98.725590][ T5108] ? gfs2_lookup_simple+0x180/0x180 [ 98.730807][ T5108] ? __gfs2_lookup+0xa4/0x270 [ 98.735491][ T5108] ? d_alloc_parallel+0x1262/0x13a0 [ 98.740719][ T5108] __gfs2_lookup+0xa4/0x270 [ 98.745234][ T5108] ? gfs2_atomic_open+0x230/0x230 [ 98.750292][ T5108] ? __init_waitqueue_head+0xae/0x150 [ 98.755701][ T5108] __lookup_slow+0x282/0x3e0 [ 98.760327][ T5108] ? lookup_one_len+0x2d0/0x2d0 [ 98.765205][ T5108] ? down_read+0x1b5/0x2f0 [ 98.769646][ T5108] lookup_slow+0x53/0x70 [ 98.773922][ T5108] link_path_walk+0x9c8/0xe70 [ 98.778627][ T5108] ? handle_lookup_down+0x130/0x130 [ 98.783848][ T5108] ? lockdep_hardirqs_on+0x98/0x140 [ 98.789060][ T5108] path_lookupat+0xa9/0x450 [ 98.793577][ T5108] do_o_path+0x95/0x230 [ 98.797750][ T5108] ? do_tmpfile+0x330/0x330 [ 98.802275][ T5108] ? __alloc_file+0x15a/0x230 [ 98.807144][ T5108] path_openat+0x29f0/0x3170 [ 98.811754][ T5108] ? __stack_depot_save+0x20/0x650 [ 98.816885][ T5108] ? mark_lock+0x9a/0x340 [ 98.821231][ T5108] ? kmem_cache_alloc+0x11f/0x2e0 [ 98.826268][ T5108] ? mark_lock+0x9a/0x340 [ 98.830629][ T5108] ? __lock_acquire+0x1295/0x2000 [ 98.835673][ T5108] ? do_filp_open+0x490/0x490 [ 98.840466][ T5108] do_filp_open+0x234/0x490 [ 98.844989][ T5108] ? vfs_tmpfile+0x4a0/0x4a0 [ 98.849615][ T5108] ? _raw_spin_unlock+0x28/0x40 [ 98.854486][ T5108] ? alloc_fd+0x59c/0x640 [ 98.858851][ T5108] do_sys_openat2+0x13f/0x500 [ 98.863596][ T5108] ? print_irqtrace_events+0x220/0x220 [ 98.869089][ T5108] ? do_sys_open+0x230/0x230 [ 98.873704][ T5108] ? lockdep_hardirqs_on+0x98/0x140 [ 98.878918][ T5108] ? _raw_spin_unlock_irq+0x2e/0x50 [ 98.884128][ T5108] ? ptrace_notify+0x278/0x380 [ 98.888919][ T5108] __x64_sys_openat+0x247/0x290 [ 98.893802][ T5108] ? __ia32_sys_open+0x270/0x270 [ 98.898781][ T5108] ? syscall_enter_from_user_mode+0x32/0x230 [ 98.904778][ T5108] ? syscall_enter_from_user_mode+0x8c/0x230 [ 98.910783][ T5108] do_syscall_64+0x41/0xc0 [ 98.915218][ T5108] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 98.921148][ T5108] RIP: 0033:0x7f0100724159 [ 98.925678][ T5108] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 98.945311][ T5108] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5110] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5108] <... openat resumed>) = -1 EIO (Input/output error) [pid 5108] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5108] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5107] exit_group(0 [pid 5108] <... futex resumed>) = ? [pid 5107] <... exit_group resumed>) = ? [pid 5108] +++ exited with 0 +++ [pid 5110] <... futex resumed>) = ? [pid 5110] +++ exited with 0 +++ [pid 5107] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5107, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=36 /* 0.36 s */} --- umount2("./26", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./26/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./26/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./26/binderfs") = 0 [ 98.953764][ T5108] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 98.961878][ T5108] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 98.969865][ T5108] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 98.977843][ T5108] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 98.985837][ T5108] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 98.993837][ T5108] umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./26/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./26/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./26") = 0 mkdir("./27", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5111 ./strace-static-x86_64: Process 5111 attached [pid 5111] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5111] chdir("./27") = 0 [pid 5111] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5111] setpgid(0, 0) = 0 [pid 5111] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5111] write(3, "1000", 4) = 4 [pid 5111] close(3) = 0 [pid 5111] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5111] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5111] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5111] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5111] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5112], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5112 [pid 5111] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5111] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5112 attached [pid 5112] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5112] memfd_create("syzkaller", 0) = 3 [pid 5112] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5112] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5112] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5112] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5112] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5112] close(3) = 0 [pid 5112] mkdir("./file0", 0777) = 0 [ 99.386403][ T5112] loop0: detected capacity change from 0 to 32768 [ 99.398160][ T5112] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 99.406712][ T5112] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 99.416324][ T5112] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 99.425078][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 99.432152][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5112] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5112] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5112] chdir("./file0") = 0 [pid 5112] ioctl(4, LOOP_CLR_FD) = 0 [pid 5112] close(4) = 0 [pid 5112] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5111] <... futex resumed>) = 0 [pid 5112] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5111] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5112] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5111] <... futex resumed>) = 0 [pid 5112] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 99.477035][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 99.485485][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 99.491036][ T5112] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 99.511204][ T5112] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 99.520017][ T5112] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 99.520017][ T5112] inode = 12 2341 [ 99.520017][ T5112] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 99.539195][ T5112] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 99.548609][ T5112] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5112 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 99.559435][ T5112] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 99.568689][ T5112] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5111] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5111] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5111] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5111] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5111] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5114], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5114 [pid 5111] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5111] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5114 attached [pid 5114] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5114] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5114] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5111] <... futex resumed>) = 0 [pid 5111] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5111] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5114] <... futex resumed>) = 1 [pid 5114] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5114] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5111] <... futex resumed>) = 0 [pid 5114] <... futex resumed>) = 1 [ 99.576289][ T5112] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 99.585624][ T5112] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 99.593384][ T5112] gfs2: fsid=syz:syz.0: File system withdrawn [ 99.600630][ T5112] CPU: 1 PID: 5112 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 99.611111][ T5112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 99.621191][ T5112] Call Trace: [ 99.624517][ T5112] [ 99.627499][ T5112] dump_stack_lvl+0x1e7/0x2d0 [ 99.632253][ T5112] ? nf_tcp_handle_invalid+0x650/0x650 [ 99.637817][ T5112] ? panic+0x770/0x770 [ 99.641941][ T5112] ? kobject_uevent_env+0x54e/0x8e0 [ 99.647196][ T5112] gfs2_withdraw+0xf48/0x1550 [ 99.651947][ T5112] ? gfs2_lm+0x240/0x240 [ 99.656228][ T5112] ? gfs2_dirent_scan+0xb2/0x640 [ 99.661201][ T5112] ? panic+0x770/0x770 [ 99.665306][ T5112] ? gfs2_consist_inode_i+0xf5/0x110 [ 99.670648][ T5112] gfs2_dirent_scan+0x512/0x640 [ 99.675521][ T5112] ? gfs2_permission+0x268/0x3c0 [ 99.680496][ T5112] ? gfs2_dirent_search+0x8c0/0x8c0 [ 99.685718][ T5112] gfs2_dirent_search+0x30e/0x8c0 [ 99.690762][ T5112] ? gfs2_dirent_search+0x8c0/0x8c0 [ 99.696088][ T5112] ? generic_permission+0x1df/0x550 [ 99.701345][ T5112] ? gfs2_dir_search+0x2f0/0x2f0 [ 99.706313][ T5112] ? gfs2_permission+0x34a/0x3c0 [ 99.711283][ T5112] gfs2_dir_search+0xb2/0x2f0 [ 99.715977][ T5112] ? do_filldir_main+0x520/0x520 [ 99.720934][ T5112] ? inode_go_held+0xea/0x200 [ 99.725625][ T5112] ? gfs2_glock_wait+0x21a/0x2b0 [ 99.730581][ T5112] gfs2_lookupi+0x460/0x5d0 [ 99.735104][ T5112] ? gfs2_lookup_simple+0x180/0x180 [ 99.740343][ T5112] ? __gfs2_lookup+0xa4/0x270 [ 99.745028][ T5112] ? d_alloc_parallel+0x1262/0x13a0 [ 99.750253][ T5112] __gfs2_lookup+0xa4/0x270 [ 99.754781][ T5112] ? gfs2_atomic_open+0x230/0x230 [ 99.759836][ T5112] ? __init_waitqueue_head+0xae/0x150 [ 99.765232][ T5112] __lookup_slow+0x282/0x3e0 [ 99.769853][ T5112] ? lookup_one_len+0x2d0/0x2d0 [ 99.774739][ T5112] ? down_read+0x1b5/0x2f0 [ 99.779178][ T5112] lookup_slow+0x53/0x70 [ 99.783467][ T5112] link_path_walk+0x9c8/0xe70 [ 99.788184][ T5112] ? handle_lookup_down+0x130/0x130 [ 99.793446][ T5112] ? lockdep_hardirqs_on+0x98/0x140 [ 99.798664][ T5112] path_lookupat+0xa9/0x450 [ 99.803199][ T5112] do_o_path+0x95/0x230 [ 99.807640][ T5112] ? do_tmpfile+0x330/0x330 [ 99.812273][ T5112] ? __alloc_file+0x15a/0x230 [ 99.817001][ T5112] path_openat+0x29f0/0x3170 [ 99.821693][ T5112] ? __stack_depot_save+0x20/0x650 [ 99.826842][ T5112] ? mark_lock+0x9a/0x340 [ 99.831246][ T5112] ? kmem_cache_alloc+0x11f/0x2e0 [ 99.836482][ T5112] ? mark_lock+0x9a/0x340 [ 99.840883][ T5112] ? __lock_acquire+0x1295/0x2000 [ 99.845948][ T5112] ? do_filp_open+0x490/0x490 [ 99.850655][ T5112] do_filp_open+0x234/0x490 [ 99.855189][ T5112] ? vfs_tmpfile+0x4a0/0x4a0 [ 99.859817][ T5112] ? _raw_spin_unlock+0x28/0x40 [ 99.864681][ T5112] ? alloc_fd+0x59c/0x640 [ 99.869056][ T5112] do_sys_openat2+0x13f/0x500 [ 99.873762][ T5112] ? print_irqtrace_events+0x220/0x220 [ 99.879333][ T5112] ? do_sys_open+0x230/0x230 [ 99.883969][ T5112] ? lockdep_hardirqs_on+0x98/0x140 [ 99.889217][ T5112] ? _raw_spin_unlock_irq+0x2e/0x50 [ 99.894438][ T5112] ? ptrace_notify+0x278/0x380 [ 99.899322][ T5112] __x64_sys_openat+0x247/0x290 [ 99.904252][ T5112] ? __ia32_sys_open+0x270/0x270 [ 99.909252][ T5112] ? syscall_enter_from_user_mode+0x32/0x230 [ 99.915393][ T5112] ? syscall_enter_from_user_mode+0x8c/0x230 [ 99.921443][ T5112] do_syscall_64+0x41/0xc0 [ 99.925902][ T5112] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 99.931819][ T5112] RIP: 0033:0x7f0100724159 [ 99.936270][ T5112] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 99.955996][ T5112] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 99.964434][ T5112] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5114] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5112] <... openat resumed>) = -1 EIO (Input/output error) [pid 5112] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5112] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5111] exit_group(0 [pid 5114] <... futex resumed>) = ? [pid 5112] <... futex resumed>) = ? [pid 5111] <... exit_group resumed>) = ? [pid 5114] +++ exited with 0 +++ [pid 5112] +++ exited with 0 +++ [pid 5111] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5111, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=34 /* 0.34 s */} --- umount2("./27", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./27/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./27/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./27/binderfs") = 0 [ 99.972504][ T5112] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 99.980482][ T5112] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 99.988479][ T5112] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 99.996455][ T5112] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 100.004457][ T5112] umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./27/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./27/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./27") = 0 mkdir("./28", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5115 ./strace-static-x86_64: Process 5115 attached [pid 5115] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5115] chdir("./28") = 0 [pid 5115] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5115] setpgid(0, 0) = 0 [pid 5115] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5115] write(3, "1000", 4) = 4 [pid 5115] close(3) = 0 [pid 5115] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5115] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5115] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5115] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5115] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5116 attached , parent_tid=[5116], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5116 [pid 5116] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5116] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5115] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5116] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5115] <... futex resumed>) = 0 [pid 5115] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5116] memfd_create("syzkaller", 0) = 3 [pid 5116] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5116] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5116] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5116] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5116] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5116] close(3) = 0 [pid 5116] mkdir("./file0", 0777) = 0 [ 100.401570][ T5116] loop0: detected capacity change from 0 to 32768 [ 100.424108][ T5116] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 100.432534][ T5116] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 100.442902][ T5116] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 100.452120][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 100.459084][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5116] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5116] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5116] chdir("./file0") = 0 [pid 5116] ioctl(4, LOOP_CLR_FD) = 0 [pid 5116] close(4) = 0 [pid 5116] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5115] <... futex resumed>) = 0 [pid 5116] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 100.497126][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 100.504776][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 100.510216][ T5116] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5115] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 100.538829][ T5116] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 100.548233][ T5116] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 100.548233][ T5116] inode = 12 2341 [ 100.548233][ T5116] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 100.567684][ T5116] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 100.577017][ T5116] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5116 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5115] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5115] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5115] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5115] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5115] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5119], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5119 [pid 5115] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 100.587304][ T5116] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 100.595776][ T5116] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 100.603108][ T5116] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 100.612352][ T5116] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 100.619103][ T5116] gfs2: fsid=syz:syz.0: File system withdrawn [ 100.625255][ T5116] CPU: 0 PID: 5116 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 100.635718][ T5116] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 100.645803][ T5116] Call Trace: [ 100.649106][ T5116] [ 100.652073][ T5116] dump_stack_lvl+0x1e7/0x2d0 [ 100.656820][ T5116] ? nf_tcp_handle_invalid+0x650/0x650 [ 100.662321][ T5116] ? panic+0x770/0x770 [ 100.666443][ T5116] ? kobject_uevent_env+0x54e/0x8e0 [ 100.671708][ T5116] gfs2_withdraw+0xf48/0x1550 [ 100.676419][ T5116] ? gfs2_lm+0x240/0x240 [ 100.680710][ T5116] ? gfs2_dirent_scan+0xb2/0x640 [ 100.685742][ T5116] ? panic+0x770/0x770 [ 100.689844][ T5116] ? gfs2_consist_inode_i+0xf5/0x110 [ 100.695166][ T5116] gfs2_dirent_scan+0x512/0x640 [ 100.700045][ T5116] ? gfs2_permission+0x268/0x3c0 [ 100.705008][ T5116] ? gfs2_dirent_search+0x8c0/0x8c0 [ 100.710223][ T5116] gfs2_dirent_search+0x30e/0x8c0 [ 100.715273][ T5116] ? gfs2_dirent_search+0x8c0/0x8c0 [ 100.720600][ T5116] ? generic_permission+0x1df/0x550 [ 100.725832][ T5116] ? gfs2_dir_search+0x2f0/0x2f0 [ 100.730791][ T5116] ? gfs2_permission+0x34a/0x3c0 [ 100.735762][ T5116] gfs2_dir_search+0xb2/0x2f0 [ 100.740458][ T5116] ? do_filldir_main+0x520/0x520 [ 100.745413][ T5116] ? inode_go_held+0xea/0x200 [ 100.750106][ T5116] ? gfs2_glock_wait+0x21a/0x2b0 [ 100.755065][ T5116] gfs2_lookupi+0x460/0x5d0 [ 100.759608][ T5116] ? gfs2_lookup_simple+0x180/0x180 [ 100.764837][ T5116] ? __gfs2_lookup+0xa4/0x270 [ 100.769526][ T5116] ? d_alloc_parallel+0x1262/0x13a0 [ 100.774745][ T5116] __gfs2_lookup+0xa4/0x270 [ 100.779264][ T5116] ? gfs2_atomic_open+0x230/0x230 [ 100.784309][ T5116] ? __init_waitqueue_head+0xae/0x150 [ 100.789730][ T5116] __lookup_slow+0x282/0x3e0 [ 100.794347][ T5116] ? lookup_one_len+0x2d0/0x2d0 [ 100.799222][ T5116] ? down_read+0x1b5/0x2f0 [ 100.803659][ T5116] lookup_slow+0x53/0x70 [ 100.807915][ T5116] link_path_walk+0x9c8/0xe70 [ 100.812620][ T5116] ? handle_lookup_down+0x130/0x130 [ 100.817839][ T5116] ? lockdep_hardirqs_on+0x98/0x140 [ 100.823049][ T5116] path_lookupat+0xa9/0x450 [ 100.827576][ T5116] do_o_path+0x95/0x230 [ 100.831751][ T5116] ? do_tmpfile+0x330/0x330 [ 100.836273][ T5116] ? __alloc_file+0x15a/0x230 [ 100.840970][ T5116] path_openat+0x29f0/0x3170 [ 100.845602][ T5116] ? __stack_depot_save+0x20/0x650 [ 100.850836][ T5116] ? __lock_acquire+0x1295/0x2000 [ 100.855899][ T5116] ? mark_lock+0x9a/0x340 [ 100.860248][ T5116] ? kmem_cache_alloc+0x11f/0x2e0 [ 100.865288][ T5116] ? mark_lock+0x9a/0x340 [ 100.869659][ T5116] ? __lock_acquire+0x1295/0x2000 [ 100.874699][ T5116] ? do_filp_open+0x490/0x490 [ 100.879412][ T5116] do_filp_open+0x234/0x490 [ 100.883932][ T5116] ? vfs_tmpfile+0x4a0/0x4a0 [ 100.888556][ T5116] ? _raw_spin_unlock+0x28/0x40 [ 100.893415][ T5116] ? alloc_fd+0x59c/0x640 [ 100.897792][ T5116] do_sys_openat2+0x13f/0x500 [ 100.902498][ T5116] ? print_irqtrace_events+0x220/0x220 [ 100.907974][ T5116] ? do_sys_open+0x230/0x230 [ 100.912593][ T5116] ? lockdep_hardirqs_on+0x98/0x140 [ 100.917808][ T5116] ? _raw_spin_unlock_irq+0x2e/0x50 [ 100.923014][ T5116] ? ptrace_notify+0x278/0x380 [ 100.927822][ T5116] __x64_sys_openat+0x247/0x290 [ 100.932696][ T5116] ? __ia32_sys_open+0x270/0x270 [ 100.937654][ T5116] ? syscall_enter_from_user_mode+0x32/0x230 [ 100.943660][ T5116] ? syscall_enter_from_user_mode+0x8c/0x230 [ 100.949655][ T5116] do_syscall_64+0x41/0xc0 [ 100.954089][ T5116] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 100.960107][ T5116] RIP: 0033:0x7f0100724159 [ 100.964575][ T5116] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5115] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5119 attached ) = -1 ETIMEDOUT (Connection timed out) [pid 5119] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5119] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5115] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5119] <... openat resumed>) = -1 EIO (Input/output error) [pid 5119] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5115] <... futex resumed>) = 0 [pid 5119] <... futex resumed>) = 0 [pid 5119] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5115] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5115] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5115] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5120], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5120 [pid 5115] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5115] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5120 attached [pid 5120] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5120] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5120] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5115] <... futex resumed>) = 0 [pid 5120] <... futex resumed>) = 1 [pid 5120] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5116] <... openat resumed>) = -1 EIO (Input/output error) [pid 5116] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5115] exit_group(0 [pid 5120] <... futex resumed>) = ? [pid 5119] <... futex resumed>) = ? [pid 5115] <... exit_group resumed>) = ? [pid 5120] +++ exited with 0 +++ [pid 5119] +++ exited with 0 +++ [pid 5116] +++ exited with 0 +++ [pid 5115] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5115, si_uid=0, si_status=0, si_utime=0, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./28", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./28/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./28/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./28/binderfs") = 0 [ 100.984218][ T5116] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 100.992651][ T5116] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 101.000633][ T5116] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 101.008618][ T5116] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 101.016609][ T5116] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 101.024607][ T5116] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 101.032602][ T5116] umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./28/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./28/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./28") = 0 mkdir("./29", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5121 ./strace-static-x86_64: Process 5121 attached [pid 5121] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5121] chdir("./29") = 0 [pid 5121] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5121] setpgid(0, 0) = 0 [pid 5121] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5121] write(3, "1000", 4) = 4 [pid 5121] close(3) = 0 [pid 5121] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5121] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5121] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5121] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5121] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5122], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5122 [pid 5121] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5122 attached ) = 0 [pid 5121] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5122] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5122] memfd_create("syzkaller", 0) = 3 [pid 5122] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5122] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5122] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5122] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5122] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5122] close(3) = 0 [pid 5122] mkdir("./file0", 0777) = 0 [ 101.471752][ T5122] loop0: detected capacity change from 0 to 32768 [ 101.494589][ T5122] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 101.503195][ T5122] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 101.513945][ T5122] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 101.522946][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 101.529927][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5122] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5122] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5122] chdir("./file0") = 0 [pid 5122] ioctl(4, LOOP_CLR_FD) = 0 [pid 5122] close(4) = 0 [pid 5122] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5121] <... futex resumed>) = 0 [pid 5121] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5121] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5122] <... futex resumed>) = 1 [ 101.569103][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 101.576913][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 101.582389][ T5122] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 101.597366][ T5122] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 101.606272][ T5122] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 101.606272][ T5122] inode = 12 2341 [pid 5122] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5121] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5121] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5121] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [ 101.606272][ T5122] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 101.625559][ T5122] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 101.635298][ T5122] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5122 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 101.645726][ T5122] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 101.654313][ T5122] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5121] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5121] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5125], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5125 [pid 5121] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5121] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5125 attached [ 101.661636][ T5122] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 101.670514][ T5122] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 101.677120][ T5122] gfs2: fsid=syz:syz.0: File system withdrawn [ 101.683456][ T5122] CPU: 0 PID: 5122 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 101.693905][ T5122] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 101.703971][ T5122] Call Trace: [ 101.707269][ T5122] [ 101.710233][ T5122] dump_stack_lvl+0x1e7/0x2d0 ) = -1 ETIMEDOUT (Connection timed out) [pid 5121] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5121] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5121] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5121] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5126], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5126 [pid 5121] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5121] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5126 attached [pid 5126] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5126] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5126] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5121] <... futex resumed>) = 0 [pid 5126] <... futex resumed>) = 1 [ 101.714945][ T5122] ? nf_tcp_handle_invalid+0x650/0x650 [ 101.720434][ T5122] ? panic+0x770/0x770 [ 101.724527][ T5122] ? kobject_uevent_env+0x54e/0x8e0 [ 101.729790][ T5122] gfs2_withdraw+0xf48/0x1550 [ 101.734557][ T5122] ? gfs2_lm+0x240/0x240 [ 101.738863][ T5122] ? gfs2_dirent_scan+0xb2/0x640 [ 101.743870][ T5122] ? panic+0x770/0x770 [ 101.747967][ T5122] ? gfs2_consist_inode_i+0xf5/0x110 [ 101.753289][ T5122] gfs2_dirent_scan+0x512/0x640 [ 101.758268][ T5122] ? gfs2_permission+0x268/0x3c0 [ 101.763239][ T5122] ? gfs2_dirent_search+0x8c0/0x8c0 [ 101.768477][ T5122] gfs2_dirent_search+0x30e/0x8c0 [ 101.773532][ T5122] ? gfs2_dirent_search+0x8c0/0x8c0 [ 101.778784][ T5122] ? generic_permission+0x1df/0x550 [ 101.784015][ T5122] ? gfs2_dir_search+0x2f0/0x2f0 [ 101.788971][ T5122] ? gfs2_permission+0x34a/0x3c0 [ 101.793943][ T5122] gfs2_dir_search+0xb2/0x2f0 [ 101.798638][ T5122] ? do_filldir_main+0x520/0x520 [ 101.803632][ T5122] ? inode_go_held+0xea/0x200 [ 101.808358][ T5122] ? gfs2_glock_wait+0x21a/0x2b0 [ 101.813334][ T5122] gfs2_lookupi+0x460/0x5d0 [ 101.817869][ T5122] ? gfs2_lookup_simple+0x180/0x180 [ 101.823091][ T5122] ? __gfs2_lookup+0xa4/0x270 [ 101.827779][ T5122] ? d_alloc_parallel+0x1262/0x13a0 [ 101.832994][ T5122] __gfs2_lookup+0xa4/0x270 [ 101.837513][ T5122] ? gfs2_atomic_open+0x230/0x230 [ 101.842555][ T5122] ? __init_waitqueue_head+0xae/0x150 [ 101.847947][ T5122] __lookup_slow+0x282/0x3e0 [ 101.852552][ T5122] ? lookup_one_len+0x2d0/0x2d0 [ 101.857422][ T5122] ? down_read+0x1b5/0x2f0 [ 101.861860][ T5122] lookup_slow+0x53/0x70 [ 101.866122][ T5122] link_path_walk+0x9c8/0xe70 [ 101.870854][ T5122] ? handle_lookup_down+0x130/0x130 [ 101.876115][ T5122] ? lockdep_hardirqs_on+0x98/0x140 [ 101.881430][ T5122] path_lookupat+0xa9/0x450 [ 101.885957][ T5122] do_o_path+0x95/0x230 [ 101.890134][ T5122] ? do_tmpfile+0x330/0x330 [ 101.894675][ T5122] ? __alloc_file+0x15a/0x230 [ 101.899371][ T5122] path_openat+0x29f0/0x3170 [ 101.903977][ T5122] ? __stack_depot_save+0x20/0x650 [ 101.909191][ T5122] ? __lock_acquire+0x1295/0x2000 [ 101.914247][ T5122] ? mark_lock+0x9a/0x340 [ 101.918593][ T5122] ? kmem_cache_alloc+0x11f/0x2e0 [ 101.923632][ T5122] ? mark_lock+0x9a/0x340 [ 101.928006][ T5122] ? __lock_acquire+0x1295/0x2000 [ 101.933153][ T5122] ? do_filp_open+0x490/0x490 [ 101.937880][ T5122] do_filp_open+0x234/0x490 [ 101.942399][ T5122] ? vfs_tmpfile+0x4a0/0x4a0 [ 101.947044][ T5122] ? _raw_spin_unlock+0x28/0x40 [ 101.951932][ T5122] ? alloc_fd+0x59c/0x640 [ 101.956307][ T5122] do_sys_openat2+0x13f/0x500 [ 101.961014][ T5122] ? print_irqtrace_events+0x220/0x220 [ 101.966495][ T5122] ? do_sys_open+0x230/0x230 [ 101.971193][ T5122] ? lockdep_hardirqs_on+0x98/0x140 [ 101.976409][ T5122] ? _raw_spin_unlock_irq+0x2e/0x50 [ 101.981620][ T5122] ? ptrace_notify+0x278/0x380 [ 101.986495][ T5122] __x64_sys_openat+0x247/0x290 [ 101.991404][ T5122] ? __ia32_sys_open+0x270/0x270 [ 101.996376][ T5122] ? syscall_enter_from_user_mode+0x32/0x230 [ 102.002377][ T5122] ? syscall_enter_from_user_mode+0x8c/0x230 [ 102.008378][ T5122] do_syscall_64+0x41/0xc0 [ 102.012818][ T5122] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 102.018728][ T5122] RIP: 0033:0x7f0100724159 [ 102.023156][ T5122] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 102.042778][ T5122] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 102.051240][ T5122] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 102.059220][ T5122] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5126] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5125] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5125] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5125] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5125] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5122] <... openat resumed>) = -1 EIO (Input/output error) [pid 5122] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5121] exit_group(0 [pid 5122] <... futex resumed>) = 0 [pid 5122] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5125] <... futex resumed>) = ? [pid 5121] <... exit_group resumed>) = ? [pid 5125] +++ exited with 0 +++ [pid 5126] <... futex resumed>) = ? [pid 5126] +++ exited with 0 +++ [pid 5122] <... futex resumed>) = ? [pid 5122] +++ exited with 0 +++ [pid 5121] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5121, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./29", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./29/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./29/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 [ 102.067202][ T5122] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 102.075233][ T5122] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 102.083252][ T5122] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 102.091262][ T5122] unlink("./29/binderfs") = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./29/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./29/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./29") = 0 mkdir("./30", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5129 ./strace-static-x86_64: Process 5129 attached [pid 5129] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5129] chdir("./30") = 0 [pid 5129] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5129] setpgid(0, 0) = 0 [pid 5129] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5129] write(3, "1000", 4) = 4 [pid 5129] close(3) = 0 [pid 5129] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5129] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5129] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5129] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5129] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5130], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5130 [pid 5129] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5129] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5130 attached [pid 5130] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5130] memfd_create("syzkaller", 0) = 3 [pid 5130] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5130] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5130] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5130] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5130] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5130] close(3) = 0 [pid 5130] mkdir("./file0", 0777) = 0 [ 102.583478][ T5130] loop0: detected capacity change from 0 to 32768 [ 102.594724][ T5130] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 102.603507][ T5130] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 102.614535][ T5130] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 102.623660][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 102.631193][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5130] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5130] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5130] chdir("./file0") = 0 [pid 5130] ioctl(4, LOOP_CLR_FD) = 0 [pid 5130] close(4) = 0 [pid 5130] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5129] <... futex resumed>) = 0 [pid 5130] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5129] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5130] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5129] <... futex resumed>) = 0 [pid 5130] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 102.668487][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 102.677393][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 102.682728][ T5130] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 102.697739][ T5130] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 102.706228][ T5130] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 102.706228][ T5130] inode = 12 2341 [pid 5129] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5129] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5129] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5129] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5129] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5133], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5133 [pid 5129] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5129] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5133 attached [pid 5133] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5133] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [ 102.706228][ T5130] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 102.726572][ T5130] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 102.736000][ T5130] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5130 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 102.746265][ T5130] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 102.755047][ T5130] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5133] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5129] <... futex resumed>) = 0 [pid 5129] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5129] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5133] <... futex resumed>) = 1 [pid 5133] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5133] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5129] <... futex resumed>) = 0 [pid 5133] <... futex resumed>) = 1 [ 102.762454][ T5130] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 102.771359][ T5130] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 102.779719][ T5130] gfs2: fsid=syz:syz.0: File system withdrawn [ 102.785815][ T5130] CPU: 0 PID: 5130 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 102.796257][ T5130] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 102.806326][ T5130] Call Trace: [ 102.809628][ T5130] [ 102.812590][ T5130] dump_stack_lvl+0x1e7/0x2d0 [ 102.817298][ T5130] ? nf_tcp_handle_invalid+0x650/0x650 [ 102.822795][ T5130] ? panic+0x770/0x770 [ 102.826926][ T5130] ? kobject_uevent_env+0x54e/0x8e0 [ 102.832180][ T5130] gfs2_withdraw+0xf48/0x1550 [ 102.836907][ T5130] ? gfs2_lm+0x240/0x240 [ 102.841176][ T5130] ? gfs2_dirent_scan+0xb2/0x640 [ 102.846159][ T5130] ? panic+0x770/0x770 [ 102.850270][ T5130] ? gfs2_consist_inode_i+0xf5/0x110 [ 102.855590][ T5130] gfs2_dirent_scan+0x512/0x640 [ 102.860490][ T5130] ? gfs2_permission+0x268/0x3c0 [ 102.865446][ T5130] ? gfs2_dirent_search+0x8c0/0x8c0 [ 102.870673][ T5130] gfs2_dirent_search+0x30e/0x8c0 [ 102.875711][ T5130] ? gfs2_dirent_search+0x8c0/0x8c0 [ 102.881082][ T5130] ? generic_permission+0x1df/0x550 [ 102.886303][ T5130] ? gfs2_dir_search+0x2f0/0x2f0 [ 102.891273][ T5130] ? gfs2_permission+0x34a/0x3c0 [ 102.896252][ T5130] gfs2_dir_search+0xb2/0x2f0 [ 102.900963][ T5130] ? do_filldir_main+0x520/0x520 [ 102.905921][ T5130] ? inode_go_held+0xea/0x200 [ 102.910617][ T5130] ? gfs2_glock_wait+0x21a/0x2b0 [ 102.915580][ T5130] gfs2_lookupi+0x460/0x5d0 [ 102.920108][ T5130] ? gfs2_lookup_simple+0x180/0x180 [ 102.925350][ T5130] ? __gfs2_lookup+0xa4/0x270 [ 102.930151][ T5130] ? d_alloc_parallel+0x1262/0x13a0 [ 102.935382][ T5130] __gfs2_lookup+0xa4/0x270 [ 102.939904][ T5130] ? gfs2_atomic_open+0x230/0x230 [ 102.944948][ T5130] ? __init_waitqueue_head+0xae/0x150 [ 102.950344][ T5130] __lookup_slow+0x282/0x3e0 [ 102.954955][ T5130] ? lookup_one_len+0x2d0/0x2d0 [ 102.959850][ T5130] ? __rcu_read_unlock+0x96/0x100 [ 102.964904][ T5130] ? down_read+0x1b5/0x2f0 [ 102.969429][ T5130] lookup_slow+0x53/0x70 [ 102.973684][ T5130] link_path_walk+0x9c8/0xe70 [ 102.978386][ T5130] ? handle_lookup_down+0x130/0x130 [ 102.983621][ T5130] ? lockdep_hardirqs_on+0x98/0x140 [ 102.988835][ T5130] path_lookupat+0xa9/0x450 [ 102.993355][ T5130] do_o_path+0x95/0x230 [ 102.997531][ T5130] ? do_tmpfile+0x330/0x330 [ 103.002048][ T5130] ? __alloc_file+0x15a/0x230 [ 103.006739][ T5130] path_openat+0x29f0/0x3170 [ 103.011344][ T5130] ? __stack_depot_save+0x20/0x650 [ 103.016473][ T5130] ? mark_lock+0x9a/0x340 [ 103.020837][ T5130] ? kmem_cache_alloc+0x11f/0x2e0 [ 103.025874][ T5130] ? mark_lock+0x9a/0x340 [ 103.030229][ T5130] ? __lock_acquire+0x1295/0x2000 [ 103.035267][ T5130] ? do_filp_open+0x490/0x490 [ 103.039991][ T5130] do_filp_open+0x234/0x490 [ 103.044509][ T5130] ? vfs_tmpfile+0x4a0/0x4a0 [ 103.049130][ T5130] ? _raw_spin_unlock+0x28/0x40 [ 103.053990][ T5130] ? alloc_fd+0x59c/0x640 [ 103.058346][ T5130] do_sys_openat2+0x13f/0x500 [ 103.063037][ T5130] ? print_irqtrace_events+0x220/0x220 [ 103.068513][ T5130] ? do_sys_open+0x230/0x230 [ 103.073137][ T5130] ? lockdep_hardirqs_on+0x98/0x140 [ 103.078353][ T5130] ? _raw_spin_unlock_irq+0x2e/0x50 [ 103.083558][ T5130] ? ptrace_notify+0x278/0x380 [ 103.088346][ T5130] __x64_sys_openat+0x247/0x290 [ 103.093214][ T5130] ? __ia32_sys_open+0x270/0x270 [ 103.098184][ T5130] ? syscall_enter_from_user_mode+0x32/0x230 [ 103.104180][ T5130] ? syscall_enter_from_user_mode+0x8c/0x230 [ 103.110177][ T5130] do_syscall_64+0x41/0xc0 [ 103.114617][ T5130] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 103.120613][ T5130] RIP: 0033:0x7f0100724159 [ 103.125039][ T5130] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 103.144654][ T5130] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 103.153078][ T5130] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 103.161059][ T5130] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5133] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5130] <... openat resumed>) = -1 EIO (Input/output error) [pid 5130] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5129] exit_group(0) = ? [pid 5133] <... futex resumed>) = ? [pid 5133] +++ exited with 0 +++ [pid 5130] <... futex resumed>) = ? [pid 5130] +++ exited with 0 +++ [pid 5129] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5129, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./30", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./30/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./30/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./30/binderfs") = 0 [ 103.169128][ T5130] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 103.177117][ T5130] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 103.185112][ T5130] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 103.193107][ T5130] umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./30/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./30/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./30") = 0 mkdir("./31", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5135 ./strace-static-x86_64: Process 5135 attached [pid 5135] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5135] chdir("./31") = 0 [pid 5135] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5135] setpgid(0, 0) = 0 [pid 5135] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5135] write(3, "1000", 4) = 4 [pid 5135] close(3) = 0 [pid 5135] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5135] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5135] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5135] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5135] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5136 attached , parent_tid=[5136], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5136 [pid 5135] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5135] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5136] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5136] memfd_create("syzkaller", 0) = 3 [pid 5136] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5136] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5136] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5136] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5136] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5136] close(3) = 0 [pid 5136] mkdir("./file0", 0777) = 0 [ 103.605668][ T5136] loop0: detected capacity change from 0 to 32768 [ 103.617085][ T5136] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 103.625855][ T5136] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 103.635844][ T5136] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 103.645031][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 103.652042][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5136] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5136] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5136] chdir("./file0") = 0 [pid 5136] ioctl(4, LOOP_CLR_FD) = 0 [pid 5136] close(4) = 0 [pid 5136] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5135] <... futex resumed>) = 0 [pid 5136] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5135] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5136] <... futex resumed>) = 0 [pid 5135] <... futex resumed>) = 1 [pid 5136] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 103.695308][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 103.703766][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 103.709245][ T5136] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 103.728928][ T5136] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 103.738245][ T5136] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5135] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5135] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5135] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5135] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [ 103.738245][ T5136] inode = 12 2341 [ 103.738245][ T5136] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 103.757354][ T5136] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 103.766757][ T5136] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5136 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 103.777738][ T5136] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5135] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5138], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5138 [pid 5135] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5135] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5138 attached [pid 5138] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5138] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5135] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5135] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5135] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5135] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [ 103.789461][ T5136] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 103.800076][ T5136] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 103.808994][ T5136] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 103.815993][ T5136] gfs2: fsid=syz:syz.0: File system withdrawn [ 103.823216][ T5136] CPU: 0 PID: 5136 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 103.833705][ T5136] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [pid 5135] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5139], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5139 [pid 5135] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5135] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5139 attached [pid 5139] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5139] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5139] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5135] <... futex resumed>) = 0 [pid 5139] <... futex resumed>) = 1 [ 103.843789][ T5136] Call Trace: [ 103.847110][ T5136] [ 103.850082][ T5136] dump_stack_lvl+0x1e7/0x2d0 [ 103.854823][ T5136] ? nf_tcp_handle_invalid+0x650/0x650 [ 103.860348][ T5136] ? panic+0x770/0x770 [ 103.864462][ T5136] ? kobject_uevent_env+0x54e/0x8e0 [ 103.869686][ T5136] gfs2_withdraw+0xf48/0x1550 [ 103.874407][ T5136] ? gfs2_lm+0x240/0x240 [ 103.878676][ T5136] ? gfs2_dirent_scan+0xb2/0x640 [ 103.883629][ T5136] ? panic+0x770/0x770 [ 103.887715][ T5136] ? gfs2_consist_inode_i+0xf5/0x110 [ 103.893052][ T5136] gfs2_dirent_scan+0x512/0x640 [ 103.897915][ T5136] ? gfs2_permission+0x268/0x3c0 [ 103.902877][ T5136] ? gfs2_dirent_search+0x8c0/0x8c0 [ 103.908101][ T5136] gfs2_dirent_search+0x30e/0x8c0 [ 103.913228][ T5136] ? gfs2_dirent_search+0x8c0/0x8c0 [ 103.918437][ T5136] ? generic_permission+0x1df/0x550 [ 103.923648][ T5136] ? gfs2_dir_search+0x2f0/0x2f0 [ 103.928601][ T5136] ? gfs2_permission+0x34a/0x3c0 [ 103.933568][ T5136] gfs2_dir_search+0xb2/0x2f0 [ 103.938258][ T5136] ? do_filldir_main+0x520/0x520 [ 103.943214][ T5136] ? inode_go_held+0xea/0x200 [ 103.947903][ T5136] ? gfs2_glock_wait+0x21a/0x2b0 [ 103.952861][ T5136] gfs2_lookupi+0x460/0x5d0 [ 103.957560][ T5136] ? gfs2_lookup_simple+0x180/0x180 [ 103.962790][ T5136] ? __gfs2_lookup+0xa4/0x270 [ 103.967480][ T5136] ? d_alloc_parallel+0x1262/0x13a0 [ 103.972704][ T5136] __gfs2_lookup+0xa4/0x270 [ 103.977307][ T5136] ? gfs2_atomic_open+0x230/0x230 [ 103.982346][ T5136] ? __init_waitqueue_head+0xae/0x150 [ 103.987736][ T5136] __lookup_slow+0x282/0x3e0 [ 103.992337][ T5136] ? lookup_one_len+0x2d0/0x2d0 [ 103.997206][ T5136] ? down_read+0x1b5/0x2f0 [ 104.001652][ T5136] lookup_slow+0x53/0x70 [ 104.005904][ T5136] link_path_walk+0x9c8/0xe70 [ 104.010623][ T5136] ? handle_lookup_down+0x130/0x130 [ 104.015842][ T5136] ? lockdep_hardirqs_on+0x98/0x140 [ 104.021058][ T5136] path_lookupat+0xa9/0x450 [ 104.025592][ T5136] do_o_path+0x95/0x230 [ 104.030179][ T5136] ? do_tmpfile+0x330/0x330 [ 104.034697][ T5136] ? __alloc_file+0x15a/0x230 [ 104.039404][ T5136] path_openat+0x29f0/0x3170 [ 104.044011][ T5136] ? __stack_depot_save+0x20/0x650 [ 104.049142][ T5136] ? mark_lock+0x9a/0x340 [ 104.053484][ T5136] ? kmem_cache_alloc+0x11f/0x2e0 [ 104.058519][ T5136] ? mark_lock+0x9a/0x340 [ 104.062866][ T5136] ? __lock_acquire+0x1295/0x2000 [ 104.067904][ T5136] ? do_filp_open+0x490/0x490 [ 104.072613][ T5136] do_filp_open+0x234/0x490 [ 104.077132][ T5136] ? vfs_tmpfile+0x4a0/0x4a0 [ 104.081760][ T5136] ? _raw_spin_unlock+0x28/0x40 [ 104.086621][ T5136] ? alloc_fd+0x59c/0x640 [ 104.090978][ T5136] do_sys_openat2+0x13f/0x500 [ 104.095668][ T5136] ? print_irqtrace_events+0x220/0x220 [ 104.101142][ T5136] ? do_sys_open+0x230/0x230 [ 104.105756][ T5136] ? lockdep_hardirqs_on+0x98/0x140 [ 104.110965][ T5136] ? _raw_spin_unlock_irq+0x2e/0x50 [ 104.116173][ T5136] ? ptrace_notify+0x278/0x380 [ 104.120954][ T5136] __x64_sys_openat+0x247/0x290 [ 104.125820][ T5136] ? __ia32_sys_open+0x270/0x270 [ 104.130952][ T5136] ? syscall_enter_from_user_mode+0x32/0x230 [ 104.136946][ T5136] ? syscall_enter_from_user_mode+0x8c/0x230 [ 104.142941][ T5136] do_syscall_64+0x41/0xc0 [ 104.147378][ T5136] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 104.153283][ T5136] RIP: 0033:0x7f0100724159 [ 104.157710][ T5136] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 104.177326][ T5136] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 104.185754][ T5136] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5139] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5138] <... openat resumed>) = -1 EIO (Input/output error) [pid 5136] <... openat resumed>) = -1 EIO (Input/output error) [pid 5138] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5136] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5135] exit_group(0 [pid 5136] <... futex resumed>) = ? [pid 5135] <... exit_group resumed>) = ? [pid 5138] <... futex resumed>) = ? [pid 5136] +++ exited with 0 +++ [pid 5139] <... futex resumed>) = ? [pid 5138] +++ exited with 0 +++ [pid 5139] +++ exited with 0 +++ [pid 5135] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5135, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=28 /* 0.28 s */} --- umount2("./31", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./31/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./31/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./31/binderfs") = 0 [ 104.193737][ T5136] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 104.201714][ T5136] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 104.209690][ T5136] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 104.217680][ T5136] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 104.225675][ T5136] umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./31/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./31/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./31") = 0 mkdir("./32", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5140 ./strace-static-x86_64: Process 5140 attached [pid 5140] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5140] chdir("./32") = 0 [pid 5140] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5140] setpgid(0, 0) = 0 [pid 5140] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5140] write(3, "1000", 4) = 4 [pid 5140] close(3) = 0 [pid 5140] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5140] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5140] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5140] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5140] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5141 attached , parent_tid=[5141], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5141 [pid 5140] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5141] set_robust_list(0x7f01006c89e0, 24 [pid 5140] <... futex resumed>) = 0 [pid 5140] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5141] <... set_robust_list resumed>) = 0 [pid 5141] memfd_create("syzkaller", 0) = 3 [pid 5141] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5141] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5141] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5141] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5141] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5141] close(3) = 0 [pid 5141] mkdir("./file0", 0777) = 0 [ 104.606692][ T5141] loop0: detected capacity change from 0 to 32768 [ 104.618054][ T5141] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 104.626307][ T5141] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 104.636674][ T5141] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 104.645663][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 104.652954][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5141] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5141] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5141] chdir("./file0") = 0 [pid 5141] ioctl(4, LOOP_CLR_FD) = 0 [pid 5141] close(4) = 0 [pid 5141] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5140] <... futex resumed>) = 0 [pid 5141] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5140] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5141] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5140] <... futex resumed>) = 0 [pid 5141] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 104.693414][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 104.701201][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 104.706529][ T5141] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 104.728219][ T5141] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5140] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 104.737427][ T5141] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 104.737427][ T5141] inode = 12 2341 [ 104.737427][ T5141] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 104.756694][ T5141] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 104.766421][ T5141] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5141 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 104.776805][ T5141] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 104.785529][ T5141] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5140] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5140] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5140] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5140] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5143], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5143 [pid 5140] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5140] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5143 attached [pid 5143] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 104.793187][ T5141] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 104.802431][ T5141] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 104.809599][ T5141] gfs2: fsid=syz:syz.0: File system withdrawn [ 104.815850][ T5141] CPU: 0 PID: 5141 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 104.826317][ T5141] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 104.836474][ T5141] Call Trace: [ 104.839762][ T5141] [ 104.842705][ T5141] dump_stack_lvl+0x1e7/0x2d0 [ 104.847407][ T5141] ? nf_tcp_handle_invalid+0x650/0x650 [ 104.852913][ T5141] ? panic+0x770/0x770 [ 104.857010][ T5141] ? kobject_uevent_env+0x54e/0x8e0 [ 104.862245][ T5141] gfs2_withdraw+0xf48/0x1550 [ 104.866970][ T5141] ? gfs2_lm+0x240/0x240 [ 104.871321][ T5141] ? gfs2_dirent_scan+0xb2/0x640 [ 104.876314][ T5141] ? panic+0x770/0x770 [ 104.880402][ T5141] ? gfs2_consist_inode_i+0xf5/0x110 [ 104.885711][ T5141] gfs2_dirent_scan+0x512/0x640 [ 104.890590][ T5141] ? gfs2_permission+0x268/0x3c0 [ 104.895561][ T5141] ? gfs2_dirent_search+0x8c0/0x8c0 [ 104.900834][ T5141] gfs2_dirent_search+0x30e/0x8c0 [ 104.905891][ T5141] ? gfs2_dirent_search+0x8c0/0x8c0 [ 104.911116][ T5141] ? generic_permission+0x1df/0x550 [ 104.916335][ T5141] ? gfs2_dir_search+0x2f0/0x2f0 [ 104.921431][ T5141] ? gfs2_permission+0x34a/0x3c0 [ 104.926437][ T5141] gfs2_dir_search+0xb2/0x2f0 [ 104.931260][ T5141] ? do_filldir_main+0x520/0x520 [ 104.936238][ T5141] ? inode_go_held+0xea/0x200 [ 104.940971][ T5141] ? gfs2_glock_wait+0x21a/0x2b0 [ 104.946059][ T5141] gfs2_lookupi+0x460/0x5d0 [ 104.950662][ T5141] ? gfs2_lookup_simple+0x180/0x180 [ 104.956109][ T5141] ? __gfs2_lookup+0xa4/0x270 [ 104.960815][ T5141] ? d_alloc_parallel+0x1262/0x13a0 [ 104.966110][ T5141] __gfs2_lookup+0xa4/0x270 [ 104.970690][ T5141] ? gfs2_atomic_open+0x230/0x230 [ 104.976049][ T5141] ? __init_waitqueue_head+0xae/0x150 [ 104.981845][ T5141] __lookup_slow+0x282/0x3e0 [ 104.986675][ T5141] ? lookup_one_len+0x2d0/0x2d0 [ 104.991780][ T5141] ? down_read+0x1b5/0x2f0 [ 104.996270][ T5141] lookup_slow+0x53/0x70 [ 105.000677][ T5141] link_path_walk+0x9c8/0xe70 [ 105.005527][ T5141] ? handle_lookup_down+0x130/0x130 [ 105.010805][ T5141] ? lockdep_hardirqs_on+0x98/0x140 [ 105.016251][ T5141] path_lookupat+0xa9/0x450 [ 105.021161][ T5141] do_o_path+0x95/0x230 [ 105.025504][ T5141] ? do_tmpfile+0x330/0x330 [ 105.030227][ T5141] ? __alloc_file+0x15a/0x230 [ 105.035614][ T5141] path_openat+0x29f0/0x3170 [ 105.040442][ T5141] ? __stack_depot_save+0x20/0x650 [ 105.045604][ T5141] ? mark_lock+0x9a/0x340 [ 105.049996][ T5141] ? kmem_cache_alloc+0x11f/0x2e0 [ 105.055060][ T5141] ? mark_lock+0x9a/0x340 [ 105.059448][ T5141] ? __lock_acquire+0x1295/0x2000 [ 105.064508][ T5141] ? do_filp_open+0x490/0x490 [ 105.069248][ T5141] do_filp_open+0x234/0x490 [ 105.073813][ T5141] ? vfs_tmpfile+0x4a0/0x4a0 [ 105.078556][ T5141] ? _raw_spin_unlock+0x28/0x40 [ 105.083442][ T5141] ? alloc_fd+0x59c/0x640 [ 105.087805][ T5141] do_sys_openat2+0x13f/0x500 [ 105.092860][ T5141] ? print_irqtrace_events+0x220/0x220 [ 105.098342][ T5141] ? do_sys_open+0x230/0x230 [ 105.102952][ T5141] ? lockdep_hardirqs_on+0x98/0x140 [ 105.108164][ T5141] ? _raw_spin_unlock_irq+0x2e/0x50 [ 105.113371][ T5141] ? ptrace_notify+0x278/0x380 [ 105.118174][ T5141] __x64_sys_openat+0x247/0x290 [ 105.123051][ T5141] ? __ia32_sys_open+0x270/0x270 [ 105.128016][ T5141] ? syscall_enter_from_user_mode+0x32/0x230 [ 105.134541][ T5141] ? syscall_enter_from_user_mode+0x8c/0x230 [ 105.140542][ T5141] do_syscall_64+0x41/0xc0 [ 105.145065][ T5141] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 105.150972][ T5141] RIP: 0033:0x7f0100724159 [ 105.155416][ T5141] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 105.175034][ T5141] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 105.183461][ T5141] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5143] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5140] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5143] <... openat resumed>) = -1 EIO (Input/output error) [pid 5141] <... openat resumed>) = -1 EIO (Input/output error) [pid 5140] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5143] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5141] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5143] <... futex resumed>) = 0 [pid 5141] <... futex resumed>) = 0 [pid 5143] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5141] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5140] <... futex resumed>) = 0 [pid 5140] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5140] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5140] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5144 attached , parent_tid=[5144], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5144 [pid 5140] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5140] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5144] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5144] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5144] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5140] <... futex resumed>) = 0 [pid 5140] exit_group(0 [pid 5143] <... futex resumed>) = ? [pid 5141] <... futex resumed>) = ? [pid 5140] <... exit_group resumed>) = ? [pid 5143] +++ exited with 0 +++ [pid 5141] +++ exited with 0 +++ [pid 5144] <... futex resumed>) = ? [pid 5144] +++ exited with 0 +++ [pid 5140] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5140, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./32", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./32", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./32/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./32/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./32/binderfs") = 0 [ 105.191442][ T5141] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 105.199420][ T5141] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 105.207488][ T5141] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 105.215481][ T5141] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 105.223499][ T5141] umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./32/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./32/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./32/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./32") = 0 mkdir("./33", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5145 ./strace-static-x86_64: Process 5145 attached [pid 5145] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5145] chdir("./33") = 0 [pid 5145] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5145] setpgid(0, 0) = 0 [pid 5145] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5145] write(3, "1000", 4) = 4 [pid 5145] close(3) = 0 [pid 5145] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5145] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5145] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5145] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5145] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5146], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5146 [pid 5145] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5145] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5146 attached [pid 5146] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5146] memfd_create("syzkaller", 0) = 3 [pid 5146] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5146] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5146] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5146] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5146] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5146] close(3) = 0 [pid 5146] mkdir("./file0", 0777) = 0 [ 105.604096][ T5146] loop0: detected capacity change from 0 to 32768 [ 105.616136][ T5146] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 105.624537][ T5146] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 105.634703][ T5146] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 105.643902][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 105.650841][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5146] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5146] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5146] chdir("./file0") = 0 [pid 5146] ioctl(4, LOOP_CLR_FD) = 0 [pid 5146] close(4) = 0 [pid 5146] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5145] <... futex resumed>) = 0 [pid 5145] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5145] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5146] <... futex resumed>) = 1 [ 105.688040][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 105.696413][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 105.701863][ T5146] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 105.719877][ T5146] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 105.728788][ T5146] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5146] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5145] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5145] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5145] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5145] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5145] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5148 attached , parent_tid=[5148], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5148 [pid 5145] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5145] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5148] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 105.728788][ T5146] inode = 12 2341 [ 105.728788][ T5146] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 105.748614][ T5146] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 105.758175][ T5146] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5146 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 105.768605][ T5146] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 105.780185][ T5146] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5148] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5148] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5145] <... futex resumed>) = 0 [pid 5145] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5145] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5148] <... futex resumed>) = 1 [pid 5148] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5148] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5145] <... futex resumed>) = 0 [pid 5148] <... futex resumed>) = 1 [ 105.787829][ T5146] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 105.796665][ T5146] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 105.804414][ T5146] gfs2: fsid=syz:syz.0: File system withdrawn [ 105.810811][ T5146] CPU: 0 PID: 5146 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 105.821267][ T5146] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 105.831366][ T5146] Call Trace: [ 105.834689][ T5146] [ 105.837667][ T5146] dump_stack_lvl+0x1e7/0x2d0 [ 105.842396][ T5146] ? nf_tcp_handle_invalid+0x650/0x650 [ 105.847890][ T5146] ? panic+0x770/0x770 [ 105.852013][ T5146] ? kobject_uevent_env+0x54e/0x8e0 [ 105.857274][ T5146] gfs2_withdraw+0xf48/0x1550 [ 105.862010][ T5146] ? gfs2_lm+0x240/0x240 [ 105.866294][ T5146] ? gfs2_dirent_scan+0xb2/0x640 [ 105.871262][ T5146] ? panic+0x770/0x770 [ 105.875459][ T5146] ? gfs2_consist_inode_i+0xf5/0x110 [ 105.880786][ T5146] gfs2_dirent_scan+0x512/0x640 [ 105.885654][ T5146] ? gfs2_permission+0x268/0x3c0 [ 105.890638][ T5146] ? gfs2_dirent_search+0x8c0/0x8c0 [ 105.895876][ T5146] gfs2_dirent_search+0x30e/0x8c0 [ 105.900944][ T5146] ? gfs2_dirent_search+0x8c0/0x8c0 [ 105.906194][ T5146] ? generic_permission+0x1df/0x550 [ 105.911412][ T5146] ? gfs2_dir_search+0x2f0/0x2f0 [ 105.916365][ T5146] ? gfs2_permission+0x34a/0x3c0 [ 105.921349][ T5146] gfs2_dir_search+0xb2/0x2f0 [ 105.926049][ T5146] ? do_filldir_main+0x520/0x520 [ 105.931011][ T5146] ? inode_go_held+0xea/0x200 [ 105.935707][ T5146] ? gfs2_glock_wait+0x21a/0x2b0 [ 105.940666][ T5146] gfs2_lookupi+0x460/0x5d0 [ 105.945193][ T5146] ? gfs2_lookup_simple+0x180/0x180 [ 105.950415][ T5146] ? __gfs2_lookup+0xa4/0x270 [ 105.955115][ T5146] ? d_alloc_parallel+0x1262/0x13a0 [ 105.960329][ T5146] __gfs2_lookup+0xa4/0x270 [ 105.964862][ T5146] ? gfs2_atomic_open+0x230/0x230 [ 105.969940][ T5146] ? __init_waitqueue_head+0xae/0x150 [ 105.975343][ T5146] __lookup_slow+0x282/0x3e0 [ 105.979948][ T5146] ? lookup_one_len+0x2d0/0x2d0 [ 105.984822][ T5146] ? down_read+0x1b5/0x2f0 [ 105.989283][ T5146] lookup_slow+0x53/0x70 [ 105.993538][ T5146] link_path_walk+0x9c8/0xe70 [ 105.998343][ T5146] ? handle_lookup_down+0x130/0x130 [ 106.003563][ T5146] ? lockdep_hardirqs_on+0x98/0x140 [ 106.008778][ T5146] path_lookupat+0xa9/0x450 [ 106.013302][ T5146] do_o_path+0x95/0x230 [ 106.017565][ T5146] ? do_tmpfile+0x330/0x330 [ 106.022088][ T5146] ? __alloc_file+0x15a/0x230 [ 106.026955][ T5146] path_openat+0x29f0/0x3170 [ 106.031563][ T5146] ? __stack_depot_save+0x20/0x650 [ 106.036686][ T5146] ? __lock_acquire+0x1295/0x2000 [ 106.041727][ T5146] ? mark_lock+0x9a/0x340 [ 106.046071][ T5146] ? kmem_cache_alloc+0x11f/0x2e0 [ 106.051105][ T5146] ? mark_lock+0x9a/0x340 [ 106.055450][ T5146] ? __lock_acquire+0x1295/0x2000 [ 106.060487][ T5146] ? do_filp_open+0x490/0x490 [ 106.065193][ T5146] do_filp_open+0x234/0x490 [ 106.069714][ T5146] ? vfs_tmpfile+0x4a0/0x4a0 [ 106.074333][ T5146] ? _raw_spin_unlock+0x28/0x40 [ 106.079194][ T5146] ? alloc_fd+0x59c/0x640 [ 106.083565][ T5146] do_sys_openat2+0x13f/0x500 [ 106.088261][ T5146] ? print_irqtrace_events+0x220/0x220 [ 106.093738][ T5146] ? do_sys_open+0x230/0x230 [ 106.098367][ T5146] ? lockdep_hardirqs_on+0x98/0x140 [ 106.104277][ T5146] ? _raw_spin_unlock_irq+0x2e/0x50 [ 106.109483][ T5146] ? ptrace_notify+0x278/0x380 [ 106.114274][ T5146] __x64_sys_openat+0x247/0x290 [ 106.119143][ T5146] ? __ia32_sys_open+0x270/0x270 [ 106.124101][ T5146] ? syscall_enter_from_user_mode+0x32/0x230 [ 106.130098][ T5146] ? syscall_enter_from_user_mode+0x8c/0x230 [ 106.136098][ T5146] do_syscall_64+0x41/0xc0 [ 106.140534][ T5146] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 106.146440][ T5146] RIP: 0033:0x7f0100724159 [ 106.150868][ T5146] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 106.170483][ T5146] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 106.179004][ T5146] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5148] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5146] <... openat resumed>) = -1 EIO (Input/output error) [pid 5146] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5146] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5145] exit_group(0 [pid 5146] <... futex resumed>) = ? [pid 5146] +++ exited with 0 +++ [pid 5145] <... exit_group resumed>) = ? [pid 5148] <... futex resumed>) = ? [pid 5148] +++ exited with 0 +++ [pid 5145] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5145, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=34 /* 0.34 s */} --- umount2("./33", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./33", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./33/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./33/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./33/binderfs") = 0 [ 106.186986][ T5146] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 106.194985][ T5146] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 106.202969][ T5146] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 106.210951][ T5146] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 106.218951][ T5146] umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./33/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./33/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./33/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./33") = 0 mkdir("./34", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5149 attached [pid 5149] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5149] chdir("./34") = 0 [pid 4995] <... clone resumed>, child_tidptr=0x5555565ea5d0) = 5149 [pid 5149] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5149] setpgid(0, 0) = 0 [pid 5149] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5149] write(3, "1000", 4) = 4 [pid 5149] close(3) = 0 [pid 5149] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5149] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5149] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5149] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5149] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5150], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5150 ./strace-static-x86_64: Process 5150 attached [pid 5149] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5149] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5150] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5150] memfd_create("syzkaller", 0) = 3 [pid 5150] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5150] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5150] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5150] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5150] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5150] close(3) = 0 [pid 5150] mkdir("./file0", 0777) = 0 [ 106.635623][ T5150] loop0: detected capacity change from 0 to 32768 [ 106.656825][ T5150] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 106.666809][ T5150] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 106.676585][ T5150] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 106.685737][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 106.692590][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5150] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5150] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5150] chdir("./file0") = 0 [pid 5150] ioctl(4, LOOP_CLR_FD) = 0 [pid 5150] close(4) = 0 [pid 5150] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5149] <... futex resumed>) = 0 [pid 5149] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5150] <... futex resumed>) = 1 [pid 5149] <... futex resumed>) = 0 [pid 5150] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 106.728991][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 106.738613][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 106.743884][ T5150] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 106.763210][ T5150] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 106.772349][ T5150] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 106.772349][ T5150] inode = 12 2341 [ 106.772349][ T5150] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 106.791325][ T5150] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 106.800499][ T5150] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5150 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 106.811162][ T5150] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 106.819703][ T5150] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5149] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5149] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5149] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5149] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5149] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5152], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5152 [pid 5149] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5149] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5152 attached [pid 5152] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5152] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5152] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5149] <... futex resumed>) = 0 [pid 5149] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5149] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5152] <... futex resumed>) = 1 [pid 5152] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5152] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5149] <... futex resumed>) = 0 [pid 5152] <... futex resumed>) = 1 [ 106.827216][ T5150] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 106.836399][ T5150] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 106.843121][ T5150] gfs2: fsid=syz:syz.0: File system withdrawn [ 106.849325][ T5150] CPU: 0 PID: 5150 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 106.859789][ T5150] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 106.869878][ T5150] Call Trace: [ 106.873168][ T5150] [ 106.876127][ T5150] dump_stack_lvl+0x1e7/0x2d0 [ 106.880865][ T5150] ? nf_tcp_handle_invalid+0x650/0x650 [ 106.886364][ T5150] ? panic+0x770/0x770 [ 106.890451][ T5150] ? kobject_uevent_env+0x54e/0x8e0 [ 106.895678][ T5150] gfs2_withdraw+0xf48/0x1550 [ 106.900424][ T5150] ? gfs2_lm+0x240/0x240 [ 106.904690][ T5150] ? gfs2_dirent_scan+0xb2/0x640 [ 106.909747][ T5150] ? panic+0x770/0x770 [ 106.913838][ T5150] ? gfs2_consist_inode_i+0xf5/0x110 [ 106.919159][ T5150] gfs2_dirent_scan+0x512/0x640 [ 106.924060][ T5150] ? gfs2_permission+0x268/0x3c0 [ 106.929027][ T5150] ? gfs2_dirent_search+0x8c0/0x8c0 [ 106.934246][ T5150] gfs2_dirent_search+0x30e/0x8c0 [ 106.939318][ T5150] ? gfs2_dirent_search+0x8c0/0x8c0 [ 106.944560][ T5150] ? generic_permission+0x1df/0x550 [ 106.949799][ T5150] ? gfs2_dir_search+0x2f0/0x2f0 [ 106.954773][ T5150] ? gfs2_permission+0x34a/0x3c0 [ 106.959740][ T5150] gfs2_dir_search+0xb2/0x2f0 [ 106.964434][ T5150] ? do_filldir_main+0x520/0x520 [ 106.969384][ T5150] ? inode_go_held+0xea/0x200 [ 106.974079][ T5150] ? gfs2_glock_wait+0x21a/0x2b0 [ 106.979051][ T5150] gfs2_lookupi+0x460/0x5d0 [ 106.983581][ T5150] ? gfs2_lookup_simple+0x180/0x180 [ 106.988814][ T5150] ? __gfs2_lookup+0xa4/0x270 [ 106.993503][ T5150] ? d_alloc_parallel+0x1262/0x13a0 [ 106.998717][ T5150] __gfs2_lookup+0xa4/0x270 [ 107.003230][ T5150] ? gfs2_atomic_open+0x230/0x230 [ 107.008272][ T5150] ? __init_waitqueue_head+0xae/0x150 [ 107.013670][ T5150] __lookup_slow+0x282/0x3e0 [ 107.018272][ T5150] ? lookup_one_len+0x2d0/0x2d0 [ 107.023149][ T5150] ? down_read+0x1b5/0x2f0 [ 107.027587][ T5150] lookup_slow+0x53/0x70 [ 107.031839][ T5150] link_path_walk+0x9c8/0xe70 [ 107.036543][ T5150] ? handle_lookup_down+0x130/0x130 [ 107.041765][ T5150] ? lockdep_hardirqs_on+0x98/0x140 [ 107.046975][ T5150] path_lookupat+0xa9/0x450 [ 107.051493][ T5150] do_o_path+0x95/0x230 [ 107.055663][ T5150] ? do_tmpfile+0x330/0x330 [ 107.060178][ T5150] ? __alloc_file+0x15a/0x230 [ 107.064868][ T5150] path_openat+0x29f0/0x3170 [ 107.069476][ T5150] ? __stack_depot_save+0x20/0x650 [ 107.074606][ T5150] ? mark_lock+0x9a/0x340 [ 107.078952][ T5150] ? kmem_cache_alloc+0x11f/0x2e0 [ 107.083999][ T5150] ? mark_lock+0x9a/0x340 [ 107.088357][ T5150] ? __lock_acquire+0x1295/0x2000 [ 107.093396][ T5150] ? do_filp_open+0x490/0x490 [ 107.098100][ T5150] do_filp_open+0x234/0x490 [ 107.102616][ T5150] ? vfs_tmpfile+0x4a0/0x4a0 [ 107.107235][ T5150] ? _raw_spin_unlock+0x28/0x40 [ 107.112092][ T5150] ? alloc_fd+0x59c/0x640 [ 107.116445][ T5150] do_sys_openat2+0x13f/0x500 [ 107.121134][ T5150] ? print_irqtrace_events+0x220/0x220 [ 107.126607][ T5150] ? do_sys_open+0x230/0x230 [ 107.131210][ T5150] ? lockdep_hardirqs_on+0x98/0x140 [ 107.136417][ T5150] ? _raw_spin_unlock_irq+0x2e/0x50 [ 107.141623][ T5150] ? ptrace_notify+0x278/0x380 [ 107.146405][ T5150] __x64_sys_openat+0x247/0x290 [ 107.151272][ T5150] ? __ia32_sys_open+0x270/0x270 [ 107.156228][ T5150] ? syscall_enter_from_user_mode+0x32/0x230 [ 107.162238][ T5150] ? syscall_enter_from_user_mode+0x8c/0x230 [ 107.168247][ T5150] do_syscall_64+0x41/0xc0 [ 107.172685][ T5150] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 107.178590][ T5150] RIP: 0033:0x7f0100724159 [ 107.183016][ T5150] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 107.202728][ T5150] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 107.211172][ T5150] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 107.219154][ T5150] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5152] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5150] <... openat resumed>) = -1 EIO (Input/output error) [pid 5150] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5149] exit_group(0 [pid 5152] <... futex resumed>) = ? [pid 5149] <... exit_group resumed>) = ? [pid 5152] +++ exited with 0 +++ [pid 5150] <... futex resumed>) = ? [pid 5150] +++ exited with 0 +++ [pid 5149] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5149, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./34", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./34", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./34/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./34/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./34/binderfs") = 0 [ 107.227131][ T5150] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 107.235116][ T5150] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 107.243094][ T5150] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 107.251106][ T5150] umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./34/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./34/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./34/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./34") = 0 mkdir("./35", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5153 ./strace-static-x86_64: Process 5153 attached [pid 5153] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5153] chdir("./35") = 0 [pid 5153] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5153] setpgid(0, 0) = 0 [pid 5153] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5153] write(3, "1000", 4) = 4 [pid 5153] close(3) = 0 [pid 5153] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5153] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5153] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5153] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5153] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5154], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5154 [pid 5153] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5153] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5154 attached [pid 5154] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5154] memfd_create("syzkaller", 0) = 3 [pid 5154] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5154] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5154] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5154] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5154] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5154] close(3) = 0 [pid 5154] mkdir("./file0", 0777) = 0 [ 107.672169][ T5154] loop0: detected capacity change from 0 to 32768 [ 107.684344][ T5154] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 107.693392][ T5154] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 107.704522][ T5154] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 107.713521][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 107.720937][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5154] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5154] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5154] chdir("./file0") = 0 [pid 5154] ioctl(4, LOOP_CLR_FD) = 0 [pid 5154] close(4) = 0 [pid 5154] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5153] <... futex resumed>) = 0 [pid 5154] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5153] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5154] <... futex resumed>) = 0 [pid 5153] <... futex resumed>) = 1 [pid 5154] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 107.770092][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 49ms [ 107.779839][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 107.785080][ T5154] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 107.813526][ T5154] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 107.822783][ T5154] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 107.822783][ T5154] inode = 12 2341 [ 107.822783][ T5154] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 107.842138][ T5154] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 107.851590][ T5154] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5154 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5153] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5153] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5153] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5153] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5153] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5156], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5156 [pid 5153] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5153] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5156 attached [pid 5156] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5156] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5156] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5153] <... futex resumed>) = 0 [pid 5153] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5153] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5156] <... futex resumed>) = 1 [pid 5156] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5156] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5153] <... futex resumed>) = 0 [pid 5156] <... futex resumed>) = 1 [ 107.861912][ T5154] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 107.870500][ T5154] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 107.878037][ T5154] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 107.887016][ T5154] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 107.896007][ T5154] gfs2: fsid=syz:syz.0: File system withdrawn [ 107.902674][ T5154] CPU: 1 PID: 5154 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 107.913110][ T5154] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 107.923183][ T5154] Call Trace: [ 107.926480][ T5154] [ 107.929431][ T5154] dump_stack_lvl+0x1e7/0x2d0 [ 107.934158][ T5154] ? nf_tcp_handle_invalid+0x650/0x650 [ 107.939631][ T5154] ? panic+0x770/0x770 [ 107.943706][ T5154] ? kobject_uevent_env+0x54e/0x8e0 [ 107.948949][ T5154] gfs2_withdraw+0xf48/0x1550 [ 107.953679][ T5154] ? gfs2_lm+0x240/0x240 [ 107.957956][ T5154] ? gfs2_dirent_scan+0xb2/0x640 [ 107.962918][ T5154] ? panic+0x770/0x770 [ 107.967008][ T5154] ? gfs2_consist_inode_i+0xf5/0x110 [ 107.972313][ T5154] gfs2_dirent_scan+0x512/0x640 [ 107.977182][ T5154] ? gfs2_permission+0x268/0x3c0 [ 107.982148][ T5154] ? gfs2_dirent_search+0x8c0/0x8c0 [ 107.987365][ T5154] gfs2_dirent_search+0x30e/0x8c0 [ 107.992406][ T5154] ? gfs2_dirent_search+0x8c0/0x8c0 [ 107.997615][ T5154] ? generic_permission+0x1df/0x550 [ 108.002826][ T5154] ? gfs2_dir_search+0x2f0/0x2f0 [ 108.007776][ T5154] ? gfs2_permission+0x34a/0x3c0 [ 108.012735][ T5154] gfs2_dir_search+0xb2/0x2f0 [ 108.017430][ T5154] ? do_filldir_main+0x520/0x520 [ 108.022381][ T5154] ? inode_go_held+0xea/0x200 [ 108.027068][ T5154] ? gfs2_glock_wait+0x21a/0x2b0 [ 108.032026][ T5154] gfs2_lookupi+0x460/0x5d0 [ 108.036552][ T5154] ? gfs2_lookup_simple+0x180/0x180 [ 108.041772][ T5154] ? __gfs2_lookup+0xa4/0x270 [ 108.046458][ T5154] ? d_alloc_parallel+0x1262/0x13a0 [ 108.051673][ T5154] __gfs2_lookup+0xa4/0x270 [ 108.056184][ T5154] ? gfs2_atomic_open+0x230/0x230 [ 108.061225][ T5154] ? __init_waitqueue_head+0xae/0x150 [ 108.066615][ T5154] __lookup_slow+0x282/0x3e0 [ 108.071219][ T5154] ? lookup_one_len+0x2d0/0x2d0 [ 108.076094][ T5154] ? down_read+0x1b5/0x2f0 [ 108.080556][ T5154] lookup_slow+0x53/0x70 [ 108.084812][ T5154] link_path_walk+0x9c8/0xe70 [ 108.089514][ T5154] ? handle_lookup_down+0x130/0x130 [ 108.094736][ T5154] ? lockdep_hardirqs_on+0x98/0x140 [ 108.099951][ T5154] path_lookupat+0xa9/0x450 [ 108.104469][ T5154] do_o_path+0x95/0x230 [ 108.108646][ T5154] ? do_tmpfile+0x330/0x330 [ 108.113161][ T5154] ? __alloc_file+0x15a/0x230 [ 108.117854][ T5154] path_openat+0x29f0/0x3170 [ 108.122461][ T5154] ? __stack_depot_save+0x20/0x650 [ 108.127591][ T5154] ? mark_lock+0x9a/0x340 [ 108.131935][ T5154] ? kmem_cache_alloc+0x11f/0x2e0 [ 108.136966][ T5154] ? mark_lock+0x9a/0x340 [ 108.141316][ T5154] ? __lock_acquire+0x1295/0x2000 [ 108.146442][ T5154] ? do_filp_open+0x490/0x490 [ 108.151154][ T5154] do_filp_open+0x234/0x490 [ 108.155670][ T5154] ? vfs_tmpfile+0x4a0/0x4a0 [ 108.160301][ T5154] ? _raw_spin_unlock+0x28/0x40 [ 108.165163][ T5154] ? alloc_fd+0x59c/0x640 [ 108.169521][ T5154] do_sys_openat2+0x13f/0x500 [ 108.174215][ T5154] ? print_irqtrace_events+0x220/0x220 [ 108.179693][ T5154] ? do_sys_open+0x230/0x230 [ 108.184299][ T5154] ? lockdep_hardirqs_on+0x98/0x140 [ 108.189523][ T5154] ? _raw_spin_unlock_irq+0x2e/0x50 [ 108.194730][ T5154] ? ptrace_notify+0x278/0x380 [ 108.199509][ T5154] __x64_sys_openat+0x247/0x290 [ 108.204377][ T5154] ? __ia32_sys_open+0x270/0x270 [ 108.209334][ T5154] ? syscall_enter_from_user_mode+0x32/0x230 [ 108.215327][ T5154] ? syscall_enter_from_user_mode+0x8c/0x230 [ 108.221323][ T5154] do_syscall_64+0x41/0xc0 [ 108.225756][ T5154] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 108.231660][ T5154] RIP: 0033:0x7f0100724159 [ 108.236087][ T5154] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 108.255706][ T5154] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5156] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5154] <... openat resumed>) = -1 EIO (Input/output error) [pid 5154] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5154] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5153] exit_group(0) = ? [pid 5156] <... futex resumed>) = ? [pid 5154] <... futex resumed>) = ? [pid 5154] +++ exited with 0 +++ [pid 5156] +++ exited with 0 +++ [pid 5153] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5153, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=29 /* 0.29 s */} --- umount2("./35", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./35", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./35/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./35/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./35/binderfs") = 0 [ 108.264134][ T5154] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 108.272118][ T5154] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 108.280118][ T5154] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 108.288115][ T5154] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 108.296096][ T5154] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 108.304106][ T5154] umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./35/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./35/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./35/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./35") = 0 mkdir("./36", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5157 ./strace-static-x86_64: Process 5157 attached [pid 5157] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5157] chdir("./36") = 0 [pid 5157] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5157] setpgid(0, 0) = 0 [pid 5157] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5157] write(3, "1000", 4) = 4 [pid 5157] close(3) = 0 [pid 5157] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5157] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5157] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5157] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5157] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5158 attached , parent_tid=[5158], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5158 [pid 5157] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5158] set_robust_list(0x7f01006c89e0, 24 [pid 5157] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5158] <... set_robust_list resumed>) = 0 [pid 5158] memfd_create("syzkaller", 0) = 3 [pid 5158] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5158] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5158] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5158] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5158] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5158] close(3) = 0 [pid 5158] mkdir("./file0", 0777) = 0 [ 108.696096][ T5158] loop0: detected capacity change from 0 to 32768 [ 108.708258][ T5158] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 108.716475][ T5158] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 108.729008][ T5158] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 108.738142][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 108.744947][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [ 108.784179][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [pid 5158] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5158] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5158] chdir("./file0") = 0 [pid 5158] ioctl(4, LOOP_CLR_FD) = 0 [pid 5158] close(4) = 0 [pid 5158] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5157] <... futex resumed>) = 0 [pid 5158] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5157] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5158] <... futex resumed>) = 0 [pid 5157] <... futex resumed>) = 1 [pid 5157] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 108.793523][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 108.799029][ T5158] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 108.819400][ T5158] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 108.828695][ T5158] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 108.828695][ T5158] inode = 12 2341 [pid 5158] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5157] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5157] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5157] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [ 108.828695][ T5158] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 108.848461][ T5158] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 108.857883][ T5158] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5158 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 108.868489][ T5158] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 108.877001][ T5158] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 108.886088][ T5158] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5157] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5157] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5160], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5160 ./strace-static-x86_64: Process 5160 attached [pid 5160] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5160] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [ 108.895356][ T5158] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 108.904882][ T5158] gfs2: fsid=syz:syz.0: File system withdrawn [ 108.911238][ T5158] CPU: 0 PID: 5158 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 108.921693][ T5158] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 108.931768][ T5158] Call Trace: [ 108.935076][ T5158] [ 108.938110][ T5158] dump_stack_lvl+0x1e7/0x2d0 [ 108.942818][ T5158] ? nf_tcp_handle_invalid+0x650/0x650 [ 108.948311][ T5158] ? panic+0x770/0x770 [ 108.952403][ T5158] ? kobject_uevent_env+0x54e/0x8e0 [ 108.957633][ T5158] gfs2_withdraw+0xf48/0x1550 [ 108.962333][ T5158] ? gfs2_lm+0x240/0x240 [ 108.966592][ T5158] ? gfs2_dirent_scan+0xb2/0x640 [ 108.971558][ T5158] ? panic+0x770/0x770 [ 108.975655][ T5158] ? gfs2_consist_inode_i+0xf5/0x110 [ 108.980964][ T5158] gfs2_dirent_scan+0x512/0x640 [ 108.985837][ T5158] ? gfs2_permission+0x268/0x3c0 [ 108.990802][ T5158] ? gfs2_dirent_search+0x8c0/0x8c0 [ 108.996027][ T5158] gfs2_dirent_search+0x30e/0x8c0 [ 109.001080][ T5158] ? gfs2_dirent_search+0x8c0/0x8c0 [ 109.006286][ T5158] ? generic_permission+0x1df/0x550 [ 109.011528][ T5158] ? gfs2_dir_search+0x2f0/0x2f0 [ 109.016590][ T5158] ? gfs2_permission+0x34a/0x3c0 [ 109.021550][ T5158] gfs2_dir_search+0xb2/0x2f0 [ 109.026255][ T5158] ? do_filldir_main+0x520/0x520 [ 109.031235][ T5158] ? inode_go_held+0xea/0x200 [ 109.035921][ T5158] ? gfs2_glock_wait+0x21a/0x2b0 [ 109.040917][ T5158] gfs2_lookupi+0x460/0x5d0 [ 109.045437][ T5158] ? gfs2_lookup_simple+0x180/0x180 [ 109.050654][ T5158] ? __gfs2_lookup+0xa4/0x270 [ 109.055337][ T5158] ? d_alloc_parallel+0x1262/0x13a0 [ 109.060559][ T5158] __gfs2_lookup+0xa4/0x270 [ 109.065070][ T5158] ? gfs2_atomic_open+0x230/0x230 [ 109.070133][ T5158] ? __init_waitqueue_head+0xae/0x150 [ 109.075544][ T5158] __lookup_slow+0x282/0x3e0 [ 109.080157][ T5158] ? lookup_one_len+0x2d0/0x2d0 [ 109.085043][ T5158] ? down_read+0x1b5/0x2f0 [ 109.089480][ T5158] lookup_slow+0x53/0x70 [ 109.093728][ T5158] link_path_walk+0x9c8/0xe70 [ 109.098463][ T5158] ? handle_lookup_down+0x130/0x130 [ 109.103699][ T5158] ? lockdep_hardirqs_on+0x98/0x140 [ 109.108911][ T5158] path_lookupat+0xa9/0x450 [ 109.113426][ T5158] do_o_path+0x95/0x230 [ 109.117598][ T5158] ? do_tmpfile+0x330/0x330 [ 109.122136][ T5158] ? __alloc_file+0x15a/0x230 [ 109.126824][ T5158] path_openat+0x29f0/0x3170 [ 109.131436][ T5158] ? __stack_depot_save+0x20/0x650 [ 109.136579][ T5158] ? mark_lock+0x9a/0x340 [ 109.140917][ T5158] ? kmem_cache_alloc+0x11f/0x2e0 [ 109.145951][ T5158] ? mark_lock+0x9a/0x340 [ 109.150293][ T5158] ? __lock_acquire+0x1295/0x2000 [ 109.155337][ T5158] ? do_filp_open+0x490/0x490 [ 109.160058][ T5158] do_filp_open+0x234/0x490 [ 109.164579][ T5158] ? vfs_tmpfile+0x4a0/0x4a0 [ 109.169197][ T5158] ? _raw_spin_unlock+0x28/0x40 [ 109.174074][ T5158] ? alloc_fd+0x59c/0x640 [ 109.178439][ T5158] do_sys_openat2+0x13f/0x500 [ 109.183216][ T5158] ? print_irqtrace_events+0x220/0x220 [ 109.188710][ T5158] ? do_sys_open+0x230/0x230 [ 109.193333][ T5158] ? lockdep_hardirqs_on+0x98/0x140 [ 109.198545][ T5158] ? _raw_spin_unlock_irq+0x2e/0x50 [ 109.203761][ T5158] ? ptrace_notify+0x278/0x380 [ 109.208581][ T5158] __x64_sys_openat+0x247/0x290 [ 109.213483][ T5158] ? __ia32_sys_open+0x270/0x270 [ 109.218478][ T5158] ? syscall_enter_from_user_mode+0x32/0x230 [ 109.224468][ T5158] ? syscall_enter_from_user_mode+0x8c/0x230 [ 109.230472][ T5158] do_syscall_64+0x41/0xc0 [ 109.234936][ T5158] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 109.240935][ T5158] RIP: 0033:0x7f0100724159 [ 109.245358][ T5158] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 109.264972][ T5158] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 109.273403][ T5158] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 109.281395][ T5158] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 109.289481][ T5158] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [pid 5157] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5160] <... futex resumed>) = 0 [pid 5158] <... openat resumed>) = -1 EIO (Input/output error) [pid 5157] <... futex resumed>) = 1 [pid 5160] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5158] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5157] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5160] <... openat resumed>) = -1 EIO (Input/output error) [pid 5158] <... futex resumed>) = 0 [pid 5160] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5158] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5157] <... futex resumed>) = 0 [pid 5160] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5158] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5157] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5158] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 5157] <... futex resumed>) = 0 [pid 5158] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5157] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5158] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5157] <... futex resumed>) = 0 [pid 5158] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5157] exit_group(0 [pid 5160] <... futex resumed>) = ? [pid 5158] <... futex resumed>) = ? [pid 5157] <... exit_group resumed>) = ? [pid 5160] +++ exited with 0 +++ [pid 5158] +++ exited with 0 +++ [pid 5157] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5157, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=33 /* 0.33 s */} --- umount2("./36", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./36", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./36/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./36/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./36/binderfs") = 0 [ 109.297475][ T5158] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 109.305462][ T5158] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 109.313456][ T5158] umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./36/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./36/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./36/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./36") = 0 mkdir("./37", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5161 ./strace-static-x86_64: Process 5161 attached [pid 5161] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5161] chdir("./37") = 0 [pid 5161] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5161] setpgid(0, 0) = 0 [pid 5161] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5161] write(3, "1000", 4) = 4 [pid 5161] close(3) = 0 [pid 5161] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5161] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5161] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5161] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5161] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5162], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5162 [pid 5161] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5161] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5162 attached [pid 5162] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5162] memfd_create("syzkaller", 0) = 3 [pid 5162] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5162] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5162] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5162] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5162] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5162] close(3) = 0 [pid 5162] mkdir("./file0", 0777) = 0 [ 109.710327][ T5162] loop0: detected capacity change from 0 to 32768 [ 109.721314][ T5162] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 109.729554][ T5162] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 109.739781][ T5162] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 109.748678][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 109.755535][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5162] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5162] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5162] chdir("./file0") = 0 [pid 5162] ioctl(4, LOOP_CLR_FD) = 0 [pid 5162] close(4) = 0 [pid 5162] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5161] <... futex resumed>) = 0 [pid 5161] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5161] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 109.798414][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 109.807844][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 109.813135][ T5162] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 109.848078][ T5162] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 109.856488][ T5162] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 109.856488][ T5162] inode = 12 2341 [ 109.856488][ T5162] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 109.875267][ T5162] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 109.885305][ T5162] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5162 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5162] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5161] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5161] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5161] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5161] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5161] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5164], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5164 [pid 5161] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5161] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5164 attached [pid 5164] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 109.895747][ T5162] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 109.900127][ T5164] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 109.905272][ T5162] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 109.912649][ T5164] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 109.920518][ T5162] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 109.929159][ T5164] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5162 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5164] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5161] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5161] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5161] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5161] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5161] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5165], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5165 [pid 5161] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5161] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5165 attached [pid 5165] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5165] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5165] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5161] <... futex resumed>) = 0 [ 109.938279][ T5162] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 109.948074][ T5164] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5164 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 109.954847][ T5162] gfs2: fsid=syz:syz.0: File system withdrawn [ 109.969553][ T5164] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 109.971645][ T5162] CPU: 1 PID: 5162 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 109.989354][ T5162] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 109.999426][ T5162] Call Trace: [ 110.002714][ T5162] [ 110.005660][ T5162] dump_stack_lvl+0x1e7/0x2d0 [ 110.010546][ T5162] ? nf_tcp_handle_invalid+0x650/0x650 [ 110.016042][ T5162] ? panic+0x770/0x770 [ 110.020124][ T5162] ? kobject_uevent_env+0x54e/0x8e0 [ 110.025367][ T5162] gfs2_withdraw+0xf48/0x1550 [ 110.030077][ T5162] ? gfs2_lm+0x240/0x240 [ 110.034332][ T5162] ? gfs2_dirent_scan+0xb2/0x640 [ 110.039281][ T5162] ? panic+0x770/0x770 [ 110.043365][ T5162] ? gfs2_consist_inode_i+0xf5/0x110 [ 110.048672][ T5162] gfs2_dirent_scan+0x512/0x640 [ 110.053543][ T5162] ? gfs2_permission+0x268/0x3c0 [ 110.058503][ T5162] ? gfs2_dirent_search+0x8c0/0x8c0 [ 110.063720][ T5162] gfs2_dirent_search+0x30e/0x8c0 [ 110.068763][ T5162] ? gfs2_dirent_search+0x8c0/0x8c0 [ 110.073977][ T5162] ? generic_permission+0x1df/0x550 [ 110.079190][ T5162] ? gfs2_dir_search+0x2f0/0x2f0 [ 110.084151][ T5162] ? gfs2_permission+0x34a/0x3c0 [ 110.089111][ T5162] gfs2_dir_search+0xb2/0x2f0 [ 110.093806][ T5162] ? do_filldir_main+0x520/0x520 [ 110.098754][ T5162] ? inode_go_held+0xea/0x200 [ 110.103447][ T5162] ? gfs2_glock_wait+0x21a/0x2b0 [ 110.108405][ T5162] gfs2_lookupi+0x460/0x5d0 [ 110.112929][ T5162] ? gfs2_lookup_simple+0x180/0x180 [ 110.118152][ T5162] ? __gfs2_lookup+0xa4/0x270 [ 110.122842][ T5162] ? d_alloc_parallel+0x1262/0x13a0 [ 110.128059][ T5162] __gfs2_lookup+0xa4/0x270 [ 110.132574][ T5162] ? gfs2_atomic_open+0x230/0x230 [ 110.137615][ T5162] ? __init_waitqueue_head+0xae/0x150 [ 110.143005][ T5162] __lookup_slow+0x282/0x3e0 [ 110.147700][ T5162] ? lookup_one_len+0x2d0/0x2d0 [ 110.152572][ T5162] ? down_read+0x1b5/0x2f0 [ 110.157007][ T5162] lookup_slow+0x53/0x70 [ 110.161261][ T5162] link_path_walk+0x9c8/0xe70 [ 110.165965][ T5162] ? handle_lookup_down+0x130/0x130 [ 110.171187][ T5162] ? lockdep_hardirqs_on+0x98/0x140 [ 110.176399][ T5162] path_lookupat+0xa9/0x450 [ 110.180921][ T5162] do_o_path+0x95/0x230 [ 110.185185][ T5162] ? do_tmpfile+0x330/0x330 [ 110.189706][ T5162] ? __alloc_file+0x15a/0x230 [ 110.194398][ T5162] path_openat+0x29f0/0x3170 [ 110.199017][ T5162] ? __stack_depot_save+0x20/0x650 [ 110.204168][ T5162] ? mark_lock+0x9a/0x340 [ 110.208518][ T5162] ? kmem_cache_alloc+0x11f/0x2e0 [ 110.213590][ T5162] ? mark_lock+0x9a/0x340 [ 110.217938][ T5162] ? __lock_acquire+0x1295/0x2000 [ 110.222981][ T5162] ? do_filp_open+0x490/0x490 [ 110.227681][ T5162] ? mark_lock+0x9a/0x340 [ 110.232051][ T5162] do_filp_open+0x234/0x490 [ 110.236589][ T5162] ? vfs_tmpfile+0x4a0/0x4a0 [ 110.241217][ T5162] ? _raw_spin_unlock+0x28/0x40 [ 110.246091][ T5162] ? alloc_fd+0x59c/0x640 [ 110.250463][ T5162] do_sys_openat2+0x13f/0x500 [ 110.255168][ T5162] ? print_irqtrace_events+0x220/0x220 [ 110.260648][ T5162] ? do_sys_open+0x230/0x230 [ 110.265263][ T5162] ? lockdep_hardirqs_on+0x98/0x140 [ 110.270479][ T5162] ? _raw_spin_unlock_irq+0x2e/0x50 [ 110.275817][ T5162] ? ptrace_notify+0x278/0x380 [ 110.280723][ T5162] __x64_sys_openat+0x247/0x290 [ 110.285712][ T5162] ? __ia32_sys_open+0x270/0x270 [ 110.290719][ T5162] ? syscall_enter_from_user_mode+0x32/0x230 [ 110.296739][ T5162] ? syscall_enter_from_user_mode+0x8c/0x230 [ 110.302742][ T5162] do_syscall_64+0x41/0xc0 [ 110.307271][ T5162] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 110.313268][ T5162] RIP: 0033:0x7f0100724159 [ 110.317700][ T5162] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 110.337795][ T5162] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5165] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5162] <... openat resumed>) = -1 EIO (Input/output error) [pid 5162] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5162] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5164] <... openat resumed>) = -1 EIO (Input/output error) [pid 5164] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5164] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5161] exit_group(0 [pid 5165] <... futex resumed>) = ? [pid 5161] <... exit_group resumed>) = ? [pid 5165] +++ exited with 0 +++ [pid 5164] <... futex resumed>) = ? [pid 5164] +++ exited with 0 +++ [pid 5162] <... futex resumed>) = ? [pid 5162] +++ exited with 0 +++ [pid 5161] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5161, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=42 /* 0.42 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./37", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./37", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./37/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./37/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./37/binderfs") = 0 [ 110.346440][ T5162] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 110.354518][ T5162] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 110.362583][ T5162] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 110.370579][ T5162] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 110.379086][ T5162] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 110.387098][ T5162] umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./37/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./37/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./37/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./37") = 0 mkdir("./38", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5166 ./strace-static-x86_64: Process 5166 attached [pid 5166] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5166] chdir("./38") = 0 [pid 5166] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5166] setpgid(0, 0) = 0 [pid 5166] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5166] write(3, "1000", 4) = 4 [pid 5166] close(3) = 0 [pid 5166] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5166] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5166] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5166] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5166] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5167], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5167 [pid 5166] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5166] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5167 attached [pid 5167] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5167] memfd_create("syzkaller", 0) = 3 [pid 5167] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5167] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5167] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5167] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5167] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5167] close(3) = 0 [pid 5167] mkdir("./file0", 0777) = 0 [ 110.797082][ T5167] loop0: detected capacity change from 0 to 32768 [ 110.809305][ T5167] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 110.817640][ T5167] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 110.826952][ T5167] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 110.835991][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 110.842932][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5167] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5167] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5167] chdir("./file0") = 0 [pid 5167] ioctl(4, LOOP_CLR_FD) = 0 [pid 5167] close(4) = 0 [pid 5167] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5166] <... futex resumed>) = 0 [pid 5166] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5166] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 110.883782][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 110.893210][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 110.898649][ T5167] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 110.920833][ T5167] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5167] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5166] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5166] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5166] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5166] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5166] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5169], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5169 [pid 5166] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 110.932425][ T5167] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 110.932425][ T5167] inode = 12 2341 [ 110.932425][ T5167] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 110.951944][ T5167] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 110.961171][ T5167] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5167 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 110.971304][ T5167] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5166] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5169 attached [pid 5169] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5169] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5169] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5166] <... futex resumed>) = 0 [pid 5166] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5166] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5169] <... futex resumed>) = 1 [pid 5169] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5169] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5166] <... futex resumed>) = 0 [pid 5169] <... futex resumed>) = 1 [ 110.980458][ T5167] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 110.988163][ T5167] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 110.997216][ T5167] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 111.003864][ T5167] gfs2: fsid=syz:syz.0: File system withdrawn [ 111.010463][ T5167] CPU: 0 PID: 5167 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 111.020932][ T5167] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 111.031041][ T5167] Call Trace: [ 111.034400][ T5167] [ 111.037353][ T5167] dump_stack_lvl+0x1e7/0x2d0 [ 111.042091][ T5167] ? nf_tcp_handle_invalid+0x650/0x650 [ 111.047602][ T5167] ? panic+0x770/0x770 [ 111.051688][ T5167] ? kobject_uevent_env+0x54e/0x8e0 [ 111.056917][ T5167] gfs2_withdraw+0xf48/0x1550 [ 111.061641][ T5167] ? gfs2_lm+0x240/0x240 [ 111.065933][ T5167] ? gfs2_dirent_scan+0xb2/0x640 [ 111.070923][ T5167] ? panic+0x770/0x770 [ 111.075035][ T5167] ? gfs2_consist_inode_i+0xf5/0x110 [ 111.080379][ T5167] gfs2_dirent_scan+0x512/0x640 [ 111.085280][ T5167] ? gfs2_permission+0x268/0x3c0 [ 111.090274][ T5167] ? gfs2_dirent_search+0x8c0/0x8c0 [ 111.095509][ T5167] gfs2_dirent_search+0x30e/0x8c0 [ 111.100588][ T5167] ? gfs2_dirent_search+0x8c0/0x8c0 [ 111.105815][ T5167] ? generic_permission+0x1df/0x550 [ 111.111043][ T5167] ? gfs2_dir_search+0x2f0/0x2f0 [ 111.116005][ T5167] ? gfs2_permission+0x34a/0x3c0 [ 111.120989][ T5167] gfs2_dir_search+0xb2/0x2f0 [ 111.125682][ T5167] ? do_filldir_main+0x520/0x520 [ 111.130632][ T5167] ? inode_go_held+0xea/0x200 [ 111.135329][ T5167] ? gfs2_glock_wait+0x21a/0x2b0 [ 111.140287][ T5167] gfs2_lookupi+0x460/0x5d0 [ 111.144818][ T5167] ? gfs2_lookup_simple+0x180/0x180 [ 111.150038][ T5167] ? __gfs2_lookup+0xa4/0x270 [ 111.154812][ T5167] ? d_alloc_parallel+0x1262/0x13a0 [ 111.160030][ T5167] __gfs2_lookup+0xa4/0x270 [ 111.164545][ T5167] ? gfs2_atomic_open+0x230/0x230 [ 111.169594][ T5167] ? __init_waitqueue_head+0xae/0x150 [ 111.174985][ T5167] __lookup_slow+0x282/0x3e0 [ 111.179590][ T5167] ? lookup_one_len+0x2d0/0x2d0 [ 111.184459][ T5167] ? down_read+0x1b5/0x2f0 [ 111.188894][ T5167] lookup_slow+0x53/0x70 [ 111.193236][ T5167] link_path_walk+0x9c8/0xe70 [ 111.197950][ T5167] ? handle_lookup_down+0x130/0x130 [ 111.203171][ T5167] ? lockdep_hardirqs_on+0x98/0x140 [ 111.208383][ T5167] path_lookupat+0xa9/0x450 [ 111.212901][ T5167] do_o_path+0x95/0x230 [ 111.217078][ T5167] ? do_tmpfile+0x330/0x330 [ 111.221684][ T5167] ? __alloc_file+0x15a/0x230 [ 111.226372][ T5167] path_openat+0x29f0/0x3170 [ 111.230978][ T5167] ? __stack_depot_save+0x20/0x650 [ 111.236105][ T5167] ? mark_lock+0x9a/0x340 [ 111.240451][ T5167] ? kmem_cache_alloc+0x11f/0x2e0 [ 111.245485][ T5167] ? mark_lock+0x9a/0x340 [ 111.249831][ T5167] ? __lock_acquire+0x1295/0x2000 [ 111.254867][ T5167] ? do_filp_open+0x490/0x490 [ 111.259581][ T5167] do_filp_open+0x234/0x490 [ 111.264099][ T5167] ? vfs_tmpfile+0x4a0/0x4a0 [ 111.268720][ T5167] ? _raw_spin_unlock+0x28/0x40 [ 111.273581][ T5167] ? alloc_fd+0x59c/0x640 [ 111.277941][ T5167] do_sys_openat2+0x13f/0x500 [ 111.282648][ T5167] ? print_irqtrace_events+0x220/0x220 [ 111.288124][ T5167] ? do_sys_open+0x230/0x230 [ 111.292732][ T5167] ? lockdep_hardirqs_on+0x98/0x140 [ 111.297946][ T5167] ? _raw_spin_unlock_irq+0x2e/0x50 [ 111.303152][ T5167] ? ptrace_notify+0x278/0x380 [ 111.307933][ T5167] __x64_sys_openat+0x247/0x290 [ 111.312800][ T5167] ? __ia32_sys_open+0x270/0x270 [ 111.317758][ T5167] ? syscall_enter_from_user_mode+0x32/0x230 [ 111.323753][ T5167] ? syscall_enter_from_user_mode+0x8c/0x230 [ 111.329757][ T5167] do_syscall_64+0x41/0xc0 [ 111.334192][ T5167] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 111.340099][ T5167] RIP: 0033:0x7f0100724159 [ 111.344525][ T5167] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 111.364324][ T5167] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 111.372750][ T5167] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5169] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5167] <... openat resumed>) = -1 EIO (Input/output error) [pid 5167] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5167] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5166] exit_group(0 [pid 5169] <... futex resumed>) = ? [pid 5167] <... futex resumed>) = ? [pid 5166] <... exit_group resumed>) = ? [pid 5169] +++ exited with 0 +++ [pid 5167] +++ exited with 0 +++ [pid 5166] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5166, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- umount2("./38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./38/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./38/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./38/binderfs") = 0 [ 111.380729][ T5167] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 111.388709][ T5167] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 111.396708][ T5167] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 111.404685][ T5167] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 111.412692][ T5167] umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./38/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./38/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./38/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./38") = 0 mkdir("./39", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5170 ./strace-static-x86_64: Process 5170 attached [pid 5170] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5170] chdir("./39") = 0 [pid 5170] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5170] setpgid(0, 0) = 0 [pid 5170] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5170] write(3, "1000", 4) = 4 [pid 5170] close(3) = 0 [pid 5170] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5170] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5170] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5170] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5170] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5171 attached , parent_tid=[5171], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5171 [pid 5171] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5171] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5170] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5171] <... futex resumed>) = 0 [pid 5170] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5171] memfd_create("syzkaller", 0) = 3 [pid 5171] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5171] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5171] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5171] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5171] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5171] close(3) = 0 [pid 5171] mkdir("./file0", 0777) = 0 [ 111.813445][ T5171] loop0: detected capacity change from 0 to 32768 [ 111.823896][ T5171] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 111.832268][ T5171] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 111.842641][ T5171] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 111.851913][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 111.858809][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5171] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5171] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5171] chdir("./file0") = 0 [pid 5171] ioctl(4, LOOP_CLR_FD) = 0 [pid 5171] close(4) = 0 [pid 5171] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5170] <... futex resumed>) = 0 [pid 5171] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5170] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5171] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5170] <... futex resumed>) = 0 [pid 5171] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 111.903003][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 111.910579][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 111.915949][ T5171] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 111.944462][ T5171] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 111.953157][ T5171] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 111.953157][ T5171] inode = 12 2341 [ 111.953157][ T5171] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 111.972595][ T5171] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 111.981978][ T5171] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5171 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5170] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5170] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5170] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5170] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5170] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5173], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5173 [pid 5170] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5170] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5173 attached [pid 5173] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5173] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5173] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5170] <... futex resumed>) = 0 [pid 5173] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5170] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5173] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5170] <... futex resumed>) = 0 [ 111.992118][ T5171] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 112.000613][ T5171] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 112.007978][ T5171] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 112.016809][ T5171] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 112.023580][ T5171] gfs2: fsid=syz:syz.0: File system withdrawn [ 112.029791][ T5171] CPU: 0 PID: 5171 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [pid 5173] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 5170] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5173] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5173] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5170] <... futex resumed>) = 0 [ 112.040255][ T5171] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 112.050371][ T5171] Call Trace: [ 112.053658][ T5171] [ 112.056605][ T5171] dump_stack_lvl+0x1e7/0x2d0 [ 112.061301][ T5171] ? nf_tcp_handle_invalid+0x650/0x650 [ 112.066803][ T5171] ? panic+0x770/0x770 [ 112.070909][ T5171] ? kobject_uevent_env+0x54e/0x8e0 [ 112.076161][ T5171] gfs2_withdraw+0xf48/0x1550 [ 112.080888][ T5171] ? gfs2_lm+0x240/0x240 [ 112.085143][ T5171] ? gfs2_dirent_scan+0xb2/0x640 [ 112.090092][ T5171] ? panic+0x770/0x770 [ 112.094194][ T5171] ? gfs2_consist_inode_i+0xf5/0x110 [ 112.099518][ T5171] gfs2_dirent_scan+0x512/0x640 [ 112.104391][ T5171] ? gfs2_permission+0x268/0x3c0 [ 112.109375][ T5171] ? gfs2_dirent_search+0x8c0/0x8c0 [ 112.114645][ T5171] gfs2_dirent_search+0x30e/0x8c0 [ 112.119704][ T5171] ? gfs2_dirent_search+0x8c0/0x8c0 [ 112.124954][ T5171] ? generic_permission+0x1df/0x550 [ 112.130197][ T5171] ? gfs2_dir_search+0x2f0/0x2f0 [ 112.135170][ T5171] ? gfs2_permission+0x34a/0x3c0 [ 112.140162][ T5171] gfs2_dir_search+0xb2/0x2f0 [pid 5173] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5170] exit_group(0 [pid 5173] <... futex resumed>) = ? [pid 5170] <... exit_group resumed>) = ? [pid 5173] +++ exited with 0 +++ [ 112.144883][ T5171] ? do_filldir_main+0x520/0x520 [ 112.149894][ T5171] ? inode_go_held+0xea/0x200 [ 112.154615][ T5171] ? gfs2_glock_wait+0x21a/0x2b0 [ 112.159584][ T5171] gfs2_lookupi+0x460/0x5d0 [ 112.164128][ T5171] ? gfs2_lookup_simple+0x180/0x180 [ 112.169366][ T5171] ? __gfs2_lookup+0xa4/0x270 [ 112.174068][ T5171] ? d_alloc_parallel+0x1262/0x13a0 [ 112.179286][ T5171] __gfs2_lookup+0xa4/0x270 [ 112.183828][ T5171] ? gfs2_atomic_open+0x230/0x230 [ 112.188892][ T5171] ? __init_waitqueue_head+0xae/0x150 [ 112.194332][ T5171] __lookup_slow+0x282/0x3e0 [ 112.198938][ T5171] ? lookup_one_len+0x2d0/0x2d0 [ 112.203821][ T5171] ? down_read+0x1b5/0x2f0 [ 112.208285][ T5171] lookup_slow+0x53/0x70 [ 112.212569][ T5171] link_path_walk+0x9c8/0xe70 [ 112.217270][ T5171] ? handle_lookup_down+0x130/0x130 [ 112.222486][ T5171] ? lockdep_hardirqs_on+0x98/0x140 [ 112.227705][ T5171] path_lookupat+0xa9/0x450 [ 112.232239][ T5171] do_o_path+0x95/0x230 [ 112.236407][ T5171] ? do_tmpfile+0x330/0x330 [ 112.240922][ T5171] ? __alloc_file+0x15a/0x230 [ 112.245611][ T5171] path_openat+0x29f0/0x3170 [ 112.250253][ T5171] ? __stack_depot_save+0x20/0x650 [ 112.255422][ T5171] ? mark_lock+0x9a/0x340 [ 112.259780][ T5171] ? kmem_cache_alloc+0x11f/0x2e0 [ 112.264826][ T5171] ? mark_lock+0x9a/0x340 [ 112.269186][ T5171] ? __lock_acquire+0x1295/0x2000 [ 112.274224][ T5171] ? do_filp_open+0x490/0x490 [ 112.278969][ T5171] do_filp_open+0x234/0x490 [ 112.283497][ T5171] ? vfs_tmpfile+0x4a0/0x4a0 [ 112.288144][ T5171] ? _raw_spin_unlock+0x28/0x40 [ 112.293020][ T5171] ? alloc_fd+0x59c/0x640 [ 112.297445][ T5171] do_sys_openat2+0x13f/0x500 [ 112.302429][ T5171] ? print_irqtrace_events+0x220/0x220 [ 112.307909][ T5171] ? do_sys_open+0x230/0x230 [ 112.312517][ T5171] ? lockdep_hardirqs_on+0x98/0x140 [ 112.317779][ T5171] ? _raw_spin_unlock_irq+0x2e/0x50 [ 112.323026][ T5171] ? ptrace_notify+0x278/0x380 [ 112.327821][ T5171] __x64_sys_openat+0x247/0x290 [ 112.332718][ T5171] ? __ia32_sys_open+0x270/0x270 [ 112.337690][ T5171] ? syscall_enter_from_user_mode+0x32/0x230 [ 112.343737][ T5171] ? syscall_enter_from_user_mode+0x8c/0x230 [ 112.349734][ T5171] do_syscall_64+0x41/0xc0 [ 112.354184][ T5171] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 112.360095][ T5171] RIP: 0033:0x7f0100724159 [ 112.364519][ T5171] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 112.384166][ T5171] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5171] <... openat resumed>) = ? [pid 5171] +++ exited with 0 +++ [pid 5170] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5170, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- umount2("./39", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./39", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./39/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./39/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 [ 112.392602][ T5171] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 112.400602][ T5171] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 112.408617][ T5171] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 112.416642][ T5171] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 112.424647][ T5171] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 112.432671][ T5171] unlink("./39/binderfs") = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./39/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./39/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./39/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./39") = 0 mkdir("./40", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5174 ./strace-static-x86_64: Process 5174 attached [pid 5174] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5174] chdir("./40") = 0 [pid 5174] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5174] setpgid(0, 0) = 0 [pid 5174] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5174] write(3, "1000", 4) = 4 [pid 5174] close(3) = 0 [pid 5174] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5174] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5174] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5174] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5174] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5175], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5175 [pid 5174] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5174] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5175 attached [pid 5175] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5175] memfd_create("syzkaller", 0) = 3 [pid 5175] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5175] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5175] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5175] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5175] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5175] close(3) = 0 [pid 5175] mkdir("./file0", 0777) = 0 [ 112.877353][ T5175] loop0: detected capacity change from 0 to 32768 [ 112.889069][ T5175] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 112.897499][ T5175] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 112.907596][ T5175] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 112.916319][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 112.923215][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5175] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5175] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5175] chdir("./file0") = 0 [pid 5175] ioctl(4, LOOP_CLR_FD) = 0 [pid 5175] close(4) = 0 [pid 5175] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5174] <... futex resumed>) = 0 [pid 5175] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5174] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5175] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5174] <... futex resumed>) = 0 [pid 5175] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 112.966294][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 112.974007][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 112.979679][ T5175] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 112.998795][ T5175] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 113.008026][ T5175] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5174] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5174] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5174] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5174] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5174] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5177], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5177 [pid 5174] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5177 attached [pid 5177] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5177] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5174] <... futex resumed>) = 0 [pid 5174] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5177] <... openat resumed>) = -1 EIO (Input/output error) [pid 5177] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5174] <... futex resumed>) = 0 [pid 5177] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 5174] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5174] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5177] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5177] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5174] <... futex resumed>) = 0 [ 113.008026][ T5175] inode = 12 2341 [ 113.008026][ T5175] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 113.027945][ T5175] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 113.037499][ T5175] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5175 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 113.048052][ T5175] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 113.056642][ T5175] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 113.077645][ T5175] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 113.086525][ T5175] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 113.093246][ T5175] gfs2: fsid=syz:syz.0: File system withdrawn [ 113.099401][ T5175] CPU: 1 PID: 5175 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 113.110007][ T5175] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 113.120075][ T5175] Call Trace: [ 113.123366][ T5175] [ 113.126317][ T5175] dump_stack_lvl+0x1e7/0x2d0 [ 113.131041][ T5175] ? nf_tcp_handle_invalid+0x650/0x650 [ 113.136546][ T5175] ? panic+0x770/0x770 [ 113.140636][ T5175] ? kobject_uevent_env+0x54e/0x8e0 [ 113.145878][ T5175] gfs2_withdraw+0xf48/0x1550 [ 113.150605][ T5175] ? gfs2_lm+0x240/0x240 [ 113.154881][ T5175] ? gfs2_dirent_scan+0xb2/0x640 [ 113.159844][ T5175] ? panic+0x770/0x770 [ 113.163932][ T5175] ? gfs2_consist_inode_i+0xf5/0x110 [ 113.169329][ T5175] gfs2_dirent_scan+0x512/0x640 [ 113.174213][ T5175] ? gfs2_permission+0x268/0x3c0 [ 113.179171][ T5175] ? gfs2_dirent_search+0x8c0/0x8c0 [ 113.184384][ T5175] gfs2_dirent_search+0x30e/0x8c0 [ 113.189426][ T5175] ? gfs2_dirent_search+0x8c0/0x8c0 [ 113.194636][ T5175] ? generic_permission+0x1df/0x550 [ 113.199846][ T5175] ? gfs2_dir_search+0x2f0/0x2f0 [ 113.204797][ T5175] ? gfs2_permission+0x34a/0x3c0 [ 113.209758][ T5175] gfs2_dir_search+0xb2/0x2f0 [ 113.214450][ T5175] ? do_filldir_main+0x520/0x520 [ 113.219413][ T5175] ? inode_go_held+0xea/0x200 [ 113.224103][ T5175] ? gfs2_glock_wait+0x21a/0x2b0 [ 113.229061][ T5175] gfs2_lookupi+0x460/0x5d0 [ 113.233585][ T5175] ? gfs2_lookup_simple+0x180/0x180 [ 113.238821][ T5175] ? __gfs2_lookup+0xa4/0x270 [ 113.243507][ T5175] ? d_alloc_parallel+0x1262/0x13a0 [ 113.248722][ T5175] __gfs2_lookup+0xa4/0x270 [ 113.253240][ T5175] ? gfs2_atomic_open+0x230/0x230 [ 113.258282][ T5175] ? __init_waitqueue_head+0xae/0x150 [ 113.263684][ T5175] __lookup_slow+0x282/0x3e0 [ 113.268291][ T5175] ? lookup_one_len+0x2d0/0x2d0 [ 113.273160][ T5175] ? down_read+0x1b5/0x2f0 [ 113.277610][ T5175] lookup_slow+0x53/0x70 [ 113.281872][ T5175] link_path_walk+0x9c8/0xe70 [ 113.286573][ T5175] ? handle_lookup_down+0x130/0x130 [ 113.291789][ T5175] ? lockdep_hardirqs_on+0x98/0x140 [ 113.297006][ T5175] path_lookupat+0xa9/0x450 [ 113.301529][ T5175] do_o_path+0x95/0x230 [ 113.305703][ T5175] ? do_tmpfile+0x330/0x330 [ 113.310222][ T5175] ? __alloc_file+0x15a/0x230 [ 113.314913][ T5175] path_openat+0x29f0/0x3170 [ 113.319517][ T5175] ? __stack_depot_save+0x20/0x650 [ 113.324644][ T5175] ? mark_lock+0x9a/0x340 [ 113.328985][ T5175] ? kmem_cache_alloc+0x11f/0x2e0 [ 113.334030][ T5175] ? mark_lock+0x9a/0x340 [ 113.338381][ T5175] ? __lock_acquire+0x1295/0x2000 [ 113.343422][ T5175] ? do_filp_open+0x490/0x490 [ 113.348136][ T5175] do_filp_open+0x234/0x490 [ 113.352656][ T5175] ? vfs_tmpfile+0x4a0/0x4a0 [ 113.357274][ T5175] ? _raw_spin_unlock+0x28/0x40 [ 113.362144][ T5175] ? alloc_fd+0x59c/0x640 [ 113.366495][ T5175] do_sys_openat2+0x13f/0x500 [ 113.371187][ T5175] ? print_irqtrace_events+0x220/0x220 [ 113.376662][ T5175] ? do_sys_open+0x230/0x230 [ 113.381268][ T5175] ? lockdep_hardirqs_on+0x98/0x140 [ 113.386478][ T5175] ? _raw_spin_unlock_irq+0x2e/0x50 [ 113.391687][ T5175] ? ptrace_notify+0x278/0x380 [ 113.396464][ T5175] __x64_sys_openat+0x247/0x290 [ 113.401347][ T5175] ? __ia32_sys_open+0x270/0x270 [ 113.406303][ T5175] ? syscall_enter_from_user_mode+0x32/0x230 [ 113.412299][ T5175] ? syscall_enter_from_user_mode+0x8c/0x230 [ 113.418298][ T5175] do_syscall_64+0x41/0xc0 [ 113.422736][ T5175] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 113.428654][ T5175] RIP: 0033:0x7f0100724159 [ 113.433079][ T5175] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 113.452704][ T5175] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 113.461129][ T5175] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 113.469111][ T5175] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5177] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5175] <... openat resumed>) = -1 EIO (Input/output error) [pid 5175] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5175] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5174] exit_group(0 [pid 5177] <... futex resumed>) = ? [pid 5175] <... futex resumed>) = ? [pid 5174] <... exit_group resumed>) = ? [pid 5177] +++ exited with 0 +++ [pid 5175] +++ exited with 0 +++ [pid 5174] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5174, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- umount2("./40", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./40", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./40/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./40/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./40/binderfs") = 0 [ 113.477089][ T5175] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 113.485065][ T5175] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 113.493066][ T5175] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 113.501078][ T5175] umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./40/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./40/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./40/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./40") = 0 mkdir("./41", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5178 ./strace-static-x86_64: Process 5178 attached [pid 5178] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5178] chdir("./41") = 0 [pid 5178] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5178] setpgid(0, 0) = 0 [pid 5178] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5178] write(3, "1000", 4) = 4 [pid 5178] close(3) = 0 [pid 5178] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5178] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5178] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5178] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5178] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5179], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5179 ./strace-static-x86_64: Process 5179 attached [pid 5178] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5178] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5179] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5179] memfd_create("syzkaller", 0) = 3 [pid 5179] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5179] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5179] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5179] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5179] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5179] close(3) = 0 [pid 5179] mkdir("./file0", 0777) = 0 [ 113.914999][ T5179] loop0: detected capacity change from 0 to 32768 [ 113.931895][ T5179] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 113.940255][ T5179] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 113.950066][ T5179] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 113.958909][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 113.965714][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [ 114.003336][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [pid 5179] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5179] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5179] chdir("./file0") = 0 [pid 5179] ioctl(4, LOOP_CLR_FD) = 0 [pid 5179] close(4) = 0 [pid 5179] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5178] <... futex resumed>) = 0 [pid 5178] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5178] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5179] <... futex resumed>) = 1 [ 114.011043][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 114.016314][ T5179] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 114.042217][ T5179] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 114.051264][ T5179] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 114.051264][ T5179] inode = 12 2341 [pid 5179] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5178] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5178] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5178] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5178] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5178] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5181], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5181 [pid 5178] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5178] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5181 attached [pid 5181] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5181] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5181] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5178] <... futex resumed>) = 0 [pid 5178] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5178] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5181] <... futex resumed>) = 1 [pid 5181] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5181] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5178] <... futex resumed>) = 0 [pid 5181] <... futex resumed>) = 1 [ 114.051264][ T5179] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 114.070531][ T5179] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 114.079995][ T5179] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5179 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 114.090537][ T5179] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 114.100074][ T5179] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 114.108325][ T5179] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 114.117868][ T5179] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 114.125115][ T5179] gfs2: fsid=syz:syz.0: File system withdrawn [ 114.131463][ T5179] CPU: 1 PID: 5179 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 114.142014][ T5179] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 114.152197][ T5179] Call Trace: [ 114.155501][ T5179] [ 114.158465][ T5179] dump_stack_lvl+0x1e7/0x2d0 [ 114.163188][ T5179] ? nf_tcp_handle_invalid+0x650/0x650 [ 114.168676][ T5179] ? panic+0x770/0x770 [ 114.172797][ T5179] ? kobject_uevent_env+0x54e/0x8e0 [ 114.178025][ T5179] gfs2_withdraw+0xf48/0x1550 [ 114.182738][ T5179] ? gfs2_lm+0x240/0x240 [ 114.187000][ T5179] ? gfs2_dirent_scan+0xb2/0x640 [ 114.191965][ T5179] ? panic+0x770/0x770 [ 114.196090][ T5179] ? gfs2_consist_inode_i+0xf5/0x110 [ 114.201399][ T5179] gfs2_dirent_scan+0x512/0x640 [ 114.206284][ T5179] ? gfs2_permission+0x268/0x3c0 [ 114.211275][ T5179] ? gfs2_dirent_search+0x8c0/0x8c0 [pid 5181] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5178] exit_group(0 [pid 5181] <... futex resumed>) = ? [pid 5178] <... exit_group resumed>) = ? [pid 5181] +++ exited with 0 +++ [ 114.216515][ T5179] gfs2_dirent_search+0x30e/0x8c0 [ 114.221566][ T5179] ? gfs2_dirent_search+0x8c0/0x8c0 [ 114.226794][ T5179] ? generic_permission+0x1df/0x550 [ 114.232031][ T5179] ? gfs2_dir_search+0x2f0/0x2f0 [ 114.237015][ T5179] ? gfs2_permission+0x34a/0x3c0 [ 114.241997][ T5179] gfs2_dir_search+0xb2/0x2f0 [ 114.246691][ T5179] ? do_filldir_main+0x520/0x520 [ 114.251685][ T5179] ? inode_go_held+0xea/0x200 [ 114.256403][ T5179] ? gfs2_glock_wait+0x21a/0x2b0 [ 114.261370][ T5179] gfs2_lookupi+0x460/0x5d0 [ 114.265930][ T5179] ? gfs2_lookup_simple+0x180/0x180 [ 114.271167][ T5179] ? __gfs2_lookup+0xa4/0x270 [ 114.275864][ T5179] ? d_alloc_parallel+0x1262/0x13a0 [ 114.281096][ T5179] __gfs2_lookup+0xa4/0x270 [ 114.285626][ T5179] ? gfs2_atomic_open+0x230/0x230 [ 114.290688][ T5179] ? __init_waitqueue_head+0xae/0x150 [ 114.296092][ T5179] __lookup_slow+0x282/0x3e0 [ 114.300697][ T5179] ? lookup_one_len+0x2d0/0x2d0 [ 114.305568][ T5179] ? down_read+0x1b5/0x2f0 [ 114.310020][ T5179] lookup_slow+0x53/0x70 [ 114.314309][ T5179] link_path_walk+0x9c8/0xe70 [ 114.319031][ T5179] ? handle_lookup_down+0x130/0x130 [ 114.324258][ T5179] ? lockdep_hardirqs_on+0x98/0x140 [ 114.329491][ T5179] path_lookupat+0xa9/0x450 [ 114.334036][ T5179] do_o_path+0x95/0x230 [ 114.338210][ T5179] ? do_tmpfile+0x330/0x330 [ 114.342736][ T5179] ? __alloc_file+0x15a/0x230 [ 114.347451][ T5179] path_openat+0x29f0/0x3170 [ 114.352064][ T5179] ? __stack_depot_save+0x20/0x650 [ 114.357205][ T5179] ? mark_lock+0x9a/0x340 [ 114.361582][ T5179] ? kmem_cache_alloc+0x11f/0x2e0 [ 114.366622][ T5179] ? mark_lock+0x9a/0x340 [ 114.370967][ T5179] ? __lock_acquire+0x1295/0x2000 [ 114.376006][ T5179] ? do_filp_open+0x490/0x490 [ 114.380704][ T5179] do_filp_open+0x234/0x490 [ 114.385219][ T5179] ? vfs_tmpfile+0x4a0/0x4a0 [ 114.389859][ T5179] ? _raw_spin_unlock+0x28/0x40 [ 114.394746][ T5179] ? alloc_fd+0x59c/0x640 [ 114.399099][ T5179] do_sys_openat2+0x13f/0x500 [ 114.403790][ T5179] ? print_irqtrace_events+0x220/0x220 [ 114.409271][ T5179] ? do_sys_open+0x230/0x230 [ 114.413891][ T5179] ? lockdep_hardirqs_on+0x98/0x140 [ 114.419131][ T5179] ? _raw_spin_unlock_irq+0x2e/0x50 [ 114.424351][ T5179] ? ptrace_notify+0x278/0x380 [ 114.429128][ T5179] __x64_sys_openat+0x247/0x290 [ 114.434006][ T5179] ? __ia32_sys_open+0x270/0x270 [ 114.438964][ T5179] ? syscall_enter_from_user_mode+0x32/0x230 [ 114.444969][ T5179] ? syscall_enter_from_user_mode+0x8c/0x230 [ 114.450984][ T5179] do_syscall_64+0x41/0xc0 [ 114.455435][ T5179] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 114.461338][ T5179] RIP: 0033:0x7f0100724159 [ 114.465760][ T5179] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 114.485374][ T5179] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 114.493802][ T5179] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 114.501794][ T5179] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 114.509778][ T5179] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [pid 5179] <... openat resumed>) = ? [pid 5179] +++ exited with 0 +++ [pid 5178] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5178, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./41", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./41", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./41/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./41/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./41/binderfs") = 0 [ 114.517767][ T5179] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 114.525755][ T5179] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 114.533751][ T5179] umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./41/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./41/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./41/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./41") = 0 mkdir("./42", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5182 ./strace-static-x86_64: Process 5182 attached [pid 5182] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5182] chdir("./42") = 0 [pid 5182] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5182] setpgid(0, 0) = 0 [pid 5182] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5182] write(3, "1000", 4) = 4 [pid 5182] close(3) = 0 [pid 5182] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5182] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5182] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5182] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5182] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5183], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5183 ./strace-static-x86_64: Process 5183 attached [pid 5182] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5182] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5183] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5183] memfd_create("syzkaller", 0) = 3 [pid 5183] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5183] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5183] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5183] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5183] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5183] close(3) = 0 [pid 5183] mkdir("./file0", 0777) = 0 [ 114.915368][ T5183] loop0: detected capacity change from 0 to 32768 [ 114.927780][ T5183] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 114.936006][ T5183] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 114.946083][ T5183] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 114.954910][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 114.961814][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5183] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5183] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5183] chdir("./file0") = 0 [pid 5183] ioctl(4, LOOP_CLR_FD) = 0 [pid 5183] close(4) = 0 [pid 5183] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5182] <... futex resumed>) = 0 [pid 5182] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5182] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5183] <... futex resumed>) = 1 [ 114.998378][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 115.006127][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 115.011528][ T5183] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 115.027078][ T5183] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 115.035855][ T5183] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 115.035855][ T5183] inode = 12 2341 [pid 5183] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5182] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5182] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5182] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5182] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5182] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5185], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5185 [pid 5182] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5182] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5185 attached [pid 5185] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 115.035855][ T5183] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 115.055033][ T5183] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 115.064254][ T5183] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5183 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 115.074566][ T5183] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 115.083230][ T5183] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5185] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5185] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5182] <... futex resumed>) = 0 [pid 5182] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5182] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5185] <... futex resumed>) = 1 [pid 5185] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5185] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5182] <... futex resumed>) = 0 [pid 5185] <... futex resumed>) = 1 [ 115.090567][ T5183] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 115.099429][ T5183] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 115.106057][ T5183] gfs2: fsid=syz:syz.0: File system withdrawn [ 115.112267][ T5183] CPU: 0 PID: 5183 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 115.122721][ T5183] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 115.132815][ T5183] Call Trace: [ 115.136107][ T5183] [ 115.139071][ T5183] dump_stack_lvl+0x1e7/0x2d0 [ 115.143777][ T5183] ? nf_tcp_handle_invalid+0x650/0x650 [ 115.149261][ T5183] ? panic+0x770/0x770 [ 115.153357][ T5183] ? kobject_uevent_env+0x54e/0x8e0 [ 115.158579][ T5183] gfs2_withdraw+0xf48/0x1550 [ 115.163287][ T5183] ? gfs2_lm+0x240/0x240 [ 115.167562][ T5183] ? gfs2_dirent_scan+0xb2/0x640 [ 115.172550][ T5183] ? panic+0x770/0x770 [ 115.176647][ T5183] ? gfs2_consist_inode_i+0xf5/0x110 [ 115.181958][ T5183] gfs2_dirent_scan+0x512/0x640 [ 115.186821][ T5183] ? gfs2_permission+0x268/0x3c0 [ 115.191779][ T5183] ? gfs2_dirent_search+0x8c0/0x8c0 [ 115.197011][ T5183] gfs2_dirent_search+0x30e/0x8c0 [ 115.202053][ T5183] ? gfs2_dirent_search+0x8c0/0x8c0 [ 115.207266][ T5183] ? generic_permission+0x1df/0x550 [ 115.212496][ T5183] ? gfs2_dir_search+0x2f0/0x2f0 [ 115.217453][ T5183] ? gfs2_permission+0x34a/0x3c0 [ 115.222415][ T5183] gfs2_dir_search+0xb2/0x2f0 [ 115.227127][ T5183] ? do_filldir_main+0x520/0x520 [ 115.232083][ T5183] ? inode_go_held+0xea/0x200 [ 115.236770][ T5183] ? gfs2_glock_wait+0x21a/0x2b0 [ 115.241730][ T5183] gfs2_lookupi+0x460/0x5d0 [ 115.246254][ T5183] ? gfs2_lookup_simple+0x180/0x180 [ 115.251484][ T5183] ? __gfs2_lookup+0xa4/0x270 [ 115.256180][ T5183] ? d_alloc_parallel+0x1262/0x13a0 [ 115.261394][ T5183] __gfs2_lookup+0xa4/0x270 [ 115.265924][ T5183] ? gfs2_atomic_open+0x230/0x230 [ 115.270966][ T5183] ? __init_waitqueue_head+0xae/0x150 [ 115.276356][ T5183] __lookup_slow+0x282/0x3e0 [ 115.280959][ T5183] ? lookup_one_len+0x2d0/0x2d0 [ 115.285830][ T5183] ? down_read+0x1b5/0x2f0 [ 115.290268][ T5183] lookup_slow+0x53/0x70 [ 115.294537][ T5183] link_path_walk+0x9c8/0xe70 [ 115.299242][ T5183] ? handle_lookup_down+0x130/0x130 [ 115.304461][ T5183] ? lockdep_hardirqs_on+0x98/0x140 [ 115.309675][ T5183] path_lookupat+0xa9/0x450 [ 115.314216][ T5183] do_o_path+0x95/0x230 [ 115.318390][ T5183] ? do_tmpfile+0x330/0x330 [ 115.322992][ T5183] ? __alloc_file+0x15a/0x230 [ 115.327682][ T5183] path_openat+0x29f0/0x3170 [ 115.332285][ T5183] ? __stack_depot_save+0x20/0x650 [ 115.337408][ T5183] ? __lock_acquire+0x1295/0x2000 [ 115.342450][ T5183] ? mark_lock+0x9a/0x340 [ 115.346806][ T5183] ? kmem_cache_alloc+0x11f/0x2e0 [ 115.351843][ T5183] ? mark_lock+0x9a/0x340 [ 115.356188][ T5183] ? __lock_acquire+0x1295/0x2000 [ 115.361236][ T5183] ? do_filp_open+0x490/0x490 [ 115.365958][ T5183] do_filp_open+0x234/0x490 [ 115.370478][ T5183] ? vfs_tmpfile+0x4a0/0x4a0 [ 115.375100][ T5183] ? _raw_spin_unlock+0x28/0x40 [ 115.380059][ T5183] ? alloc_fd+0x59c/0x640 [ 115.384422][ T5183] do_sys_openat2+0x13f/0x500 [ 115.389117][ T5183] ? print_irqtrace_events+0x220/0x220 [ 115.394613][ T5183] ? do_sys_open+0x230/0x230 [ 115.399227][ T5183] ? lockdep_hardirqs_on+0x98/0x140 [ 115.404455][ T5183] ? _raw_spin_unlock_irq+0x2e/0x50 [ 115.409677][ T5183] ? ptrace_notify+0x278/0x380 [ 115.414460][ T5183] __x64_sys_openat+0x247/0x290 [ 115.419339][ T5183] ? __ia32_sys_open+0x270/0x270 [ 115.424305][ T5183] ? syscall_enter_from_user_mode+0x32/0x230 [ 115.430328][ T5183] ? syscall_enter_from_user_mode+0x8c/0x230 [ 115.436423][ T5183] do_syscall_64+0x41/0xc0 [ 115.440946][ T5183] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 115.446852][ T5183] RIP: 0033:0x7f0100724159 [ 115.451290][ T5183] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 115.471333][ T5183] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 115.479797][ T5183] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 115.487783][ T5183] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5185] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5183] <... openat resumed>) = -1 EIO (Input/output error) [pid 5183] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5182] exit_group(0 [pid 5183] <... futex resumed>) = ? [pid 5182] <... exit_group resumed>) = ? [pid 5183] +++ exited with 0 +++ [pid 5185] <... futex resumed>) = ? [pid 5185] +++ exited with 0 +++ [pid 5182] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5182, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- umount2("./42", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./42", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./42/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./42/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./42/binderfs") = 0 [ 115.495854][ T5183] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 115.504187][ T5183] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 115.512170][ T5183] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 115.520177][ T5183] umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./42/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./42/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./42/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./42") = 0 mkdir("./43", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5186 ./strace-static-x86_64: Process 5186 attached [pid 5186] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5186] chdir("./43") = 0 [pid 5186] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5186] setpgid(0, 0) = 0 [pid 5186] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5186] write(3, "1000", 4) = 4 [pid 5186] close(3) = 0 [pid 5186] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5186] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5186] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5186] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5186] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5187], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5187 [pid 5186] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5187 attached ) = 0 [pid 5187] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5186] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5187] memfd_create("syzkaller", 0) = 3 [pid 5187] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5187] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5187] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5187] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5187] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5187] close(3) = 0 [pid 5187] mkdir("./file0", 0777) = 0 [ 115.908969][ T5187] loop0: detected capacity change from 0 to 32768 [ 115.920583][ T5187] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 115.928939][ T5187] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 115.939921][ T5187] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 115.948875][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 115.955785][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5187] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5187] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5187] chdir("./file0") = 0 [pid 5187] ioctl(4, LOOP_CLR_FD) = 0 [pid 5187] close(4) = 0 [pid 5187] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5187] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5186] <... futex resumed>) = 0 [pid 5186] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5187] <... futex resumed>) = 0 [pid 5186] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 115.992280][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 116.000091][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 116.005394][ T5187] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 116.038838][ T5187] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 116.047515][ T5187] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 116.047515][ T5187] inode = 12 2341 [ 116.047515][ T5187] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 116.066838][ T5187] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 116.078089][ T5187] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5187 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5187] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5186] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5186] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5186] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5186] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5186] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5189], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5189 [pid 5186] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5186] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5189 attached [pid 5189] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5189] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5189] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5186] <... futex resumed>) = 0 [pid 5186] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5186] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5189] <... futex resumed>) = 1 [pid 5189] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5189] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5186] <... futex resumed>) = 0 [pid 5189] <... futex resumed>) = 1 [ 116.088196][ T5187] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 116.096659][ T5187] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 116.103977][ T5187] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 116.112907][ T5187] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 116.119672][ T5187] gfs2: fsid=syz:syz.0: File system withdrawn [ 116.125770][ T5187] CPU: 0 PID: 5187 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 116.136397][ T5187] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 116.146495][ T5187] Call Trace: [ 116.149809][ T5187] [ 116.152784][ T5187] dump_stack_lvl+0x1e7/0x2d0 [ 116.157484][ T5187] ? nf_tcp_handle_invalid+0x650/0x650 [ 116.162963][ T5187] ? panic+0x770/0x770 [ 116.167062][ T5187] ? kobject_uevent_env+0x54e/0x8e0 [ 116.172297][ T5187] gfs2_withdraw+0xf48/0x1550 [ 116.177201][ T5187] ? gfs2_lm+0x240/0x240 [ 116.181489][ T5187] ? gfs2_dirent_scan+0xb2/0x640 [ 116.186458][ T5187] ? panic+0x770/0x770 [ 116.190557][ T5187] ? gfs2_consist_inode_i+0xf5/0x110 [ 116.195878][ T5187] gfs2_dirent_scan+0x512/0x640 [ 116.200770][ T5187] ? gfs2_permission+0x268/0x3c0 [ 116.205760][ T5187] ? gfs2_dirent_search+0x8c0/0x8c0 [ 116.210985][ T5187] gfs2_dirent_search+0x30e/0x8c0 [ 116.216041][ T5187] ? gfs2_dirent_search+0x8c0/0x8c0 [ 116.221263][ T5187] ? generic_permission+0x1df/0x550 [ 116.226495][ T5187] ? gfs2_dir_search+0x2f0/0x2f0 [ 116.231480][ T5187] ? gfs2_permission+0x34a/0x3c0 [ 116.236555][ T5187] gfs2_dir_search+0xb2/0x2f0 [ 116.241256][ T5187] ? do_filldir_main+0x520/0x520 [ 116.246209][ T5187] ? inode_go_held+0xea/0x200 [ 116.250900][ T5187] ? gfs2_glock_wait+0x21a/0x2b0 [ 116.255857][ T5187] gfs2_lookupi+0x460/0x5d0 [ 116.260491][ T5187] ? gfs2_lookup_simple+0x180/0x180 [ 116.265716][ T5187] ? __gfs2_lookup+0xa4/0x270 [ 116.270405][ T5187] ? d_alloc_parallel+0x1262/0x13a0 [ 116.275640][ T5187] __gfs2_lookup+0xa4/0x270 [ 116.280158][ T5187] ? gfs2_atomic_open+0x230/0x230 [ 116.285212][ T5187] ? __init_waitqueue_head+0xae/0x150 [ 116.290603][ T5187] __lookup_slow+0x282/0x3e0 [ 116.295209][ T5187] ? lookup_one_len+0x2d0/0x2d0 [ 116.300086][ T5187] ? down_read+0x1b5/0x2f0 [ 116.304523][ T5187] lookup_slow+0x53/0x70 [ 116.308790][ T5187] link_path_walk+0x9c8/0xe70 [ 116.313501][ T5187] ? handle_lookup_down+0x130/0x130 [ 116.318718][ T5187] ? lockdep_hardirqs_on+0x98/0x140 [ 116.323942][ T5187] path_lookupat+0xa9/0x450 [ 116.328472][ T5187] do_o_path+0x95/0x230 [ 116.332646][ T5187] ? do_tmpfile+0x330/0x330 [ 116.337166][ T5187] ? __alloc_file+0x15a/0x230 [ 116.341864][ T5187] path_openat+0x29f0/0x3170 [ 116.346483][ T5187] ? __stack_depot_save+0x20/0x650 [ 116.351614][ T5187] ? mark_lock+0x9a/0x340 [ 116.355957][ T5187] ? kmem_cache_alloc+0x11f/0x2e0 [ 116.361024][ T5187] ? mark_lock+0x9a/0x340 [ 116.365405][ T5187] ? __lock_acquire+0x1295/0x2000 [ 116.370476][ T5187] ? do_filp_open+0x490/0x490 [ 116.375185][ T5187] do_filp_open+0x234/0x490 [ 116.379719][ T5187] ? vfs_tmpfile+0x4a0/0x4a0 [ 116.384424][ T5187] ? _raw_spin_unlock+0x28/0x40 [ 116.389283][ T5187] ? alloc_fd+0x59c/0x640 [ 116.393639][ T5187] do_sys_openat2+0x13f/0x500 [ 116.398342][ T5187] ? print_irqtrace_events+0x220/0x220 [ 116.403823][ T5187] ? do_sys_open+0x230/0x230 [ 116.408445][ T5187] ? lockdep_hardirqs_on+0x98/0x140 [ 116.413691][ T5187] ? _raw_spin_unlock_irq+0x2e/0x50 [ 116.418901][ T5187] ? ptrace_notify+0x278/0x380 [ 116.423684][ T5187] __x64_sys_openat+0x247/0x290 [ 116.428552][ T5187] ? __ia32_sys_open+0x270/0x270 [ 116.433584][ T5187] ? syscall_enter_from_user_mode+0x32/0x230 [ 116.439582][ T5187] ? syscall_enter_from_user_mode+0x8c/0x230 [ 116.445585][ T5187] do_syscall_64+0x41/0xc0 [ 116.450024][ T5187] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 116.455929][ T5187] RIP: 0033:0x7f0100724159 [ 116.460354][ T5187] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 116.480018][ T5187] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5189] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5187] <... openat resumed>) = -1 EIO (Input/output error) [pid 5187] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5187] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5186] exit_group(0 [pid 5189] <... futex resumed>) = ? [pid 5187] <... futex resumed>) = ? [pid 5189] +++ exited with 0 +++ [pid 5187] +++ exited with 0 +++ [pid 5186] <... exit_group resumed>) = ? [pid 5186] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5186, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./43", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./43", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./43/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./43/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./43/binderfs") = 0 [ 116.488443][ T5187] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 116.496424][ T5187] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 116.504406][ T5187] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 116.512396][ T5187] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 116.520399][ T5187] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 116.528398][ T5187] umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./43/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./43/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./43/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./43") = 0 mkdir("./44", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5190 ./strace-static-x86_64: Process 5190 attached [pid 5190] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5190] chdir("./44") = 0 [pid 5190] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5190] setpgid(0, 0) = 0 [pid 5190] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5190] write(3, "1000", 4) = 4 [pid 5190] close(3) = 0 [pid 5190] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5190] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5190] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5190] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5190] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5191 attached , parent_tid=[5191], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5191 [pid 5191] set_robust_list(0x7f01006c89e0, 24 [pid 5190] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5191] <... set_robust_list resumed>) = 0 [pid 5190] <... futex resumed>) = 0 [pid 5190] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5191] memfd_create("syzkaller", 0) = 3 [pid 5191] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5191] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5191] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5191] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5191] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5191] close(3) = 0 [pid 5191] mkdir("./file0", 0777) = 0 [ 116.952679][ T5191] loop0: detected capacity change from 0 to 32768 [ 116.965178][ T5191] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 116.974164][ T5191] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 116.983878][ T5191] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 116.993255][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 117.000143][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5191] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5191] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5191] chdir("./file0") = 0 [pid 5191] ioctl(4, LOOP_CLR_FD) = 0 [pid 5191] close(4) = 0 [pid 5191] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5190] <... futex resumed>) = 0 [pid 5190] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5190] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 117.037424][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 117.045123][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 117.050763][ T5191] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5191] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5190] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 117.082370][ T5191] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 117.091802][ T5191] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 117.091802][ T5191] inode = 12 2341 [ 117.091802][ T5191] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 117.111217][ T5191] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 117.121006][ T5191] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5191 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5190] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5190] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5190] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5190] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5193], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5193 [pid 5190] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5190] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5193 attached [pid 5193] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5193] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5193] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5190] <... futex resumed>) = 0 [pid 5190] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5190] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5193] <... futex resumed>) = 1 [pid 5193] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5193] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5190] <... futex resumed>) = 0 [pid 5193] <... futex resumed>) = 1 [ 117.131557][ T5191] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 117.140823][ T5191] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 117.148609][ T5191] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 117.157725][ T5191] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 117.166674][ T5191] gfs2: fsid=syz:syz.0: File system withdrawn [ 117.172919][ T5191] CPU: 0 PID: 5191 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 117.184175][ T5191] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 117.194544][ T5191] Call Trace: [ 117.197861][ T5191] [ 117.200857][ T5191] dump_stack_lvl+0x1e7/0x2d0 [ 117.205912][ T5191] ? nf_tcp_handle_invalid+0x650/0x650 [ 117.211481][ T5191] ? panic+0x770/0x770 [ 117.215812][ T5191] ? kobject_uevent_env+0x54e/0x8e0 [ 117.221477][ T5191] gfs2_withdraw+0xf48/0x1550 [ 117.226304][ T5191] ? gfs2_lm+0x240/0x240 [ 117.230669][ T5191] ? gfs2_dirent_scan+0xb2/0x640 [ 117.235842][ T5191] ? panic+0x770/0x770 [ 117.240008][ T5191] ? gfs2_consist_inode_i+0xf5/0x110 [ 117.245348][ T5191] gfs2_dirent_scan+0x512/0x640 [ 117.250264][ T5191] ? gfs2_permission+0x268/0x3c0 [ 117.255257][ T5191] ? gfs2_dirent_search+0x8c0/0x8c0 [ 117.260507][ T5191] gfs2_dirent_search+0x30e/0x8c0 [ 117.265553][ T5191] ? gfs2_dirent_search+0x8c0/0x8c0 [ 117.270767][ T5191] ? generic_permission+0x1df/0x550 [ 117.276022][ T5191] ? gfs2_dir_search+0x2f0/0x2f0 [pid 5193] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5190] exit_group(0 [pid 5193] <... futex resumed>) = ? [pid 5190] <... exit_group resumed>) = ? [pid 5193] +++ exited with 0 +++ [ 117.280999][ T5191] ? gfs2_permission+0x34a/0x3c0 [ 117.285963][ T5191] gfs2_dir_search+0xb2/0x2f0 [ 117.290668][ T5191] ? do_filldir_main+0x520/0x520 [ 117.295638][ T5191] ? inode_go_held+0xea/0x200 [ 117.300343][ T5191] ? gfs2_glock_wait+0x21a/0x2b0 [ 117.305355][ T5191] gfs2_lookupi+0x460/0x5d0 [ 117.309927][ T5191] ? gfs2_lookup_simple+0x180/0x180 [ 117.315159][ T5191] ? __gfs2_lookup+0xa4/0x270 [ 117.319866][ T5191] ? d_alloc_parallel+0x1262/0x13a0 [ 117.325108][ T5191] __gfs2_lookup+0xa4/0x270 [ 117.329642][ T5191] ? gfs2_atomic_open+0x230/0x230 [ 117.334905][ T5191] ? __init_waitqueue_head+0xae/0x150 [ 117.340317][ T5191] __lookup_slow+0x282/0x3e0 [ 117.344955][ T5191] ? lookup_one_len+0x2d0/0x2d0 [ 117.349844][ T5191] ? down_read+0x1b5/0x2f0 [ 117.357161][ T5191] lookup_slow+0x53/0x70 [ 117.361430][ T5191] link_path_walk+0x9c8/0xe70 [ 117.366150][ T5191] ? handle_lookup_down+0x130/0x130 [ 117.371427][ T5191] ? lockdep_hardirqs_on+0x98/0x140 [ 117.376636][ T5191] path_lookupat+0xa9/0x450 [ 117.381173][ T5191] do_o_path+0x95/0x230 [ 117.385353][ T5191] ? do_tmpfile+0x330/0x330 [ 117.389870][ T5191] ? __alloc_file+0x15a/0x230 [ 117.394598][ T5191] path_openat+0x29f0/0x3170 [ 117.399207][ T5191] ? __stack_depot_save+0x20/0x650 [ 117.404436][ T5191] ? mark_lock+0x9a/0x340 [ 117.408809][ T5191] ? kmem_cache_alloc+0x11f/0x2e0 [ 117.413867][ T5191] ? mark_lock+0x9a/0x340 [ 117.418226][ T5191] ? __lock_acquire+0x1295/0x2000 [ 117.423267][ T5191] ? do_filp_open+0x490/0x490 [ 117.427966][ T5191] do_filp_open+0x234/0x490 [ 117.432481][ T5191] ? vfs_tmpfile+0x4a0/0x4a0 [ 117.437114][ T5191] ? _raw_spin_unlock+0x28/0x40 [ 117.441988][ T5191] ? alloc_fd+0x59c/0x640 [ 117.446368][ T5191] do_sys_openat2+0x13f/0x500 [ 117.451169][ T5191] ? print_irqtrace_events+0x220/0x220 [ 117.456685][ T5191] ? do_sys_open+0x230/0x230 [ 117.461303][ T5191] ? lockdep_hardirqs_on+0x98/0x140 [ 117.466548][ T5191] ? _raw_spin_unlock_irq+0x2e/0x50 [ 117.471784][ T5191] ? ptrace_notify+0x278/0x380 [ 117.476578][ T5191] __x64_sys_openat+0x247/0x290 [ 117.481468][ T5191] ? __ia32_sys_open+0x270/0x270 [ 117.486441][ T5191] ? syscall_enter_from_user_mode+0x32/0x230 [ 117.492655][ T5191] ? syscall_enter_from_user_mode+0x8c/0x230 [ 117.498692][ T5191] do_syscall_64+0x41/0xc0 [ 117.503266][ T5191] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 117.509396][ T5191] RIP: 0033:0x7f0100724159 [ 117.513871][ T5191] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 117.533968][ T5191] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 117.542543][ T5191] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 117.550903][ T5191] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 117.559019][ T5191] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 117.567010][ T5191] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 117.575095][ T5191] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [pid 5191] <... openat resumed>) = ? [pid 5191] +++ exited with 0 +++ [pid 5190] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5190, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=31 /* 0.31 s */} --- umount2("./44", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./44", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./44/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./44/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./44/binderfs") = 0 [ 117.583285][ T5191] umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./44/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./44/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./44/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./44") = 0 mkdir("./45", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5194 ./strace-static-x86_64: Process 5194 attached [pid 5194] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5194] chdir("./45") = 0 [pid 5194] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5194] setpgid(0, 0) = 0 [pid 5194] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5194] write(3, "1000", 4) = 4 [pid 5194] close(3) = 0 [pid 5194] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5194] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5194] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5194] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5194] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5195], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5195 ./strace-static-x86_64: Process 5195 attached [pid 5195] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5195] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5194] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5195] <... futex resumed>) = 0 [pid 5194] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5195] memfd_create("syzkaller", 0) = 3 [pid 5195] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5195] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5195] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5195] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5195] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5195] close(3) = 0 [pid 5195] mkdir("./file0", 0777) = 0 [ 117.978701][ T5195] loop0: detected capacity change from 0 to 32768 [ 117.990942][ T5195] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 118.000898][ T5195] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 118.011078][ T5195] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 118.019884][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 118.026699][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5195] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5195] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5195] chdir("./file0") = 0 [pid 5195] ioctl(4, LOOP_CLR_FD) = 0 [pid 5195] close(4) = 0 [pid 5195] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5194] <... futex resumed>) = 0 [pid 5194] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5194] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5195] <... futex resumed>) = 1 [ 118.064529][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 118.074219][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 118.079679][ T5195] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 118.094700][ T5195] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 118.103682][ T5195] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 118.103682][ T5195] inode = 12 2341 [pid 5195] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5194] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 118.103682][ T5195] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 118.122883][ T5195] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 118.132170][ T5195] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5195 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 118.142302][ T5195] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 118.150921][ T5195] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5194] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5194] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5194] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5194] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5197], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5197 [pid 5194] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5194] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5197 attached [pid 5197] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5197] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5197] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5194] <... futex resumed>) = 0 [pid 5194] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5194] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5197] <... futex resumed>) = 1 [ 118.158529][ T5195] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 118.167646][ T5195] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 118.174545][ T5195] gfs2: fsid=syz:syz.0: File system withdrawn [ 118.181224][ T5195] CPU: 1 PID: 5195 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 118.191703][ T5195] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 118.201801][ T5195] Call Trace: [ 118.205133][ T5195] [ 118.208092][ T5195] dump_stack_lvl+0x1e7/0x2d0 [pid 5197] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5197] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5194] <... futex resumed>) = 0 [pid 5197] <... futex resumed>) = 1 [ 118.212791][ T5195] ? nf_tcp_handle_invalid+0x650/0x650 [ 118.218275][ T5195] ? panic+0x770/0x770 [ 118.222358][ T5195] ? kobject_uevent_env+0x54e/0x8e0 [ 118.227582][ T5195] gfs2_withdraw+0xf48/0x1550 [ 118.232308][ T5195] ? gfs2_lm+0x240/0x240 [ 118.236613][ T5195] ? gfs2_dirent_scan+0xb2/0x640 [ 118.241586][ T5195] ? panic+0x770/0x770 [ 118.245690][ T5195] ? gfs2_consist_inode_i+0xf5/0x110 [ 118.251039][ T5195] gfs2_dirent_scan+0x512/0x640 [ 118.255947][ T5195] ? gfs2_permission+0x268/0x3c0 [ 118.260910][ T5195] ? gfs2_dirent_search+0x8c0/0x8c0 [ 118.266136][ T5195] gfs2_dirent_search+0x30e/0x8c0 [ 118.271194][ T5195] ? gfs2_dirent_search+0x8c0/0x8c0 [ 118.276413][ T5195] ? generic_permission+0x1df/0x550 [ 118.281723][ T5195] ? gfs2_dir_search+0x2f0/0x2f0 [ 118.286696][ T5195] ? gfs2_permission+0x34a/0x3c0 [ 118.291665][ T5195] gfs2_dir_search+0xb2/0x2f0 [ 118.296363][ T5195] ? do_filldir_main+0x520/0x520 [ 118.301315][ T5195] ? inode_go_held+0xea/0x200 [ 118.306012][ T5195] ? gfs2_glock_wait+0x21a/0x2b0 [ 118.310972][ T5195] gfs2_lookupi+0x460/0x5d0 [ 118.315501][ T5195] ? gfs2_lookup_simple+0x180/0x180 [ 118.320727][ T5195] ? __gfs2_lookup+0xa4/0x270 [ 118.325416][ T5195] ? d_alloc_parallel+0x1262/0x13a0 [ 118.330634][ T5195] __gfs2_lookup+0xa4/0x270 [ 118.335153][ T5195] ? gfs2_atomic_open+0x230/0x230 [ 118.340198][ T5195] ? __init_waitqueue_head+0xae/0x150 [ 118.345593][ T5195] __lookup_slow+0x282/0x3e0 [ 118.350198][ T5195] ? lookup_one_len+0x2d0/0x2d0 [ 118.355094][ T5195] ? down_read+0x1b5/0x2f0 [ 118.359536][ T5195] lookup_slow+0x53/0x70 [ 118.363792][ T5195] link_path_walk+0x9c8/0xe70 [ 118.368501][ T5195] ? handle_lookup_down+0x130/0x130 [ 118.373722][ T5195] ? lockdep_hardirqs_on+0x98/0x140 [ 118.378946][ T5195] path_lookupat+0xa9/0x450 [ 118.383487][ T5195] do_o_path+0x95/0x230 [ 118.387664][ T5195] ? do_tmpfile+0x330/0x330 [ 118.392185][ T5195] ? __alloc_file+0x15a/0x230 [ 118.396894][ T5195] path_openat+0x29f0/0x3170 [ 118.401500][ T5195] ? __stack_depot_save+0x20/0x650 [ 118.406630][ T5195] ? mark_lock+0x9a/0x340 [ 118.410996][ T5195] ? kmem_cache_alloc+0x11f/0x2e0 [ 118.416122][ T5195] ? mark_lock+0x9a/0x340 [ 118.420475][ T5195] ? __lock_acquire+0x1295/0x2000 [ 118.425534][ T5195] ? do_filp_open+0x490/0x490 [ 118.430237][ T5195] do_filp_open+0x234/0x490 [ 118.434759][ T5195] ? vfs_tmpfile+0x4a0/0x4a0 [ 118.439484][ T5195] ? _raw_spin_unlock+0x28/0x40 [ 118.444346][ T5195] ? alloc_fd+0x59c/0x640 [ 118.448973][ T5195] do_sys_openat2+0x13f/0x500 [ 118.453687][ T5195] ? print_irqtrace_events+0x220/0x220 [ 118.459171][ T5195] ? do_sys_open+0x230/0x230 [ 118.463865][ T5195] ? lockdep_hardirqs_on+0x98/0x140 [ 118.469081][ T5195] ? _raw_spin_unlock_irq+0x2e/0x50 [ 118.474307][ T5195] ? ptrace_notify+0x278/0x380 [ 118.479089][ T5195] __x64_sys_openat+0x247/0x290 [ 118.483970][ T5195] ? __ia32_sys_open+0x270/0x270 [ 118.488932][ T5195] ? syscall_enter_from_user_mode+0x32/0x230 [ 118.494930][ T5195] ? syscall_enter_from_user_mode+0x8c/0x230 [ 118.500925][ T5195] do_syscall_64+0x41/0xc0 [ 118.505365][ T5195] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 118.511357][ T5195] RIP: 0033:0x7f0100724159 [ 118.515868][ T5195] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 118.535483][ T5195] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 118.543930][ T5195] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 118.551911][ T5195] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5197] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5195] <... openat resumed>) = -1 EIO (Input/output error) [pid 5195] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5195] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5194] exit_group(0 [pid 5197] <... futex resumed>) = ? [pid 5195] <... futex resumed>) = ? [pid 5194] <... exit_group resumed>) = ? [pid 5197] +++ exited with 0 +++ [pid 5195] +++ exited with 0 +++ [pid 5194] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5194, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- umount2("./45", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./45", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./45/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./45/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./45/binderfs") = 0 [ 118.559895][ T5195] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 118.567875][ T5195] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 118.575855][ T5195] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 118.583857][ T5195] umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./45/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./45/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./45/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./45") = 0 mkdir("./46", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5198 ./strace-static-x86_64: Process 5198 attached [pid 5198] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5198] chdir("./46") = 0 [pid 5198] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5198] setpgid(0, 0) = 0 [pid 5198] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5198] write(3, "1000", 4) = 4 [pid 5198] close(3) = 0 [pid 5198] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5198] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5198] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5198] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5198] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5199 attached , parent_tid=[5199], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5199 [pid 5199] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5199] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5198] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5199] <... futex resumed>) = 0 [pid 5198] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5199] memfd_create("syzkaller", 0) = 3 [pid 5199] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5199] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5199] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5199] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5199] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5199] close(3) = 0 [pid 5199] mkdir("./file0", 0777) = 0 [ 119.000609][ T5199] loop0: detected capacity change from 0 to 32768 [ 119.012560][ T5199] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 119.021142][ T5199] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 119.030840][ T5199] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 119.039675][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 119.046494][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5199] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5199] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5199] chdir("./file0") = 0 [pid 5199] ioctl(4, LOOP_CLR_FD) = 0 [pid 5199] close(4) = 0 [pid 5199] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5198] <... futex resumed>) = 0 [pid 5199] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5198] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 119.097650][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 51ms [ 119.105215][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 119.110775][ T5199] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 119.123185][ T5199] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 119.132422][ T5199] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 119.132422][ T5199] inode = 12 2341 [pid 5198] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5198] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 119.132422][ T5199] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 119.151740][ T5199] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 119.161541][ T5199] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5199 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 119.172010][ T5199] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 119.180886][ T5199] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 119.188623][ T5199] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5198] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [ 119.197940][ T5199] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 119.204860][ T5199] gfs2: fsid=syz:syz.0: File system withdrawn [ 119.211426][ T5199] CPU: 0 PID: 5199 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 119.221883][ T5199] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 119.231957][ T5199] Call Trace: [ 119.235252][ T5199] [ 119.238211][ T5199] dump_stack_lvl+0x1e7/0x2d0 [ 119.242933][ T5199] ? nf_tcp_handle_invalid+0x650/0x650 [ 119.248443][ T5199] ? panic+0x770/0x770 [ 119.252545][ T5199] ? kobject_uevent_env+0x54e/0x8e0 [ 119.257893][ T5199] gfs2_withdraw+0xf48/0x1550 [ 119.262616][ T5199] ? gfs2_lm+0x240/0x240 [ 119.266878][ T5199] ? gfs2_dirent_scan+0xb2/0x640 [ 119.271843][ T5199] ? panic+0x770/0x770 [ 119.275965][ T5199] ? gfs2_consist_inode_i+0xf5/0x110 [ 119.281293][ T5199] gfs2_dirent_scan+0x512/0x640 [ 119.286173][ T5199] ? gfs2_permission+0x268/0x3c0 [ 119.291165][ T5199] ? gfs2_dirent_search+0x8c0/0x8c0 [ 119.296493][ T5199] gfs2_dirent_search+0x30e/0x8c0 [ 119.301562][ T5199] ? gfs2_dirent_search+0x8c0/0x8c0 [ 119.306789][ T5199] ? generic_permission+0x1df/0x550 [ 119.312053][ T5199] ? gfs2_dir_search+0x2f0/0x2f0 [ 119.317009][ T5199] ? gfs2_permission+0x34a/0x3c0 [ 119.321982][ T5199] gfs2_dir_search+0xb2/0x2f0 [ 119.326687][ T5199] ? do_filldir_main+0x520/0x520 [ 119.331748][ T5199] ? inode_go_held+0xea/0x200 [ 119.336552][ T5199] ? gfs2_glock_wait+0x21a/0x2b0 [ 119.341571][ T5199] gfs2_lookupi+0x460/0x5d0 [ 119.346114][ T5199] ? gfs2_lookup_simple+0x180/0x180 [ 119.351380][ T5199] ? __gfs2_lookup+0xa4/0x270 [ 119.356078][ T5199] ? d_alloc_parallel+0x1262/0x13a0 [ 119.361337][ T5199] __gfs2_lookup+0xa4/0x270 [ 119.365862][ T5199] ? gfs2_atomic_open+0x230/0x230 [ 119.370905][ T5199] ? __init_waitqueue_head+0xae/0x150 [ 119.376317][ T5199] __lookup_slow+0x282/0x3e0 [ 119.380930][ T5199] ? lookup_one_len+0x2d0/0x2d0 [ 119.385806][ T5199] ? down_read+0x1b5/0x2f0 [ 119.390246][ T5199] lookup_slow+0x53/0x70 [ 119.394503][ T5199] link_path_walk+0x9c8/0xe70 [ 119.399207][ T5199] ? handle_lookup_down+0x130/0x130 [ 119.404430][ T5199] ? lockdep_hardirqs_on+0x98/0x140 [ 119.409644][ T5199] path_lookupat+0xa9/0x450 [ 119.414187][ T5199] do_o_path+0x95/0x230 [ 119.418417][ T5199] ? do_tmpfile+0x330/0x330 [ 119.422954][ T5199] ? __alloc_file+0x15a/0x230 [ 119.427660][ T5199] path_openat+0x29f0/0x3170 [ 119.432278][ T5199] ? __stack_depot_save+0x20/0x650 [ 119.437412][ T5199] ? mark_lock+0x9a/0x340 [ 119.441760][ T5199] ? kmem_cache_alloc+0x11f/0x2e0 [ 119.446799][ T5199] ? mark_lock+0x9a/0x340 [ 119.451235][ T5199] ? __lock_acquire+0x1295/0x2000 [ 119.456280][ T5199] ? do_filp_open+0x490/0x490 [ 119.461007][ T5199] do_filp_open+0x234/0x490 [ 119.465529][ T5199] ? vfs_tmpfile+0x4a0/0x4a0 [ 119.470149][ T5199] ? _raw_spin_unlock+0x28/0x40 [ 119.475014][ T5199] ? alloc_fd+0x59c/0x640 [ 119.479384][ T5199] do_sys_openat2+0x13f/0x500 [ 119.484078][ T5199] ? print_irqtrace_events+0x220/0x220 [ 119.489553][ T5199] ? do_sys_open+0x230/0x230 [ 119.494159][ T5199] ? lockdep_hardirqs_on+0x98/0x140 [ 119.499386][ T5199] ? _raw_spin_unlock_irq+0x2e/0x50 [ 119.504593][ T5199] ? ptrace_notify+0x278/0x380 [ 119.509375][ T5199] __x64_sys_openat+0x247/0x290 [ 119.514254][ T5199] ? __ia32_sys_open+0x270/0x270 [ 119.519213][ T5199] ? syscall_enter_from_user_mode+0x32/0x230 [ 119.525234][ T5199] ? syscall_enter_from_user_mode+0x8c/0x230 [ 119.531324][ T5199] do_syscall_64+0x41/0xc0 [ 119.535772][ T5199] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 119.541767][ T5199] RIP: 0033:0x7f0100724159 [ 119.546193][ T5199] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 119.565833][ T5199] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 119.574284][ T5199] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 119.582295][ T5199] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 119.590278][ T5199] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [pid 5198] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5198] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5201 attached , parent_tid=[5201], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5201 [pid 5201] set_robust_list(0x7f00f92a79e0, 24 [pid 5198] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5198] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5201] <... set_robust_list resumed>) = 0 [pid 5201] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5201] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5198] <... futex resumed>) = 0 [pid 5199] <... openat resumed>) = -1 EIO (Input/output error) [pid 5201] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5199] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5198] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5198] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5201] <... futex resumed>) = 0 [pid 5201] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5199] <... futex resumed>) = 0 [pid 5199] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5201] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5198] <... futex resumed>) = 0 [pid 5201] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5198] exit_group(0 [pid 5201] <... futex resumed>) = ? [pid 5198] <... exit_group resumed>) = ? [pid 5201] +++ exited with 0 +++ [pid 5199] <... futex resumed>) = ? [pid 5199] +++ exited with 0 +++ [pid 5198] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5198, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./46", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./46", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./46/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./46/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./46/binderfs") = 0 [ 119.598258][ T5199] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 119.606261][ T5199] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 119.614400][ T5199] umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./46/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./46/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./46/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./46") = 0 mkdir("./47", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5202 ./strace-static-x86_64: Process 5202 attached [pid 5202] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5202] chdir("./47") = 0 [pid 5202] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5202] setpgid(0, 0) = 0 [pid 5202] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5202] write(3, "1000", 4) = 4 [pid 5202] close(3) = 0 [pid 5202] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5202] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5202] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5202] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5202] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5203 attached , parent_tid=[5203], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5203 [pid 5203] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5203] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5202] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5203] <... futex resumed>) = 0 [pid 5202] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5203] memfd_create("syzkaller", 0) = 3 [pid 5203] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5203] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5203] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5203] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5203] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5203] close(3) = 0 [pid 5203] mkdir("./file0", 0777) = 0 [ 120.032330][ T5203] loop0: detected capacity change from 0 to 32768 [ 120.053530][ T5203] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 120.061809][ T5203] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 120.071756][ T5203] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 120.080693][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 120.088036][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5203] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5203] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5203] chdir("./file0") = 0 [pid 5203] ioctl(4, LOOP_CLR_FD) = 0 [pid 5203] close(4) = 0 [pid 5203] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5202] <... futex resumed>) = 0 [pid 5203] <... futex resumed>) = 1 [pid 5202] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5203] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5202] <... futex resumed>) = 0 [ 120.134752][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 120.143988][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 120.149357][ T5203] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 120.177011][ T5203] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 120.185724][ T5203] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 120.185724][ T5203] inode = 12 2341 [ 120.185724][ T5203] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 120.204691][ T5203] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 120.214606][ T5203] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5203 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5202] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5202] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5202] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5202] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5202] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5205], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5205 [pid 5202] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5202] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5205 attached [pid 5205] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5205] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5205] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5202] <... futex resumed>) = 0 [pid 5202] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5202] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5205] <... futex resumed>) = 1 [pid 5205] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5205] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5202] <... futex resumed>) = 0 [pid 5205] <... futex resumed>) = 1 [ 120.225023][ T5203] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 120.234041][ T5203] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 120.241439][ T5203] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 120.250301][ T5203] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 120.258823][ T5203] gfs2: fsid=syz:syz.0: File system withdrawn [ 120.264926][ T5203] CPU: 0 PID: 5203 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 120.275444][ T5203] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 120.285620][ T5203] Call Trace: [ 120.288925][ T5203] [ 120.291870][ T5203] dump_stack_lvl+0x1e7/0x2d0 [ 120.296589][ T5203] ? nf_tcp_handle_invalid+0x650/0x650 [ 120.302119][ T5203] ? panic+0x770/0x770 [ 120.306212][ T5203] ? kobject_uevent_env+0x54e/0x8e0 [ 120.311448][ T5203] gfs2_withdraw+0xf48/0x1550 [ 120.316203][ T5203] ? gfs2_lm+0x240/0x240 [ 120.320478][ T5203] ? gfs2_dirent_scan+0xb2/0x640 [ 120.325444][ T5203] ? panic+0x770/0x770 [ 120.329529][ T5203] ? gfs2_consist_inode_i+0xf5/0x110 [ 120.334848][ T5203] gfs2_dirent_scan+0x512/0x640 [ 120.339732][ T5203] ? gfs2_permission+0x268/0x3c0 [ 120.344697][ T5203] ? gfs2_dirent_search+0x8c0/0x8c0 [ 120.349945][ T5203] gfs2_dirent_search+0x30e/0x8c0 [ 120.355001][ T5203] ? gfs2_dirent_search+0x8c0/0x8c0 [ 120.360233][ T5203] ? generic_permission+0x1df/0x550 [ 120.365459][ T5203] ? gfs2_dir_search+0x2f0/0x2f0 [ 120.370429][ T5203] ? gfs2_permission+0x34a/0x3c0 [pid 5205] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5202] exit_group(0 [pid 5205] <... futex resumed>) = ? [pid 5202] <... exit_group resumed>) = ? [pid 5205] +++ exited with 0 +++ [ 120.375408][ T5203] gfs2_dir_search+0xb2/0x2f0 [ 120.380142][ T5203] ? do_filldir_main+0x520/0x520 [ 120.385139][ T5203] ? inode_go_held+0xea/0x200 [ 120.389860][ T5203] ? gfs2_glock_wait+0x21a/0x2b0 [ 120.394815][ T5203] gfs2_lookupi+0x460/0x5d0 [ 120.399363][ T5203] ? gfs2_lookup_simple+0x180/0x180 [ 120.404606][ T5203] ? __gfs2_lookup+0xa4/0x270 [ 120.409311][ T5203] ? d_alloc_parallel+0x1262/0x13a0 [ 120.414759][ T5203] __gfs2_lookup+0xa4/0x270 [ 120.419308][ T5203] ? gfs2_atomic_open+0x230/0x230 [ 120.424369][ T5203] ? __init_waitqueue_head+0xae/0x150 [ 120.429764][ T5203] __lookup_slow+0x282/0x3e0 [ 120.434369][ T5203] ? lookup_one_len+0x2d0/0x2d0 [ 120.439257][ T5203] ? down_read+0x1b5/0x2f0 [ 120.443700][ T5203] lookup_slow+0x53/0x70 [ 120.447993][ T5203] link_path_walk+0x9c8/0xe70 [ 120.452789][ T5203] ? handle_lookup_down+0x130/0x130 [ 120.458017][ T5203] ? lockdep_hardirqs_on+0x98/0x140 [ 120.463278][ T5203] path_lookupat+0xa9/0x450 [ 120.467843][ T5203] do_o_path+0x95/0x230 [ 120.472015][ T5203] ? do_tmpfile+0x330/0x330 [ 120.476537][ T5203] ? __alloc_file+0x15a/0x230 [ 120.481231][ T5203] path_openat+0x29f0/0x3170 [ 120.485854][ T5203] ? __stack_depot_save+0x20/0x650 [ 120.491091][ T5203] ? mark_lock+0x9a/0x340 [ 120.495522][ T5203] ? kmem_cache_alloc+0x11f/0x2e0 [ 120.500556][ T5203] ? mark_lock+0x9a/0x340 [ 120.504915][ T5203] ? __lock_acquire+0x1295/0x2000 [ 120.509964][ T5203] ? do_filp_open+0x490/0x490 [ 120.514688][ T5203] do_filp_open+0x234/0x490 [ 120.519231][ T5203] ? vfs_tmpfile+0x4a0/0x4a0 [ 120.523856][ T5203] ? _raw_spin_unlock+0x28/0x40 [ 120.528732][ T5203] ? alloc_fd+0x59c/0x640 [ 120.533132][ T5203] do_sys_openat2+0x13f/0x500 [ 120.537838][ T5203] ? print_irqtrace_events+0x220/0x220 [ 120.543423][ T5203] ? do_sys_open+0x230/0x230 [ 120.548320][ T5203] ? lockdep_hardirqs_on+0x98/0x140 [ 120.553640][ T5203] ? _raw_spin_unlock_irq+0x2e/0x50 [ 120.559043][ T5203] ? ptrace_notify+0x278/0x380 [ 120.563831][ T5203] __x64_sys_openat+0x247/0x290 [ 120.568722][ T5203] ? __ia32_sys_open+0x270/0x270 [ 120.573696][ T5203] ? syscall_enter_from_user_mode+0x32/0x230 [ 120.579791][ T5203] ? syscall_enter_from_user_mode+0x8c/0x230 [ 120.585821][ T5203] do_syscall_64+0x41/0xc0 [ 120.590298][ T5203] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 120.596254][ T5203] RIP: 0033:0x7f0100724159 [ 120.600713][ T5203] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 120.620354][ T5203] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5203] <... openat resumed>) = ? [pid 5203] +++ exited with 0 +++ [pid 5202] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5202, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=36 /* 0.36 s */} --- umount2("./47", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./47", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./47/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./47/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./47/binderfs") = 0 [ 120.628840][ T5203] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 120.636840][ T5203] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 120.644826][ T5203] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 120.652909][ T5203] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 120.660909][ T5203] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 120.668922][ T5203] umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./47/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./47/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./47/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./47") = 0 mkdir("./48", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5206 ./strace-static-x86_64: Process 5206 attached [pid 5206] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5206] chdir("./48") = 0 [pid 5206] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5206] setpgid(0, 0) = 0 [pid 5206] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5206] write(3, "1000", 4) = 4 [pid 5206] close(3) = 0 [pid 5206] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5206] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5206] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5206] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5206] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5207], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5207 [pid 5206] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5206] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5207 attached [pid 5207] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5207] memfd_create("syzkaller", 0) = 3 [pid 5207] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5207] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5207] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5207] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5207] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5207] close(3) = 0 [pid 5207] mkdir("./file0", 0777) = 0 [ 121.050877][ T5207] loop0: detected capacity change from 0 to 32768 [ 121.062968][ T5207] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 121.071522][ T5207] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 121.081662][ T5207] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 121.090536][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 121.097845][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5207] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5207] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5207] chdir("./file0") = 0 [pid 5207] ioctl(4, LOOP_CLR_FD) = 0 [pid 5207] close(4) = 0 [pid 5207] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5206] <... futex resumed>) = 0 [pid 5206] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5206] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5207] <... futex resumed>) = 1 [ 121.140755][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 121.149747][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 121.155052][ T5207] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 121.169512][ T5207] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 121.178174][ T5207] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 121.178174][ T5207] inode = 12 2341 [pid 5207] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5206] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 121.178174][ T5207] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 121.197635][ T5207] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 121.206811][ T5207] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5207 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 121.217223][ T5207] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 121.225868][ T5207] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5206] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5206] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5206] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5206] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5209], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5209 [pid 5206] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5206] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5209 attached [pid 5209] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5209] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5209] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5206] <... futex resumed>) = 0 [pid 5206] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5206] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5209] <... futex resumed>) = 1 [pid 5209] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [ 121.233539][ T5207] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 121.242560][ T5207] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 121.249286][ T5207] gfs2: fsid=syz:syz.0: File system withdrawn [ 121.255682][ T5207] CPU: 0 PID: 5207 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 121.266142][ T5207] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 121.276256][ T5207] Call Trace: [ 121.279577][ T5207] [ 121.282641][ T5207] dump_stack_lvl+0x1e7/0x2d0 [pid 5209] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5206] <... futex resumed>) = 0 [pid 5209] <... futex resumed>) = 1 [ 121.287384][ T5207] ? nf_tcp_handle_invalid+0x650/0x650 [ 121.292906][ T5207] ? panic+0x770/0x770 [ 121.297031][ T5207] ? kobject_uevent_env+0x54e/0x8e0 [ 121.302314][ T5207] gfs2_withdraw+0xf48/0x1550 [ 121.307036][ T5207] ? gfs2_lm+0x240/0x240 [ 121.311763][ T5207] ? gfs2_dirent_scan+0xb2/0x640 [ 121.316735][ T5207] ? panic+0x770/0x770 [ 121.320823][ T5207] ? gfs2_consist_inode_i+0xf5/0x110 [ 121.326144][ T5207] gfs2_dirent_scan+0x512/0x640 [ 121.331035][ T5207] ? gfs2_permission+0x268/0x3c0 [ 121.336017][ T5207] ? gfs2_dirent_search+0x8c0/0x8c0 [ 121.341240][ T5207] gfs2_dirent_search+0x30e/0x8c0 [ 121.346313][ T5207] ? gfs2_dirent_search+0x8c0/0x8c0 [ 121.351560][ T5207] ? generic_permission+0x1df/0x550 [ 121.356785][ T5207] ? gfs2_dir_search+0x2f0/0x2f0 [ 121.361766][ T5207] ? gfs2_permission+0x34a/0x3c0 [ 121.366735][ T5207] gfs2_dir_search+0xb2/0x2f0 [ 121.371434][ T5207] ? do_filldir_main+0x520/0x520 [ 121.376474][ T5207] ? inode_go_held+0xea/0x200 [ 121.381163][ T5207] ? gfs2_glock_wait+0x21a/0x2b0 [ 121.386118][ T5207] gfs2_lookupi+0x460/0x5d0 [ 121.390648][ T5207] ? gfs2_lookup_simple+0x180/0x180 [ 121.395878][ T5207] ? __gfs2_lookup+0xa4/0x270 [ 121.400565][ T5207] ? d_alloc_parallel+0x1262/0x13a0 [ 121.405781][ T5207] __gfs2_lookup+0xa4/0x270 [ 121.410297][ T5207] ? gfs2_atomic_open+0x230/0x230 [ 121.415340][ T5207] ? __init_waitqueue_head+0xae/0x150 [ 121.420734][ T5207] __lookup_slow+0x282/0x3e0 [ 121.425338][ T5207] ? lookup_one_len+0x2d0/0x2d0 [ 121.430236][ T5207] ? down_read+0x1b5/0x2f0 [ 121.434706][ T5207] lookup_slow+0x53/0x70 [ 121.438966][ T5207] link_path_walk+0x9c8/0xe70 [ 121.443673][ T5207] ? handle_lookup_down+0x130/0x130 [ 121.448917][ T5207] ? lockdep_hardirqs_on+0x98/0x140 [ 121.454225][ T5207] path_lookupat+0xa9/0x450 [ 121.458748][ T5207] do_o_path+0x95/0x230 [ 121.462922][ T5207] ? do_tmpfile+0x330/0x330 [ 121.467445][ T5207] ? __alloc_file+0x15a/0x230 [ 121.472139][ T5207] path_openat+0x29f0/0x3170 [ 121.476745][ T5207] ? __stack_depot_save+0x20/0x650 [ 121.481878][ T5207] ? mark_lock+0x9a/0x340 [ 121.486230][ T5207] ? kmem_cache_alloc+0x11f/0x2e0 [ 121.491271][ T5207] ? mark_lock+0x9a/0x340 [ 121.495621][ T5207] ? __lock_acquire+0x1295/0x2000 [ 121.500663][ T5207] ? do_filp_open+0x490/0x490 [ 121.505367][ T5207] do_filp_open+0x234/0x490 [ 121.509890][ T5207] ? vfs_tmpfile+0x4a0/0x4a0 [ 121.514526][ T5207] ? _raw_spin_unlock+0x28/0x40 [ 121.519388][ T5207] ? alloc_fd+0x59c/0x640 [ 121.523756][ T5207] do_sys_openat2+0x13f/0x500 [ 121.528451][ T5207] ? print_irqtrace_events+0x220/0x220 [ 121.533928][ T5207] ? do_sys_open+0x230/0x230 [ 121.538536][ T5207] ? lockdep_hardirqs_on+0x98/0x140 [ 121.543749][ T5207] ? _raw_spin_unlock_irq+0x2e/0x50 [ 121.548961][ T5207] ? ptrace_notify+0x278/0x380 [ 121.553746][ T5207] __x64_sys_openat+0x247/0x290 [ 121.558703][ T5207] ? __ia32_sys_open+0x270/0x270 [ 121.563664][ T5207] ? syscall_enter_from_user_mode+0x32/0x230 [ 121.569663][ T5207] ? syscall_enter_from_user_mode+0x8c/0x230 [ 121.575659][ T5207] do_syscall_64+0x41/0xc0 [ 121.580122][ T5207] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 121.586132][ T5207] RIP: 0033:0x7f0100724159 [ 121.590558][ T5207] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 121.610265][ T5207] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 121.618705][ T5207] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 121.626693][ T5207] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 121.634697][ T5207] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [pid 5209] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5207] <... openat resumed>) = -1 EIO (Input/output error) [pid 5207] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5207] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5206] exit_group(0 [pid 5207] <... futex resumed>) = ? [pid 5207] +++ exited with 0 +++ [pid 5209] <... futex resumed>) = ? [pid 5209] +++ exited with 0 +++ [pid 5206] <... exit_group resumed>) = ? [pid 5206] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5206, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./48", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./48", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./48/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./48/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./48/binderfs") = 0 [ 121.642700][ T5207] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 121.650705][ T5207] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 121.658713][ T5207] umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./48/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./48/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./48/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./48") = 0 mkdir("./49", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5210 ./strace-static-x86_64: Process 5210 attached [pid 5210] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5210] chdir("./49") = 0 [pid 5210] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5210] setpgid(0, 0) = 0 [pid 5210] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5210] write(3, "1000", 4) = 4 [pid 5210] close(3) = 0 [pid 5210] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5210] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5210] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5210] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5210] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5211 attached [pid 5211] set_robust_list(0x7f01006c89e0, 24 [pid 5210] <... clone resumed>, parent_tid=[5211], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5211 [pid 5211] <... set_robust_list resumed>) = 0 [pid 5210] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5210] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5211] memfd_create("syzkaller", 0) = 3 [pid 5211] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5211] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5211] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5211] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5211] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5211] close(3) = 0 [pid 5211] mkdir("./file0", 0777) = 0 [ 122.044967][ T5211] loop0: detected capacity change from 0 to 32768 [ 122.057313][ T5211] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 122.065531][ T5211] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 122.074931][ T5211] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 122.083620][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 122.090548][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5211] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5211] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5211] chdir("./file0") = 0 [pid 5211] ioctl(4, LOOP_CLR_FD) = 0 [pid 5211] close(4) = 0 [pid 5211] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5210] <... futex resumed>) = 0 [pid 5210] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5210] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5211] <... futex resumed>) = 1 [ 122.133733][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 122.142398][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 122.148259][ T5211] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5211] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5210] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5210] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 122.176971][ T5211] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 122.186049][ T5211] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 122.186049][ T5211] inode = 12 2341 [ 122.186049][ T5211] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 122.205753][ T5211] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 122.215098][ T5211] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5211 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5210] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5210] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5210] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5213], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5213 [pid 5210] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5210] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5213 attached [pid 5213] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5213] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5213] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5213] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5210] <... futex resumed>) = 0 [pid 5210] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5210] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5213] <... futex resumed>) = 0 [pid 5213] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5213] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5210] <... futex resumed>) = 0 [pid 5213] <... futex resumed>) = 1 [ 122.225729][ T5211] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 122.235005][ T5211] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 122.242663][ T5211] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 122.251843][ T5211] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 122.259491][ T5211] gfs2: fsid=syz:syz.0: File system withdrawn [ 122.265947][ T5211] CPU: 0 PID: 5211 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 122.276380][ T5211] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 122.286449][ T5211] Call Trace: [ 122.289835][ T5211] [ 122.292778][ T5211] dump_stack_lvl+0x1e7/0x2d0 [ 122.297526][ T5211] ? nf_tcp_handle_invalid+0x650/0x650 [ 122.303026][ T5211] ? panic+0x770/0x770 [ 122.307111][ T5211] ? kobject_uevent_env+0x54e/0x8e0 [ 122.312374][ T5211] gfs2_withdraw+0xf48/0x1550 [ 122.317118][ T5211] ? gfs2_lm+0x240/0x240 [ 122.321448][ T5211] ? gfs2_dirent_scan+0xb2/0x640 [pid 5213] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5210] exit_group(0 [pid 5213] <... futex resumed>) = ? [pid 5210] <... exit_group resumed>) = ? [pid 5213] +++ exited with 0 +++ [ 122.326443][ T5211] ? panic+0x770/0x770 [ 122.330578][ T5211] ? gfs2_consist_inode_i+0xf5/0x110 [ 122.335908][ T5211] gfs2_dirent_scan+0x512/0x640 [ 122.340795][ T5211] ? gfs2_permission+0x268/0x3c0 [ 122.345791][ T5211] ? gfs2_dirent_search+0x8c0/0x8c0 [ 122.351027][ T5211] gfs2_dirent_search+0x30e/0x8c0 [ 122.356106][ T5211] ? gfs2_dirent_search+0x8c0/0x8c0 [ 122.361447][ T5211] ? generic_permission+0x1df/0x550 [ 122.366685][ T5211] ? gfs2_dir_search+0x2f0/0x2f0 [ 122.371655][ T5211] ? gfs2_permission+0x34a/0x3c0 [ 122.376686][ T5211] gfs2_dir_search+0xb2/0x2f0 [ 122.381415][ T5211] ? do_filldir_main+0x520/0x520 [ 122.386413][ T5211] ? inode_go_held+0xea/0x200 [ 122.391222][ T5211] ? gfs2_glock_wait+0x21a/0x2b0 [ 122.396203][ T5211] gfs2_lookupi+0x460/0x5d0 [ 122.400737][ T5211] ? gfs2_lookup_simple+0x180/0x180 [ 122.405970][ T5211] ? __gfs2_lookup+0xa4/0x270 [ 122.410676][ T5211] ? d_alloc_parallel+0x1262/0x13a0 [ 122.415915][ T5211] __gfs2_lookup+0xa4/0x270 [ 122.420490][ T5211] ? gfs2_atomic_open+0x230/0x230 [ 122.425563][ T5211] ? __init_waitqueue_head+0xae/0x150 [ 122.430980][ T5211] __lookup_slow+0x282/0x3e0 [ 122.435945][ T5211] ? lookup_one_len+0x2d0/0x2d0 [ 122.440924][ T5211] ? down_read+0x1b5/0x2f0 [ 122.445381][ T5211] lookup_slow+0x53/0x70 [ 122.449649][ T5211] link_path_walk+0x9c8/0xe70 [ 122.454373][ T5211] ? handle_lookup_down+0x130/0x130 [ 122.459622][ T5211] ? lockdep_hardirqs_on+0x98/0x140 [ 122.464842][ T5211] path_lookupat+0xa9/0x450 [ 122.469368][ T5211] do_o_path+0x95/0x230 [ 122.473568][ T5211] ? do_tmpfile+0x330/0x330 [ 122.478088][ T5211] ? __alloc_file+0x15a/0x230 [ 122.482799][ T5211] path_openat+0x29f0/0x3170 [ 122.487432][ T5211] ? __stack_depot_save+0x20/0x650 [ 122.492567][ T5211] ? mark_lock+0x9a/0x340 [ 122.496917][ T5211] ? kmem_cache_alloc+0x11f/0x2e0 [ 122.501979][ T5211] ? mark_lock+0x9a/0x340 [ 122.506353][ T5211] ? __lock_acquire+0x1295/0x2000 [ 122.511405][ T5211] ? do_filp_open+0x490/0x490 [ 122.516127][ T5211] do_filp_open+0x234/0x490 [ 122.520648][ T5211] ? vfs_tmpfile+0x4a0/0x4a0 [ 122.525265][ T5211] ? _raw_spin_unlock+0x28/0x40 [ 122.530121][ T5211] ? alloc_fd+0x59c/0x640 [ 122.534561][ T5211] do_sys_openat2+0x13f/0x500 [ 122.539278][ T5211] ? print_irqtrace_events+0x220/0x220 [ 122.544756][ T5211] ? do_sys_open+0x230/0x230 [ 122.549369][ T5211] ? lockdep_hardirqs_on+0x98/0x140 [ 122.554619][ T5211] ? _raw_spin_unlock_irq+0x2e/0x50 [ 122.559823][ T5211] ? ptrace_notify+0x278/0x380 [ 122.564603][ T5211] __x64_sys_openat+0x247/0x290 [ 122.569494][ T5211] ? __ia32_sys_open+0x270/0x270 [ 122.574477][ T5211] ? syscall_enter_from_user_mode+0x32/0x230 [ 122.580577][ T5211] ? syscall_enter_from_user_mode+0x8c/0x230 [ 122.586600][ T5211] do_syscall_64+0x41/0xc0 [ 122.591033][ T5211] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 122.596938][ T5211] RIP: 0033:0x7f0100724159 [ 122.601363][ T5211] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5211] <... openat resumed>) = ? [pid 5211] +++ exited with 0 +++ [pid 5210] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5210, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- umount2("./49", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./49", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./49/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./49/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./49/binderfs") = 0 [ 122.620982][ T5211] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 122.629407][ T5211] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 122.637418][ T5211] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 122.645457][ T5211] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 122.653443][ T5211] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 122.661438][ T5211] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 122.669466][ T5211] umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./49/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./49/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./49/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./49") = 0 mkdir("./50", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5214 ./strace-static-x86_64: Process 5214 attached [pid 5214] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5214] chdir("./50") = 0 [pid 5214] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5214] setpgid(0, 0) = 0 [pid 5214] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5214] write(3, "1000", 4) = 4 [pid 5214] close(3) = 0 [pid 5214] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5214] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5214] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5214] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5214] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5215], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5215 [pid 5214] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5214] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5215 attached [pid 5215] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5215] memfd_create("syzkaller", 0) = 3 [pid 5215] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5215] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5215] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5215] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5215] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5215] close(3) = 0 [pid 5215] mkdir("./file0", 0777) = 0 [ 123.087378][ T5215] loop0: detected capacity change from 0 to 32768 [ 123.100175][ T5215] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 123.108880][ T5215] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 123.119862][ T5215] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 123.129022][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 123.135811][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5215] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5215] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5215] chdir("./file0") = 0 [pid 5215] ioctl(4, LOOP_CLR_FD) = 0 [pid 5215] close(4) = 0 [pid 5215] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5214] <... futex resumed>) = 0 [pid 5214] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5214] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 123.173830][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 123.183051][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 123.188696][ T5215] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 123.210223][ T5215] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5215] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5214] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5214] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5214] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5214] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [ 123.218797][ T5215] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 123.218797][ T5215] inode = 12 2341 [ 123.218797][ T5215] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 123.237582][ T5215] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 123.246667][ T5215] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5215 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 123.256761][ T5215] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 123.265297][ T5215] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5214] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5217], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5217 ./strace-static-x86_64: Process 5217 attached [pid 5214] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5214] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5217] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5217] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5217] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5217] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5214] <... futex resumed>) = 0 [pid 5214] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5217] <... futex resumed>) = 0 [pid 5214] <... futex resumed>) = 1 [pid 5217] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5217] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5217] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5214] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [ 123.273703][ T5215] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 123.282950][ T5215] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 123.292346][ T5215] gfs2: fsid=syz:syz.0: File system withdrawn [ 123.299087][ T5215] CPU: 0 PID: 5215 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 123.309539][ T5215] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 123.319684][ T5215] Call Trace: [ 123.322962][ T5215] [ 123.325893][ T5215] dump_stack_lvl+0x1e7/0x2d0 [ 123.330591][ T5215] ? nf_tcp_handle_invalid+0x650/0x650 [ 123.336163][ T5215] ? panic+0x770/0x770 [ 123.340243][ T5215] ? kobject_uevent_env+0x54e/0x8e0 [ 123.345456][ T5215] gfs2_withdraw+0xf48/0x1550 [ 123.350157][ T5215] ? gfs2_lm+0x240/0x240 [ 123.354407][ T5215] ? gfs2_dirent_scan+0xb2/0x640 [ 123.359362][ T5215] ? panic+0x770/0x770 [ 123.363467][ T5215] ? gfs2_consist_inode_i+0xf5/0x110 [ 123.368817][ T5215] gfs2_dirent_scan+0x512/0x640 [ 123.373727][ T5215] ? gfs2_permission+0x268/0x3c0 [ 123.378705][ T5215] ? gfs2_dirent_search+0x8c0/0x8c0 [ 123.383933][ T5215] gfs2_dirent_search+0x30e/0x8c0 [ 123.389002][ T5215] ? gfs2_dirent_search+0x8c0/0x8c0 [ 123.394227][ T5215] ? generic_permission+0x1df/0x550 [ 123.399473][ T5215] ? gfs2_dir_search+0x2f0/0x2f0 [ 123.404458][ T5215] ? gfs2_permission+0x34a/0x3c0 [ 123.409532][ T5215] gfs2_dir_search+0xb2/0x2f0 [ 123.414225][ T5215] ? do_filldir_main+0x520/0x520 [ 123.419186][ T5215] ? inode_go_held+0xea/0x200 [ 123.423894][ T5215] ? gfs2_glock_wait+0x21a/0x2b0 [ 123.428850][ T5215] gfs2_lookupi+0x460/0x5d0 [ 123.433376][ T5215] ? gfs2_lookup_simple+0x180/0x180 [ 123.438614][ T5215] ? __gfs2_lookup+0xa4/0x270 [ 123.443306][ T5215] ? d_alloc_parallel+0x1262/0x13a0 [ 123.448526][ T5215] __gfs2_lookup+0xa4/0x270 [ 123.453041][ T5215] ? gfs2_atomic_open+0x230/0x230 [ 123.458093][ T5215] ? __init_waitqueue_head+0xae/0x150 [ 123.463502][ T5215] __lookup_slow+0x282/0x3e0 [ 123.468113][ T5215] ? lookup_one_len+0x2d0/0x2d0 [ 123.473000][ T5215] ? down_read+0x1b5/0x2f0 [ 123.477473][ T5215] lookup_slow+0x53/0x70 [ 123.481737][ T5215] link_path_walk+0x9c8/0xe70 [ 123.486473][ T5215] ? handle_lookup_down+0x130/0x130 [ 123.491695][ T5215] ? lockdep_hardirqs_on+0x98/0x140 [ 123.496921][ T5215] path_lookupat+0xa9/0x450 [ 123.501484][ T5215] do_o_path+0x95/0x230 [ 123.505690][ T5215] ? do_tmpfile+0x330/0x330 [ 123.510253][ T5215] ? __alloc_file+0x15a/0x230 [ 123.514967][ T5215] path_openat+0x29f0/0x3170 [ 123.519665][ T5215] ? __stack_depot_save+0x20/0x650 [pid 5214] exit_group(0) = ? [ 123.524794][ T5215] ? mark_lock+0x9a/0x340 [ 123.529140][ T5215] ? kmem_cache_alloc+0x11f/0x2e0 [ 123.534195][ T5215] ? mark_lock+0x9a/0x340 [ 123.538586][ T5215] ? __lock_acquire+0x1295/0x2000 [ 123.543667][ T5215] ? do_filp_open+0x490/0x490 [ 123.548387][ T5215] do_filp_open+0x234/0x490 [ 123.552915][ T5215] ? vfs_tmpfile+0x4a0/0x4a0 [ 123.557573][ T5215] ? _raw_spin_unlock+0x28/0x40 [ 123.562468][ T5215] ? alloc_fd+0x59c/0x640 [ 123.566875][ T5215] do_sys_openat2+0x13f/0x500 [ 123.571600][ T5215] ? print_irqtrace_events+0x220/0x220 [ 123.577102][ T5215] ? do_sys_open+0x230/0x230 [ 123.581734][ T5215] ? lockdep_hardirqs_on+0x98/0x140 [ 123.586999][ T5215] ? _raw_spin_unlock_irq+0x2e/0x50 [ 123.592245][ T5215] ? ptrace_notify+0x278/0x380 [ 123.597048][ T5215] __x64_sys_openat+0x247/0x290 [ 123.601963][ T5215] ? __ia32_sys_open+0x270/0x270 [ 123.606932][ T5215] ? syscall_enter_from_user_mode+0x32/0x230 [ 123.612938][ T5215] ? syscall_enter_from_user_mode+0x8c/0x230 [ 123.618971][ T5215] do_syscall_64+0x41/0xc0 [ 123.623448][ T5215] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 123.629449][ T5215] RIP: 0033:0x7f0100724159 [ 123.633921][ T5215] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 123.653566][ T5215] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 123.661993][ T5215] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5217] <... futex resumed>) = ? [pid 5217] +++ exited with 0 +++ [pid 5215] <... openat resumed>) = ? [pid 5215] +++ exited with 0 +++ [pid 5214] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5214, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=34 /* 0.34 s */} --- umount2("./50", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./50", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./50/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./50/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./50/binderfs") = 0 [ 123.669976][ T5215] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 123.677972][ T5215] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 123.685972][ T5215] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 123.693984][ T5215] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 123.702006][ T5215] umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./50/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./50/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./50/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./50") = 0 mkdir("./51", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5218 ./strace-static-x86_64: Process 5218 attached [pid 5218] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5218] chdir("./51") = 0 [pid 5218] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5218] setpgid(0, 0) = 0 [pid 5218] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5218] write(3, "1000", 4) = 4 [pid 5218] close(3) = 0 [pid 5218] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5218] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5218] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5218] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5218] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5219 attached [pid 5219] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5219] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5218] <... clone resumed>, parent_tid=[5219], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5219 [pid 5218] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5218] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5219] <... futex resumed>) = 0 [pid 5219] memfd_create("syzkaller", 0) = 3 [pid 5219] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5219] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5219] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5219] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5219] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5219] close(3) = 0 [pid 5219] mkdir("./file0", 0777) = 0 [ 124.096934][ T5219] loop0: detected capacity change from 0 to 32768 [ 124.111091][ T5219] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 124.119437][ T5219] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 124.129839][ T5219] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 124.138951][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 124.145796][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [ 124.182492][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 124.191686][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [pid 5219] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5219] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5219] chdir("./file0") = 0 [pid 5219] ioctl(4, LOOP_CLR_FD) = 0 [pid 5219] close(4) = 0 [pid 5219] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5218] <... futex resumed>) = 0 [pid 5218] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5218] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 124.196947][ T5219] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 124.230568][ T5219] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 124.239130][ T5219] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5219] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5218] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5218] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5218] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5218] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5218] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5221], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5221 [pid 5218] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5218] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5221 attached [pid 5221] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5221] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5221] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5218] <... futex resumed>) = 0 [pid 5218] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5218] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5221] <... futex resumed>) = 1 [pid 5221] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5221] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5218] <... futex resumed>) = 0 [pid 5221] <... futex resumed>) = 1 [ 124.239130][ T5219] inode = 12 2341 [ 124.239130][ T5219] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 124.257972][ T5219] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 124.267300][ T5219] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5219 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 124.277700][ T5219] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 124.286259][ T5219] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 124.293859][ T5219] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 124.302728][ T5219] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 124.311033][ T5219] gfs2: fsid=syz:syz.0: File system withdrawn [ 124.317264][ T5219] CPU: 0 PID: 5219 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 124.327720][ T5219] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 124.337967][ T5219] Call Trace: [ 124.341267][ T5219] [ 124.344226][ T5219] dump_stack_lvl+0x1e7/0x2d0 [ 124.348947][ T5219] ? nf_tcp_handle_invalid+0x650/0x650 [ 124.354435][ T5219] ? panic+0x770/0x770 [ 124.358542][ T5219] ? kobject_uevent_env+0x54e/0x8e0 [ 124.363779][ T5219] gfs2_withdraw+0xf48/0x1550 [ 124.368501][ T5219] ? gfs2_lm+0x240/0x240 [ 124.372778][ T5219] ? gfs2_dirent_scan+0xb2/0x640 [ 124.377739][ T5219] ? panic+0x770/0x770 [ 124.381843][ T5219] ? gfs2_consist_inode_i+0xf5/0x110 [ 124.387180][ T5219] gfs2_dirent_scan+0x512/0x640 [ 124.392060][ T5219] ? gfs2_permission+0x268/0x3c0 [pid 5221] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5218] exit_group(0 [pid 5221] <... futex resumed>) = ? [pid 5218] <... exit_group resumed>) = ? [pid 5221] +++ exited with 0 +++ [ 124.397042][ T5219] ? gfs2_dirent_search+0x8c0/0x8c0 [ 124.402292][ T5219] gfs2_dirent_search+0x30e/0x8c0 [ 124.407349][ T5219] ? gfs2_dirent_search+0x8c0/0x8c0 [ 124.412575][ T5219] ? generic_permission+0x1df/0x550 [ 124.417825][ T5219] ? gfs2_dir_search+0x2f0/0x2f0 [ 124.422792][ T5219] ? gfs2_permission+0x34a/0x3c0 [ 124.427769][ T5219] gfs2_dir_search+0xb2/0x2f0 [ 124.432457][ T5219] ? do_filldir_main+0x520/0x520 [ 124.437408][ T5219] ? inode_go_held+0xea/0x200 [ 124.442095][ T5219] ? gfs2_glock_wait+0x21a/0x2b0 [ 124.447059][ T5219] gfs2_lookupi+0x460/0x5d0 [ 124.451599][ T5219] ? gfs2_lookup_simple+0x180/0x180 [ 124.456828][ T5219] ? __gfs2_lookup+0xa4/0x270 [ 124.461539][ T5219] ? d_alloc_parallel+0x1262/0x13a0 [ 124.466774][ T5219] __gfs2_lookup+0xa4/0x270 [ 124.471314][ T5219] ? gfs2_atomic_open+0x230/0x230 [ 124.476368][ T5219] ? __init_waitqueue_head+0xae/0x150 [ 124.481755][ T5219] __lookup_slow+0x282/0x3e0 [ 124.486351][ T5219] ? lookup_one_len+0x2d0/0x2d0 [ 124.491222][ T5219] ? down_read+0x1b5/0x2f0 [ 124.495651][ T5219] lookup_slow+0x53/0x70 [ 124.499899][ T5219] link_path_walk+0x9c8/0xe70 [ 124.504596][ T5219] ? handle_lookup_down+0x130/0x130 [ 124.509808][ T5219] ? lockdep_hardirqs_on+0x98/0x140 [ 124.515043][ T5219] path_lookupat+0xa9/0x450 [ 124.519578][ T5219] do_o_path+0x95/0x230 [ 124.523747][ T5219] ? do_tmpfile+0x330/0x330 [ 124.528276][ T5219] ? __alloc_file+0x15a/0x230 [ 124.532962][ T5219] path_openat+0x29f0/0x3170 [ 124.537578][ T5219] ? __stack_depot_save+0x20/0x650 [ 124.542724][ T5219] ? mark_lock+0x9a/0x340 [ 124.547063][ T5219] ? kmem_cache_alloc+0x11f/0x2e0 [ 124.552094][ T5219] ? mark_lock+0x9a/0x340 [ 124.556434][ T5219] ? __lock_acquire+0x1295/0x2000 [ 124.561481][ T5219] ? do_filp_open+0x490/0x490 [ 124.566199][ T5219] do_filp_open+0x234/0x490 [ 124.570714][ T5219] ? vfs_tmpfile+0x4a0/0x4a0 [ 124.575328][ T5219] ? _raw_spin_unlock+0x28/0x40 [ 124.580202][ T5219] ? alloc_fd+0x59c/0x640 [ 124.584583][ T5219] do_sys_openat2+0x13f/0x500 [ 124.589301][ T5219] ? print_irqtrace_events+0x220/0x220 [ 124.594778][ T5219] ? do_sys_open+0x230/0x230 [ 124.599389][ T5219] ? lockdep_hardirqs_on+0x98/0x140 [ 124.604596][ T5219] ? _raw_spin_unlock_irq+0x2e/0x50 [ 124.609812][ T5219] ? ptrace_notify+0x278/0x380 [ 124.614620][ T5219] __x64_sys_openat+0x247/0x290 [ 124.619489][ T5219] ? __ia32_sys_open+0x270/0x270 [ 124.624442][ T5219] ? syscall_enter_from_user_mode+0x32/0x230 [ 124.630439][ T5219] ? syscall_enter_from_user_mode+0x8c/0x230 [ 124.636453][ T5219] do_syscall_64+0x41/0xc0 [ 124.640888][ T5219] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 124.646816][ T5219] RIP: 0033:0x7f0100724159 [ 124.651332][ T5219] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 124.670969][ T5219] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 124.679428][ T5219] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 124.687452][ T5219] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5219] <... openat resumed>) = ? [pid 5219] +++ exited with 0 +++ [pid 5218] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5218, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- umount2("./51", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./51", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./51/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./51/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./51/binderfs") = 0 [ 124.695495][ T5219] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 124.703488][ T5219] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 124.711476][ T5219] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 124.719504][ T5219] umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./51/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./51/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./51/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./51") = 0 mkdir("./52", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5222 ./strace-static-x86_64: Process 5222 attached [pid 5222] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5222] chdir("./52") = 0 [pid 5222] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5222] setpgid(0, 0) = 0 [pid 5222] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5222] write(3, "1000", 4) = 4 [pid 5222] close(3) = 0 [pid 5222] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5222] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5222] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5222] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5223], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5223 [pid 5222] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5223 attached [pid 5223] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5223] memfd_create("syzkaller", 0) = 3 [pid 5223] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5223] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5223] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5223] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5223] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5223] close(3) = 0 [pid 5223] mkdir("./file0", 0777) = 0 [ 125.095691][ T5223] loop0: detected capacity change from 0 to 32768 [ 125.108423][ T5223] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 125.116659][ T5223] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 125.126766][ T5223] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 125.135540][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 125.142472][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5223] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5223] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5223] chdir("./file0") = 0 [pid 5223] ioctl(4, LOOP_CLR_FD) = 0 [pid 5223] close(4) = 0 [pid 5223] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5222] <... futex resumed>) = 0 [pid 5222] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5223] <... futex resumed>) = 1 [ 125.187328][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 125.196387][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 125.201760][ T5223] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 125.228404][ T5223] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 125.236975][ T5223] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 125.236975][ T5223] inode = 12 2341 [ 125.236975][ T5223] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 125.255746][ T5223] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 125.265245][ T5223] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5223 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5223] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5222] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5222] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5222] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5222] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5225], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5225 [pid 5222] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5225 attached [pid 5225] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5225] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5225] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5222] <... futex resumed>) = 0 [pid 5222] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5222] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5225] <... futex resumed>) = 1 [pid 5225] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5225] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5222] <... futex resumed>) = 0 [pid 5225] <... futex resumed>) = 1 [ 125.275387][ T5223] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 125.284097][ T5223] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 125.291756][ T5223] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 125.300950][ T5223] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 125.308609][ T5223] gfs2: fsid=syz:syz.0: File system withdrawn [ 125.315217][ T5223] CPU: 1 PID: 5223 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 125.325671][ T5223] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 125.335742][ T5223] Call Trace: [ 125.339029][ T5223] [ 125.341988][ T5223] dump_stack_lvl+0x1e7/0x2d0 [ 125.346712][ T5223] ? nf_tcp_handle_invalid+0x650/0x650 [ 125.352218][ T5223] ? panic+0x770/0x770 [ 125.356313][ T5223] ? kobject_uevent_env+0x54e/0x8e0 [ 125.361568][ T5223] gfs2_withdraw+0xf48/0x1550 [ 125.366304][ T5223] ? gfs2_lm+0x240/0x240 [ 125.370613][ T5223] ? gfs2_dirent_scan+0xb2/0x640 [ 125.375576][ T5223] ? panic+0x770/0x770 [ 125.379685][ T5223] ? gfs2_consist_inode_i+0xf5/0x110 [ 125.384990][ T5223] gfs2_dirent_scan+0x512/0x640 [ 125.389858][ T5223] ? gfs2_permission+0x268/0x3c0 [ 125.394831][ T5223] ? gfs2_dirent_search+0x8c0/0x8c0 [ 125.400072][ T5223] gfs2_dirent_search+0x30e/0x8c0 [ 125.405126][ T5223] ? gfs2_dirent_search+0x8c0/0x8c0 [ 125.410366][ T5223] ? generic_permission+0x1df/0x550 [ 125.415682][ T5223] ? gfs2_dir_search+0x2f0/0x2f0 [ 125.420678][ T5223] ? gfs2_permission+0x34a/0x3c0 [ 125.425662][ T5223] gfs2_dir_search+0xb2/0x2f0 [ 125.430363][ T5223] ? do_filldir_main+0x520/0x520 [ 125.435320][ T5223] ? inode_go_held+0xea/0x200 [ 125.440014][ T5223] ? gfs2_glock_wait+0x21a/0x2b0 [ 125.444974][ T5223] gfs2_lookupi+0x460/0x5d0 [ 125.449502][ T5223] ? gfs2_lookup_simple+0x180/0x180 [ 125.454723][ T5223] ? __gfs2_lookup+0xa4/0x270 [ 125.459410][ T5223] ? d_alloc_parallel+0x1262/0x13a0 [ 125.464624][ T5223] __gfs2_lookup+0xa4/0x270 [ 125.469141][ T5223] ? gfs2_atomic_open+0x230/0x230 [ 125.474183][ T5223] ? __init_waitqueue_head+0xae/0x150 [ 125.479596][ T5223] __lookup_slow+0x282/0x3e0 [ 125.484208][ T5223] ? lookup_one_len+0x2d0/0x2d0 [ 125.489082][ T5223] ? down_read+0x1b5/0x2f0 [ 125.493519][ T5223] lookup_slow+0x53/0x70 [ 125.497774][ T5223] link_path_walk+0x9c8/0xe70 [ 125.502477][ T5223] ? handle_lookup_down+0x130/0x130 [ 125.507704][ T5223] ? lockdep_hardirqs_on+0x98/0x140 [ 125.512916][ T5223] path_lookupat+0xa9/0x450 [ 125.517449][ T5223] do_o_path+0x95/0x230 [ 125.521630][ T5223] ? do_tmpfile+0x330/0x330 [ 125.526148][ T5223] ? __alloc_file+0x15a/0x230 [ 125.530842][ T5223] path_openat+0x29f0/0x3170 [ 125.535446][ T5223] ? __stack_depot_save+0x20/0x650 [ 125.540580][ T5223] ? mark_lock+0x9a/0x340 [ 125.544923][ T5223] ? kmem_cache_alloc+0x11f/0x2e0 [ 125.549957][ T5223] ? mark_lock+0x9a/0x340 [ 125.554304][ T5223] ? __lock_acquire+0x1295/0x2000 [ 125.559432][ T5223] ? do_filp_open+0x490/0x490 [ 125.564159][ T5223] do_filp_open+0x234/0x490 [ 125.568684][ T5223] ? vfs_tmpfile+0x4a0/0x4a0 [ 125.573308][ T5223] ? _raw_spin_unlock+0x28/0x40 [ 125.578176][ T5223] ? alloc_fd+0x59c/0x640 [ 125.582546][ T5223] do_sys_openat2+0x13f/0x500 [ 125.587244][ T5223] ? print_irqtrace_events+0x220/0x220 [ 125.592721][ T5223] ? do_sys_open+0x230/0x230 [ 125.597329][ T5223] ? lockdep_hardirqs_on+0x98/0x140 [ 125.602541][ T5223] ? _raw_spin_unlock_irq+0x2e/0x50 [ 125.607758][ T5223] ? ptrace_notify+0x278/0x380 [ 125.612560][ T5223] __x64_sys_openat+0x247/0x290 [ 125.617454][ T5223] ? __ia32_sys_open+0x270/0x270 [ 125.622424][ T5223] ? syscall_enter_from_user_mode+0x32/0x230 [ 125.628449][ T5223] ? syscall_enter_from_user_mode+0x8c/0x230 [ 125.634443][ T5223] do_syscall_64+0x41/0xc0 [ 125.638884][ T5223] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 125.644788][ T5223] RIP: 0033:0x7f0100724159 [ 125.649216][ T5223] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 125.668832][ T5223] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5225] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5223] <... openat resumed>) = -1 EIO (Input/output error) [pid 5223] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5223] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5222] exit_group(0 [pid 5223] <... futex resumed>) = ? [pid 5223] +++ exited with 0 +++ [pid 5222] <... exit_group resumed>) = ? [pid 5225] <... futex resumed>) = ? [pid 5225] +++ exited with 0 +++ [pid 5222] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5222, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=33 /* 0.33 s */} --- umount2("./52", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./52", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./52/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./52/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./52/binderfs") = 0 [ 125.677344][ T5223] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 125.685324][ T5223] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 125.693307][ T5223] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 125.701290][ T5223] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 125.709286][ T5223] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 125.717283][ T5223] umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./52/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./52/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./52/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./52") = 0 mkdir("./53", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5226 ./strace-static-x86_64: Process 5226 attached [pid 5226] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5226] chdir("./53") = 0 [pid 5226] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5226] setpgid(0, 0) = 0 [pid 5226] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5226] write(3, "1000", 4) = 4 [pid 5226] close(3) = 0 [pid 5226] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5226] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5226] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5226] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5226] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5227], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5227 [pid 5226] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5226] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5227 attached [pid 5227] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5227] memfd_create("syzkaller", 0) = 3 [pid 5227] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5227] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5227] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5227] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5227] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5227] close(3) = 0 [pid 5227] mkdir("./file0", 0777) = 0 [ 126.113157][ T5227] loop0: detected capacity change from 0 to 32768 [ 126.125677][ T5227] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 126.134262][ T5227] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 126.143809][ T5227] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 126.152627][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 126.159692][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5227] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5227] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5227] chdir("./file0") = 0 [pid 5227] ioctl(4, LOOP_CLR_FD) = 0 [pid 5227] close(4) = 0 [pid 5227] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5226] <... futex resumed>) = 0 [pid 5227] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5226] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5227] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5226] <... futex resumed>) = 0 [pid 5227] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 126.205051][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 126.212632][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 126.218242][ T5227] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 126.242325][ T5227] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 126.251686][ T5227] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 126.251686][ T5227] inode = 12 2341 [ 126.251686][ T5227] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 126.271105][ T5227] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 126.280404][ T5227] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5227 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 126.290850][ T5227] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5226] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5226] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5226] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5226] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5226] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5229], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5229 [pid 5226] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5226] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5229 attached [pid 5229] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5229] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5229] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5226] <... futex resumed>) = 0 [pid 5226] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5226] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5229] <... futex resumed>) = 1 [pid 5229] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5229] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5226] <... futex resumed>) = 0 [pid 5229] <... futex resumed>) = 1 [ 126.299541][ T5227] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 126.306803][ T5227] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 126.315905][ T5227] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 126.325276][ T5227] gfs2: fsid=syz:syz.0: File system withdrawn [ 126.332046][ T5227] CPU: 1 PID: 5227 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 126.342511][ T5227] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 126.352615][ T5227] Call Trace: [ 126.355950][ T5227] [ 126.358944][ T5227] dump_stack_lvl+0x1e7/0x2d0 [ 126.363673][ T5227] ? nf_tcp_handle_invalid+0x650/0x650 [ 126.369172][ T5227] ? panic+0x770/0x770 [ 126.373272][ T5227] ? kobject_uevent_env+0x54e/0x8e0 [ 126.378492][ T5227] gfs2_withdraw+0xf48/0x1550 [ 126.383202][ T5227] ? gfs2_lm+0x240/0x240 [ 126.387464][ T5227] ? gfs2_dirent_scan+0xb2/0x640 [ 126.392431][ T5227] ? panic+0x770/0x770 [ 126.396540][ T5227] ? gfs2_consist_inode_i+0xf5/0x110 [ 126.401847][ T5227] gfs2_dirent_scan+0x512/0x640 [ 126.406712][ T5227] ? gfs2_permission+0x268/0x3c0 [ 126.411681][ T5227] ? gfs2_dirent_search+0x8c0/0x8c0 [ 126.416918][ T5227] gfs2_dirent_search+0x30e/0x8c0 [ 126.421975][ T5227] ? gfs2_dirent_search+0x8c0/0x8c0 [ 126.427239][ T5227] ? generic_permission+0x1df/0x550 [ 126.432467][ T5227] ? gfs2_dir_search+0x2f0/0x2f0 [ 126.437425][ T5227] ? gfs2_permission+0x34a/0x3c0 [ 126.442417][ T5227] gfs2_dir_search+0xb2/0x2f0 [ 126.447117][ T5227] ? do_filldir_main+0x520/0x520 [ 126.452076][ T5227] ? inode_go_held+0xea/0x200 [ 126.456770][ T5227] ? gfs2_glock_wait+0x21a/0x2b0 [ 126.461728][ T5227] gfs2_lookupi+0x460/0x5d0 [ 126.466255][ T5227] ? gfs2_lookup_simple+0x180/0x180 [ 126.471476][ T5227] ? __gfs2_lookup+0xa4/0x270 [ 126.476165][ T5227] ? d_alloc_parallel+0x1262/0x13a0 [ 126.481383][ T5227] __gfs2_lookup+0xa4/0x270 [ 126.485901][ T5227] ? gfs2_atomic_open+0x230/0x230 [ 126.490945][ T5227] ? __init_waitqueue_head+0xae/0x150 [ 126.496341][ T5227] __lookup_slow+0x282/0x3e0 [ 126.500946][ T5227] ? lookup_one_len+0x2d0/0x2d0 [ 126.505821][ T5227] ? down_read+0x1b5/0x2f0 [ 126.510260][ T5227] lookup_slow+0x53/0x70 [ 126.514512][ T5227] link_path_walk+0x9c8/0xe70 [ 126.519239][ T5227] ? handle_lookup_down+0x130/0x130 [ 126.524458][ T5227] ? lockdep_hardirqs_on+0x98/0x140 [ 126.529695][ T5227] path_lookupat+0xa9/0x450 [ 126.534219][ T5227] do_o_path+0x95/0x230 [ 126.538400][ T5227] ? do_tmpfile+0x330/0x330 [ 126.542933][ T5227] ? __alloc_file+0x15a/0x230 [ 126.547628][ T5227] path_openat+0x29f0/0x3170 [ 126.552236][ T5227] ? __stack_depot_save+0x20/0x650 [ 126.557385][ T5227] ? mark_lock+0x9a/0x340 [ 126.561730][ T5227] ? kmem_cache_alloc+0x11f/0x2e0 [ 126.566778][ T5227] ? mark_lock+0x9a/0x340 [ 126.571128][ T5227] ? __lock_acquire+0x1295/0x2000 [ 126.576168][ T5227] ? do_filp_open+0x490/0x490 [ 126.580872][ T5227] do_filp_open+0x234/0x490 [ 126.585390][ T5227] ? vfs_tmpfile+0x4a0/0x4a0 [ 126.590012][ T5227] ? _raw_spin_unlock+0x28/0x40 [ 126.594873][ T5227] ? alloc_fd+0x59c/0x640 [ 126.599239][ T5227] do_sys_openat2+0x13f/0x500 [ 126.603935][ T5227] ? print_irqtrace_events+0x220/0x220 [ 126.609413][ T5227] ? do_sys_open+0x230/0x230 [ 126.614021][ T5227] ? lockdep_hardirqs_on+0x98/0x140 [ 126.619321][ T5227] ? _raw_spin_unlock_irq+0x2e/0x50 [ 126.624539][ T5227] ? ptrace_notify+0x278/0x380 [ 126.629337][ T5227] __x64_sys_openat+0x247/0x290 [ 126.634208][ T5227] ? __ia32_sys_open+0x270/0x270 [ 126.639165][ T5227] ? syscall_enter_from_user_mode+0x32/0x230 [ 126.645158][ T5227] ? syscall_enter_from_user_mode+0x8c/0x230 [ 126.651164][ T5227] do_syscall_64+0x41/0xc0 [ 126.656915][ T5227] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 126.662823][ T5227] RIP: 0033:0x7f0100724159 [ 126.667252][ T5227] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 126.686866][ T5227] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 126.695289][ T5227] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5229] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5227] <... openat resumed>) = -1 EIO (Input/output error) [pid 5227] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5227] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5226] exit_group(0 [pid 5229] <... futex resumed>) = ? [pid 5227] <... futex resumed>) = ? [pid 5226] <... exit_group resumed>) = ? [pid 5229] +++ exited with 0 +++ [pid 5227] +++ exited with 0 +++ [pid 5226] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5226, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=32 /* 0.32 s */} --- umount2("./53", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./53", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./53/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./53/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./53/binderfs") = 0 [ 126.703292][ T5227] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 126.711284][ T5227] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 126.719277][ T5227] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 126.727263][ T5227] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 126.735274][ T5227] umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./53/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./53/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./53/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./53") = 0 mkdir("./54", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5230 ./strace-static-x86_64: Process 5230 attached [pid 5230] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5230] chdir("./54") = 0 [pid 5230] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5230] setpgid(0, 0) = 0 [pid 5230] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5230] write(3, "1000", 4) = 4 [pid 5230] close(3) = 0 [pid 5230] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5230] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5230] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5230] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5230] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5231], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5231 [pid 5230] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5230] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5231 attached [pid 5231] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5231] memfd_create("syzkaller", 0) = 3 [pid 5231] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5231] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5231] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5231] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5231] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5231] close(3) = 0 [pid 5231] mkdir("./file0", 0777) = 0 [ 127.129979][ T5231] loop0: detected capacity change from 0 to 32768 [ 127.142101][ T5231] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 127.150630][ T5231] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 127.161624][ T5231] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 127.170418][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 127.177376][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5231] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5231] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5231] chdir("./file0") = 0 [pid 5231] ioctl(4, LOOP_CLR_FD) = 0 [pid 5231] close(4) = 0 [pid 5231] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5230] <... futex resumed>) = 0 [pid 5230] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5230] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5231] <... futex resumed>) = 1 [ 127.223476][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 127.231935][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 127.237736][ T5231] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 127.259328][ T5231] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5231] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5230] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5230] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5230] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5230] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5230] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5230] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5233], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5233 [pid 5230] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5230] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5233 attached [pid 5233] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 127.268456][ T5231] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 127.268456][ T5231] inode = 12 2341 [ 127.268456][ T5231] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 127.288227][ T5231] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 127.297826][ T5231] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5231 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 127.308535][ T5231] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 127.317073][ T5233] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 127.317101][ T5233] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 127.317101][ T5233] inode = 12 2341 [ 127.317101][ T5233] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 127.318214][ T5233] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 127.318253][ T5233] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5231 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5233] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5230] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5230] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5230] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5230] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5230] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5234], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5234 [pid 5230] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5230] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5234 attached [ 127.318294][ T5233] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5233 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 127.318328][ T5233] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 127.318354][ T5233] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 127.318368][ T5233] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 127.318382][ T5233] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 127.318731][ T5233] gfs2: fsid=syz:syz.0: File system withdrawn [ 127.412085][ T5233] CPU: 0 PID: 5233 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 ) = -1 ETIMEDOUT (Connection timed out) [pid 5234] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5234] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5234] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 127.422582][ T5233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 127.432677][ T5233] Call Trace: [ 127.435984][ T5233] [ 127.439104][ T5233] dump_stack_lvl+0x1e7/0x2d0 [ 127.443817][ T5233] ? nf_tcp_handle_invalid+0x650/0x650 [ 127.449321][ T5233] ? panic+0x770/0x770 [ 127.453432][ T5233] ? kobject_uevent_env+0x54e/0x8e0 [ 127.458695][ T5233] gfs2_withdraw+0xf48/0x1550 [ 127.463449][ T5233] ? gfs2_lm+0x240/0x240 [ 127.467733][ T5233] ? gfs2_dirent_scan+0xb2/0x640 [ 127.472696][ T5233] ? panic+0x770/0x770 [ 127.476818][ T5233] ? gfs2_consist_inode_i+0xf5/0x110 [ 127.482144][ T5233] gfs2_dirent_scan+0x512/0x640 [ 127.487027][ T5233] ? gfs2_permission+0x268/0x3c0 [ 127.492012][ T5233] ? gfs2_dirent_search+0x8c0/0x8c0 [ 127.497266][ T5233] gfs2_dirent_search+0x30e/0x8c0 [ 127.502500][ T5233] ? gfs2_dirent_search+0x8c0/0x8c0 [ 127.507739][ T5233] ? generic_permission+0x1df/0x550 [ 127.512976][ T5233] ? gfs2_dir_search+0x2f0/0x2f0 [ 127.518360][ T5233] ? gfs2_permission+0x34a/0x3c0 [pid 5234] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5230] exit_group(0 [pid 5234] <... futex resumed>) = ? [pid 5230] <... exit_group resumed>) = ? [pid 5234] +++ exited with 0 +++ [ 127.523341][ T5233] gfs2_dir_search+0xb2/0x2f0 [ 127.528077][ T5233] ? do_filldir_main+0x520/0x520 [ 127.533071][ T5233] ? inode_go_held+0xea/0x200 [ 127.537761][ T5233] ? gfs2_glock_wait+0x21a/0x2b0 [ 127.542729][ T5233] gfs2_lookupi+0x460/0x5d0 [ 127.547291][ T5233] ? gfs2_lookup_simple+0x180/0x180 [ 127.552558][ T5233] ? __gfs2_lookup+0xa4/0x270 [ 127.557275][ T5233] __gfs2_lookup+0xa4/0x270 [ 127.561824][ T5233] ? gfs2_atomic_open+0x230/0x230 [ 127.566900][ T5233] ? __d_lookup+0x675/0x730 [ 127.571439][ T5233] ? d_hash_and_lookup+0x1b0/0x1b0 [ 127.576581][ T5233] gfs2_atomic_open+0x9e/0x230 [ 127.581395][ T5233] path_openat+0x103c/0x3170 [ 127.586034][ T5233] ? gfs2_rename2+0x25a0/0x25a0 [ 127.590949][ T5233] ? do_filp_open+0x490/0x490 [ 127.595668][ T5233] do_filp_open+0x234/0x490 [ 127.600201][ T5233] ? vfs_tmpfile+0x4a0/0x4a0 [ 127.604848][ T5233] ? _raw_spin_unlock+0x28/0x40 [ 127.609710][ T5233] ? alloc_fd+0x59c/0x640 [ 127.614068][ T5233] do_sys_openat2+0x13f/0x500 [ 127.618778][ T5233] ? print_irqtrace_events+0x220/0x220 [ 127.624283][ T5233] ? do_sys_open+0x230/0x230 [ 127.628913][ T5233] ? lockdep_hardirqs_on+0x98/0x140 [ 127.634148][ T5233] ? _raw_spin_unlock_irq+0x2e/0x50 [ 127.639383][ T5233] ? ptrace_notify+0x278/0x380 [ 127.644181][ T5233] __x64_sys_openat+0x247/0x290 [ 127.649073][ T5233] ? __ia32_sys_open+0x270/0x270 [ 127.654097][ T5233] ? syscall_enter_from_user_mode+0x32/0x230 [ 127.660096][ T5233] ? syscall_enter_from_user_mode+0x8c/0x230 [ 127.666108][ T5233] do_syscall_64+0x41/0xc0 [ 127.670582][ T5233] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 127.676529][ T5233] RIP: 0033:0x7f0100724159 [ 127.680997][ T5233] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 127.700618][ T5233] RSP: 002b:00007f00f92a7318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 127.709068][ T5233] RAX: ffffffffffffffda RBX: 00007f01007b3798 RCX: 00007f0100724159 [ 127.717070][ T5233] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [pid 5233] <... openat resumed>) = ? [pid 5231] <... openat resumed>) = ? [pid 5233] +++ exited with 0 +++ [pid 5231] +++ exited with 0 +++ [pid 5230] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5230, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=39 /* 0.39 s */} --- umount2("./54", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./54", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./54/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./54/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./54/binderfs") = 0 [ 127.725080][ T5233] RBP: 00007f01007b3790 R08: 00007f00f92a7700 R09: 0000000000000000 [ 127.733085][ T5233] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 127.741094][ T5233] R13: 00007ffd22ca6a7f R14: 00007f00f92a7400 R15: 0000000000022000 [ 127.749124][ T5233] umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./54/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./54/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./54/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./54") = 0 mkdir("./55", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5235 ./strace-static-x86_64: Process 5235 attached [pid 5235] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5235] chdir("./55") = 0 [pid 5235] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5235] setpgid(0, 0) = 0 [pid 5235] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5235] write(3, "1000", 4) = 4 [pid 5235] close(3) = 0 [pid 5235] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5235] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5235] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5235] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5236 attached , parent_tid=[5236], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5236 [pid 5235] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5236] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5236] memfd_create("syzkaller", 0) = 3 [pid 5236] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5236] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5236] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5236] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5236] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5236] close(3) = 0 [pid 5236] mkdir("./file0", 0777) = 0 [ 128.123675][ T5236] loop0: detected capacity change from 0 to 32768 [ 128.135729][ T5236] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 128.144479][ T5236] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 128.154057][ T5236] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 128.162873][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 128.169978][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5236] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5236] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5236] chdir("./file0") = 0 [pid 5236] ioctl(4, LOOP_CLR_FD) = 0 [pid 5236] close(4) = 0 [pid 5236] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5235] <... futex resumed>) = 0 [pid 5235] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 128.213115][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 128.222289][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 128.227734][ T5236] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 128.256904][ T5236] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 128.265901][ T5236] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 128.265901][ T5236] inode = 12 2341 [ 128.265901][ T5236] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 128.285274][ T5236] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 128.294930][ T5236] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5236 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5236] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5235] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5235] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5235] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5235] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5238], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5238 [pid 5235] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 128.305242][ T5236] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 128.314103][ T5236] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 128.321446][ T5236] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 128.330429][ T5236] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 128.338951][ T5236] gfs2: fsid=syz:syz.0: File system withdrawn [ 128.345075][ T5236] CPU: 0 PID: 5236 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [pid 5235] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5235] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [ 128.355543][ T5236] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 128.365642][ T5236] Call Trace: [ 128.368953][ T5236] [ 128.371893][ T5236] dump_stack_lvl+0x1e7/0x2d0 [ 128.376598][ T5236] ? nf_tcp_handle_invalid+0x650/0x650 [ 128.382075][ T5236] ? panic+0x770/0x770 [ 128.386170][ T5236] ? kobject_uevent_env+0x54e/0x8e0 [ 128.391426][ T5236] gfs2_withdraw+0xf48/0x1550 [ 128.396150][ T5236] ? gfs2_lm+0x240/0x240 [ 128.400466][ T5236] ? gfs2_dirent_scan+0xb2/0x640 [pid 5235] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5235] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5239], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5239 [pid 5235] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5235] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5239 attached [pid 5239] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5239] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5239] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5235] <... futex resumed>) = 0 [pid 5239] <... futex resumed>) = 1 [ 128.405467][ T5236] ? panic+0x770/0x770 [ 128.409603][ T5236] ? gfs2_consist_inode_i+0xf5/0x110 [ 128.414987][ T5236] gfs2_dirent_scan+0x512/0x640 [ 128.419898][ T5236] ? gfs2_permission+0x268/0x3c0 [ 128.424872][ T5236] ? gfs2_dirent_search+0x8c0/0x8c0 [ 128.430109][ T5236] gfs2_dirent_search+0x30e/0x8c0 [ 128.435202][ T5236] ? gfs2_dirent_search+0x8c0/0x8c0 [ 128.440442][ T5236] ? generic_permission+0x1df/0x550 [ 128.445688][ T5236] ? gfs2_dir_search+0x2f0/0x2f0 [ 128.450666][ T5236] ? gfs2_permission+0x34a/0x3c0 [ 128.455636][ T5236] gfs2_dir_search+0xb2/0x2f0 [ 128.460333][ T5236] ? do_filldir_main+0x520/0x520 [ 128.465283][ T5236] ? inode_go_held+0xea/0x200 [ 128.469971][ T5236] ? gfs2_glock_wait+0x21a/0x2b0 [ 128.474927][ T5236] gfs2_lookupi+0x460/0x5d0 [ 128.479454][ T5236] ? gfs2_lookup_simple+0x180/0x180 [ 128.484671][ T5236] ? __gfs2_lookup+0xa4/0x270 [ 128.489357][ T5236] ? d_alloc_parallel+0x1262/0x13a0 [ 128.494578][ T5236] __gfs2_lookup+0xa4/0x270 [ 128.499095][ T5236] ? gfs2_atomic_open+0x230/0x230 [ 128.504139][ T5236] ? __init_waitqueue_head+0xae/0x150 [ 128.509534][ T5236] __lookup_slow+0x282/0x3e0 [ 128.514142][ T5236] ? lookup_one_len+0x2d0/0x2d0 [ 128.519046][ T5236] ? down_read+0x1b5/0x2f0 [ 128.523486][ T5236] lookup_slow+0x53/0x70 [ 128.527741][ T5236] link_path_walk+0x9c8/0xe70 [ 128.532447][ T5236] ? handle_lookup_down+0x130/0x130 [ 128.537699][ T5236] ? lockdep_hardirqs_on+0x98/0x140 [ 128.542914][ T5236] path_lookupat+0xa9/0x450 [ 128.547449][ T5236] do_o_path+0x95/0x230 [ 128.551642][ T5236] ? do_tmpfile+0x330/0x330 [ 128.556158][ T5236] ? __alloc_file+0x15a/0x230 [ 128.560852][ T5236] path_openat+0x29f0/0x3170 [ 128.565546][ T5236] ? __stack_depot_save+0x20/0x650 [ 128.570677][ T5236] ? mark_lock+0x9a/0x340 [ 128.575023][ T5236] ? kmem_cache_alloc+0x11f/0x2e0 [ 128.580057][ T5236] ? mark_lock+0x9a/0x340 [ 128.584406][ T5236] ? __lock_acquire+0x1295/0x2000 [ 128.589446][ T5236] ? do_filp_open+0x490/0x490 [ 128.594168][ T5236] do_filp_open+0x234/0x490 [ 128.598690][ T5236] ? vfs_tmpfile+0x4a0/0x4a0 [ 128.603313][ T5236] ? _raw_spin_unlock+0x28/0x40 [ 128.608192][ T5236] ? alloc_fd+0x59c/0x640 [ 128.612553][ T5236] do_sys_openat2+0x13f/0x500 [ 128.617247][ T5236] ? print_irqtrace_events+0x220/0x220 [ 128.622726][ T5236] ? do_sys_open+0x230/0x230 [ 128.627333][ T5236] ? lockdep_hardirqs_on+0x98/0x140 [ 128.632557][ T5236] ? _raw_spin_unlock_irq+0x2e/0x50 [ 128.637768][ T5236] ? ptrace_notify+0x278/0x380 [ 128.642638][ T5236] __x64_sys_openat+0x247/0x290 [ 128.647683][ T5236] ? __ia32_sys_open+0x270/0x270 [ 128.652639][ T5236] ? syscall_enter_from_user_mode+0x32/0x230 [ 128.658647][ T5236] ? syscall_enter_from_user_mode+0x8c/0x230 [ 128.664642][ T5236] do_syscall_64+0x41/0xc0 [ 128.669078][ T5236] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 128.674986][ T5236] RIP: 0033:0x7f0100724159 [ 128.679412][ T5236] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 128.699048][ T5236] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5239] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 5238 attached [pid 5238] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5238] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5238] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5238] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5236] <... openat resumed>) = -1 EIO (Input/output error) [pid 5236] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5236] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5235] exit_group(0 [pid 5238] <... futex resumed>) = ? [pid 5235] <... exit_group resumed>) = ? [pid 5238] +++ exited with 0 +++ [pid 5239] <... futex resumed>) = ? [pid 5236] <... futex resumed>) = ? [pid 5239] +++ exited with 0 +++ [pid 5236] +++ exited with 0 +++ [pid 5235] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5235, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./55", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./55", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./55/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./55/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./55/binderfs") = 0 [ 128.707483][ T5236] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 128.715481][ T5236] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 128.723464][ T5236] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 128.731444][ T5236] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 128.739427][ T5236] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 128.747438][ T5236] umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./55/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./55/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./55/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./55") = 0 mkdir("./56", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5240 ./strace-static-x86_64: Process 5240 attached [pid 5240] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5240] chdir("./56") = 0 [pid 5240] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5240] setpgid(0, 0) = 0 [pid 5240] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5240] write(3, "1000", 4) = 4 [pid 5240] close(3) = 0 [pid 5240] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5240] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5240] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5240] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5240] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5241 attached , parent_tid=[5241], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5241 [pid 5241] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5241] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5240] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5241] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5240] <... futex resumed>) = 0 [pid 5240] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5241] memfd_create("syzkaller", 0) = 3 [pid 5241] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5241] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5241] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5241] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5241] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5241] close(3) = 0 [pid 5241] mkdir("./file0", 0777) = 0 [ 129.168687][ T5241] loop0: detected capacity change from 0 to 32768 [ 129.183012][ T5241] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 129.191405][ T5241] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 129.201333][ T5241] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 129.210274][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 129.217061][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5241] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5241] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5241] chdir("./file0") = 0 [pid 5241] ioctl(4, LOOP_CLR_FD) = 0 [pid 5241] close(4) = 0 [pid 5241] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5240] <... futex resumed>) = 0 [pid 5241] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 129.256056][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 129.265382][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 129.270761][ T5241] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5240] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 129.309417][ T5241] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 129.318823][ T5241] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 129.318823][ T5241] inode = 12 2341 [ 129.318823][ T5241] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 129.337662][ T5241] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 129.346752][ T5241] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5241 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5240] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5240] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5240] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5240] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5240] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5243], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5243 [pid 5240] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5240] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5243 attached [pid 5243] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5243] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5243] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5240] <... futex resumed>) = 0 [pid 5243] <... futex resumed>) = 1 [pid 5240] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5243] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 5240] <... futex resumed>) = 0 [pid 5243] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5240] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5243] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5240] <... futex resumed>) = 0 [ 129.357498][ T5241] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 129.365958][ T5241] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 129.373352][ T5241] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 129.382262][ T5241] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 129.388966][ T5241] gfs2: fsid=syz:syz.0: File system withdrawn [ 129.395079][ T5241] CPU: 0 PID: 5241 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 129.405540][ T5241] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 129.415641][ T5241] Call Trace: [ 129.418978][ T5241] [ 129.421920][ T5241] dump_stack_lvl+0x1e7/0x2d0 [ 129.426621][ T5241] ? nf_tcp_handle_invalid+0x650/0x650 [ 129.432109][ T5241] ? panic+0x770/0x770 [ 129.436213][ T5241] ? kobject_uevent_env+0x54e/0x8e0 [ 129.441461][ T5241] gfs2_withdraw+0xf48/0x1550 [ 129.446209][ T5241] ? gfs2_lm+0x240/0x240 [ 129.450484][ T5241] ? gfs2_dirent_scan+0xb2/0x640 [ 129.455461][ T5241] ? panic+0x770/0x770 [ 129.459562][ T5241] ? gfs2_consist_inode_i+0xf5/0x110 [ 129.464877][ T5241] gfs2_dirent_scan+0x512/0x640 [ 129.469765][ T5241] ? gfs2_permission+0x268/0x3c0 [ 129.474742][ T5241] ? gfs2_dirent_search+0x8c0/0x8c0 [ 129.479983][ T5241] gfs2_dirent_search+0x30e/0x8c0 [ 129.485034][ T5241] ? gfs2_dirent_search+0x8c0/0x8c0 [ 129.490258][ T5241] ? generic_permission+0x1df/0x550 [ 129.495475][ T5241] ? gfs2_dir_search+0x2f0/0x2f0 [ 129.500444][ T5241] ? gfs2_permission+0x34a/0x3c0 [ 129.505407][ T5241] gfs2_dir_search+0xb2/0x2f0 [ 129.510098][ T5241] ? do_filldir_main+0x520/0x520 [ 129.515048][ T5241] ? inode_go_held+0xea/0x200 [ 129.520042][ T5241] ? gfs2_glock_wait+0x21a/0x2b0 [ 129.524995][ T5241] gfs2_lookupi+0x460/0x5d0 [ 129.529522][ T5241] ? gfs2_lookup_simple+0x180/0x180 [ 129.534739][ T5241] ? __gfs2_lookup+0xa4/0x270 [ 129.539531][ T5241] ? d_alloc_parallel+0x1262/0x13a0 [ 129.544748][ T5241] __gfs2_lookup+0xa4/0x270 [ 129.549263][ T5241] ? gfs2_atomic_open+0x230/0x230 [ 129.554327][ T5241] ? __init_waitqueue_head+0xae/0x150 [ 129.559718][ T5241] __lookup_slow+0x282/0x3e0 [ 129.564335][ T5241] ? lookup_one_len+0x2d0/0x2d0 [ 129.569209][ T5241] ? down_read+0x1b5/0x2f0 [ 129.573648][ T5241] lookup_slow+0x53/0x70 [ 129.577905][ T5241] link_path_walk+0x9c8/0xe70 [ 129.582613][ T5241] ? handle_lookup_down+0x130/0x130 [ 129.587901][ T5241] ? lockdep_hardirqs_on+0x98/0x140 [ 129.593162][ T5241] path_lookupat+0xa9/0x450 [ 129.597698][ T5241] do_o_path+0x95/0x230 [ 129.601893][ T5241] ? do_tmpfile+0x330/0x330 [ 129.606425][ T5241] ? __alloc_file+0x15a/0x230 [ 129.611124][ T5241] path_openat+0x29f0/0x3170 [ 129.615753][ T5241] ? __stack_depot_save+0x20/0x650 [ 129.620888][ T5241] ? __lock_acquire+0x1295/0x2000 [ 129.625943][ T5241] ? mark_lock+0x9a/0x340 [ 129.630299][ T5241] ? kmem_cache_alloc+0x11f/0x2e0 [ 129.635334][ T5241] ? mark_lock+0x9a/0x340 [ 129.639683][ T5241] ? __lock_acquire+0x1295/0x2000 [ 129.644723][ T5241] ? do_filp_open+0x490/0x490 [ 129.649427][ T5241] do_filp_open+0x234/0x490 [ 129.653948][ T5241] ? vfs_tmpfile+0x4a0/0x4a0 [ 129.658590][ T5241] ? _raw_spin_unlock+0x28/0x40 [ 129.663451][ T5241] ? alloc_fd+0x59c/0x640 [ 129.667806][ T5241] do_sys_openat2+0x13f/0x500 [ 129.672507][ T5241] ? print_irqtrace_events+0x220/0x220 [ 129.677993][ T5241] ? do_sys_open+0x230/0x230 [ 129.682617][ T5241] ? lockdep_hardirqs_on+0x98/0x140 [ 129.687836][ T5241] ? _raw_spin_unlock_irq+0x2e/0x50 [ 129.693057][ T5241] ? ptrace_notify+0x278/0x380 [ 129.697838][ T5241] __x64_sys_openat+0x247/0x290 [ 129.702709][ T5241] ? __ia32_sys_open+0x270/0x270 [ 129.707679][ T5241] ? syscall_enter_from_user_mode+0x32/0x230 [ 129.713692][ T5241] ? syscall_enter_from_user_mode+0x8c/0x230 [ 129.719721][ T5241] do_syscall_64+0x41/0xc0 [ 129.724168][ T5241] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 129.730076][ T5241] RIP: 0033:0x7f0100724159 [ 129.734505][ T5241] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5243] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5241] <... openat resumed>) = -1 EIO (Input/output error) [pid 5241] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5241] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5240] exit_group(0 [pid 5241] <... futex resumed>) = ? [pid 5240] <... exit_group resumed>) = ? [pid 5243] <... futex resumed>) = ? [pid 5241] +++ exited with 0 +++ [pid 5243] +++ exited with 0 +++ [pid 5240] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5240, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=31 /* 0.31 s */} --- umount2("./56", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./56", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./56/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./56/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./56/binderfs") = 0 [ 129.754124][ T5241] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 129.762566][ T5241] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 129.770569][ T5241] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 129.778560][ T5241] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 129.786630][ T5241] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 129.794617][ T5241] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 129.802637][ T5241] umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./56/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./56/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./56/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./56") = 0 mkdir("./57", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5244 ./strace-static-x86_64: Process 5244 attached [pid 5244] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5244] chdir("./57") = 0 [pid 5244] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5244] setpgid(0, 0) = 0 [pid 5244] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5244] write(3, "1000", 4) = 4 [pid 5244] close(3) = 0 [pid 5244] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5244] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5244] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5244] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5245 attached [pid 5245] set_robust_list(0x7f01006c89e0, 24 [pid 5244] <... clone resumed>, parent_tid=[5245], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5245 [pid 5244] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5245] <... set_robust_list resumed>) = 0 [pid 5244] <... futex resumed>) = 0 [pid 5244] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5245] memfd_create("syzkaller", 0) = 3 [pid 5245] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5245] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5245] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5245] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5245] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5245] close(3) = 0 [pid 5245] mkdir("./file0", 0777) = 0 [ 130.201629][ T5245] loop0: detected capacity change from 0 to 32768 [ 130.212344][ T5245] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 130.220656][ T5245] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 130.230887][ T5245] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 130.239746][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 130.246576][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5245] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5245] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5245] chdir("./file0") = 0 [pid 5245] ioctl(4, LOOP_CLR_FD) = 0 [pid 5245] close(4) = 0 [pid 5245] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5244] <... futex resumed>) = 0 [pid 5244] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5245] <... futex resumed>) = 1 [ 130.283271][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 130.291784][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 130.297498][ T5245] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 130.313013][ T5245] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 130.321756][ T5245] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 130.321756][ T5245] inode = 12 2341 [pid 5245] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5244] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5244] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5244] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5244] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5247], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5247 [ 130.321756][ T5245] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 130.344938][ T5245] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 130.354848][ T5245] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5245 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 130.365107][ T5245] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 130.374177][ T5245] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5244] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5247 attached ) = 0 [pid 5244] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5247] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5247] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5247] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5244] <... futex resumed>) = 0 [pid 5244] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5247] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 5244] <... futex resumed>) = 0 [pid 5247] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5244] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5247] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5244] <... futex resumed>) = 0 [pid 5247] <... futex resumed>) = 1 [ 130.382204][ T5245] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 130.391697][ T5245] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 130.402755][ T5245] gfs2: fsid=syz:syz.0: File system withdrawn [ 130.409849][ T5245] CPU: 0 PID: 5245 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 130.420295][ T5245] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 130.430365][ T5245] Call Trace: [ 130.433664][ T5245] [ 130.436686][ T5245] dump_stack_lvl+0x1e7/0x2d0 [ 130.441381][ T5245] ? nf_tcp_handle_invalid+0x650/0x650 [ 130.446858][ T5245] ? panic+0x770/0x770 [ 130.450945][ T5245] ? kobject_uevent_env+0x54e/0x8e0 [ 130.456160][ T5245] gfs2_withdraw+0xf48/0x1550 [ 130.460878][ T5245] ? gfs2_lm+0x240/0x240 [ 130.465131][ T5245] ? gfs2_dirent_scan+0xb2/0x640 [ 130.470089][ T5245] ? panic+0x770/0x770 [ 130.474188][ T5245] ? gfs2_consist_inode_i+0xf5/0x110 [ 130.479510][ T5245] gfs2_dirent_scan+0x512/0x640 [ 130.484381][ T5245] ? gfs2_permission+0x268/0x3c0 [ 130.489342][ T5245] ? gfs2_dirent_search+0x8c0/0x8c0 [ 130.494655][ T5245] gfs2_dirent_search+0x30e/0x8c0 [ 130.499692][ T5245] ? gfs2_dirent_search+0x8c0/0x8c0 [ 130.504912][ T5245] ? generic_permission+0x1df/0x550 [ 130.510119][ T5245] ? gfs2_dir_search+0x2f0/0x2f0 [ 130.515086][ T5245] ? gfs2_permission+0x34a/0x3c0 [ 130.520051][ T5245] gfs2_dir_search+0xb2/0x2f0 [ 130.524781][ T5245] ? do_filldir_main+0x520/0x520 [ 130.529749][ T5245] ? inode_go_held+0xea/0x200 [ 130.534441][ T5245] ? gfs2_glock_wait+0x21a/0x2b0 [ 130.539402][ T5245] gfs2_lookupi+0x460/0x5d0 [ 130.543930][ T5245] ? gfs2_lookup_simple+0x180/0x180 [ 130.549333][ T5245] ? __gfs2_lookup+0xa4/0x270 [ 130.554020][ T5245] ? d_alloc_parallel+0x1262/0x13a0 [ 130.559323][ T5245] __gfs2_lookup+0xa4/0x270 [ 130.563840][ T5245] ? gfs2_atomic_open+0x230/0x230 [ 130.568882][ T5245] ? __init_waitqueue_head+0xae/0x150 [ 130.574272][ T5245] __lookup_slow+0x282/0x3e0 [ 130.578887][ T5245] ? lookup_one_len+0x2d0/0x2d0 [ 130.583758][ T5245] ? down_read+0x1b5/0x2f0 [ 130.588196][ T5245] lookup_slow+0x53/0x70 [ 130.592449][ T5245] link_path_walk+0x9c8/0xe70 [ 130.597157][ T5245] ? handle_lookup_down+0x130/0x130 [ 130.602372][ T5245] ? lockdep_hardirqs_on+0x98/0x140 [ 130.607589][ T5245] path_lookupat+0xa9/0x450 [ 130.612107][ T5245] do_o_path+0x95/0x230 [ 130.616285][ T5245] ? do_tmpfile+0x330/0x330 [ 130.620807][ T5245] ? __alloc_file+0x15a/0x230 [ 130.625496][ T5245] path_openat+0x29f0/0x3170 [ 130.630101][ T5245] ? __stack_depot_save+0x20/0x650 [ 130.635232][ T5245] ? mark_lock+0x9a/0x340 [ 130.639577][ T5245] ? kmem_cache_alloc+0x11f/0x2e0 [ 130.644612][ T5245] ? mark_lock+0x9a/0x340 [ 130.648963][ T5245] ? __lock_acquire+0x1295/0x2000 [ 130.654013][ T5245] ? do_filp_open+0x490/0x490 [ 130.658715][ T5245] do_filp_open+0x234/0x490 [ 130.663232][ T5245] ? vfs_tmpfile+0x4a0/0x4a0 [ 130.667884][ T5245] ? _raw_spin_unlock+0x28/0x40 [ 130.672775][ T5245] ? alloc_fd+0x59c/0x640 [ 130.677147][ T5245] do_sys_openat2+0x13f/0x500 [ 130.681849][ T5245] ? print_irqtrace_events+0x220/0x220 [ 130.687327][ T5245] ? do_sys_open+0x230/0x230 [ 130.691932][ T5245] ? lockdep_hardirqs_on+0x98/0x140 [ 130.697144][ T5245] ? _raw_spin_unlock_irq+0x2e/0x50 [ 130.702356][ T5245] ? ptrace_notify+0x278/0x380 [ 130.707135][ T5245] __x64_sys_openat+0x247/0x290 [ 130.712032][ T5245] ? __ia32_sys_open+0x270/0x270 [ 130.716998][ T5245] ? syscall_enter_from_user_mode+0x32/0x230 [ 130.723004][ T5245] ? syscall_enter_from_user_mode+0x8c/0x230 [ 130.729179][ T5245] do_syscall_64+0x41/0xc0 [ 130.733626][ T5245] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 130.739538][ T5245] RIP: 0033:0x7f0100724159 [ 130.743967][ T5245] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 130.763587][ T5245] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 130.772013][ T5245] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5247] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5245] <... openat resumed>) = -1 EIO (Input/output error) [pid 5245] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5245] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5244] exit_group(0 [pid 5245] <... futex resumed>) = ? [pid 5245] +++ exited with 0 +++ [pid 5247] <... futex resumed>) = ? [pid 5247] +++ exited with 0 +++ [pid 5244] <... exit_group resumed>) = ? [pid 5244] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5244, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=34 /* 0.34 s */} --- umount2("./57", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./57", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./57/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./57/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./57/binderfs") = 0 [ 130.779990][ T5245] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 130.787968][ T5245] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 130.795945][ T5245] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 130.803924][ T5245] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 130.811915][ T5245] umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./57/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./57/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./57/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./57") = 0 mkdir("./58", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5248 ./strace-static-x86_64: Process 5248 attached [pid 5248] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5248] chdir("./58") = 0 [pid 5248] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5248] setpgid(0, 0) = 0 [pid 5248] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5248] write(3, "1000", 4) = 4 [pid 5248] close(3) = 0 [pid 5248] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5248] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5248] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5248] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5248] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5249 attached [pid 5249] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5249] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5248] <... clone resumed>, parent_tid=[5249], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5249 [pid 5248] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5249] <... futex resumed>) = 0 [pid 5248] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5249] memfd_create("syzkaller", 0) = 3 [pid 5249] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5249] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5249] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5249] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5249] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5249] close(3) = 0 [pid 5249] mkdir("./file0", 0777) = 0 [ 131.194572][ T5249] loop0: detected capacity change from 0 to 32768 [ 131.205364][ T5249] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 131.213825][ T5249] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 131.223087][ T5249] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 131.231682][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 131.238553][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5249] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5249] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5249] chdir("./file0") = 0 [pid 5249] ioctl(4, LOOP_CLR_FD) = 0 [pid 5249] close(4) = 0 [pid 5249] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5248] <... futex resumed>) = 0 [pid 5248] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5248] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 131.282876][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 131.292092][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 131.297701][ T5249] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 131.320513][ T5249] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5249] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5248] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5248] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5248] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5248] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5248] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5251], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5251 [pid 5248] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5248] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5251 attached [pid 5251] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 131.328983][ T5249] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 131.328983][ T5249] inode = 12 2341 [ 131.328983][ T5249] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 131.348031][ T5249] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 131.357324][ T5249] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5249 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 131.367680][ T5249] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 131.372379][ T5251] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 131.376614][ T5249] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 131.392005][ T5249] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 131.392184][ T5251] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 131.400912][ T5249] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 131.416608][ T5249] gfs2: fsid=syz:syz.0: File system withdrawn [ 131.418673][ T5251] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5249 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5251] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5248] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5248] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5248] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5248] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5248] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5252], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5252 [pid 5248] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5248] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5252 attached [pid 5252] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5252] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5252] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5248] <... futex resumed>) = 0 [pid 5252] <... futex resumed>) = 1 [ 131.422763][ T5249] CPU: 1 PID: 5249 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 131.437514][ T5251] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5251 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 131.443081][ T5249] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 131.443098][ T5249] Call Trace: [ 131.443106][ T5249] [ 131.443115][ T5249] dump_stack_lvl+0x1e7/0x2d0 [ 131.454119][ T5251] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 131.463234][ T5249] ? nf_tcp_handle_invalid+0x650/0x650 [ 131.463275][ T5249] ? panic+0x770/0x770 [ 131.463301][ T5249] ? kobject_uevent_env+0x54e/0x8e0 [ 131.463339][ T5249] gfs2_withdraw+0xf48/0x1550 [ 131.502132][ T5249] ? gfs2_lm+0x240/0x240 [ 131.506411][ T5249] ? gfs2_dirent_scan+0xb2/0x640 [ 131.511364][ T5249] ? panic+0x770/0x770 [ 131.515455][ T5249] ? gfs2_consist_inode_i+0xf5/0x110 [ 131.520776][ T5249] gfs2_dirent_scan+0x512/0x640 [ 131.525649][ T5249] ? gfs2_permission+0x268/0x3c0 [ 131.530607][ T5249] ? gfs2_dirent_search+0x8c0/0x8c0 [ 131.535843][ T5249] gfs2_dirent_search+0x30e/0x8c0 [ 131.540884][ T5249] ? gfs2_dirent_search+0x8c0/0x8c0 [ 131.546094][ T5249] ? generic_permission+0x1df/0x550 [ 131.551304][ T5249] ? gfs2_dir_search+0x2f0/0x2f0 [ 131.556252][ T5249] ? gfs2_permission+0x34a/0x3c0 [ 131.561226][ T5249] gfs2_dir_search+0xb2/0x2f0 [ 131.565917][ T5249] ? do_filldir_main+0x520/0x520 [ 131.570866][ T5249] ? inode_go_held+0xea/0x200 [ 131.575565][ T5249] ? gfs2_glock_wait+0x21a/0x2b0 [ 131.580532][ T5249] gfs2_lookupi+0x460/0x5d0 [ 131.585148][ T5249] ? gfs2_lookup_simple+0x180/0x180 [ 131.590714][ T5249] ? __gfs2_lookup+0xa4/0x270 [ 131.595500][ T5249] ? d_alloc_parallel+0x1262/0x13a0 [ 131.602022][ T5249] __gfs2_lookup+0xa4/0x270 [ 131.606553][ T5249] ? gfs2_atomic_open+0x230/0x230 [ 131.611597][ T5249] ? __init_waitqueue_head+0xae/0x150 [ 131.616992][ T5249] __lookup_slow+0x282/0x3e0 [ 131.621595][ T5249] ? lookup_one_len+0x2d0/0x2d0 [ 131.626485][ T5249] ? down_read+0x1b5/0x2f0 [ 131.630934][ T5249] lookup_slow+0x53/0x70 [ 131.635195][ T5249] link_path_walk+0x9c8/0xe70 [ 131.639905][ T5249] ? handle_lookup_down+0x130/0x130 [ 131.645152][ T5249] ? lockdep_hardirqs_on+0x98/0x140 [ 131.650411][ T5249] path_lookupat+0xa9/0x450 [ 131.654955][ T5249] do_o_path+0x95/0x230 [ 131.660445][ T5249] ? do_tmpfile+0x330/0x330 [ 131.664967][ T5249] ? __alloc_file+0x15a/0x230 [ 131.669668][ T5249] path_openat+0x29f0/0x3170 [ 131.674273][ T5249] ? __stack_depot_save+0x20/0x650 [ 131.679406][ T5249] ? mark_lock+0x9a/0x340 [ 131.683752][ T5249] ? kmem_cache_alloc+0x11f/0x2e0 [ 131.688808][ T5249] ? mark_lock+0x9a/0x340 [ 131.693208][ T5249] ? __lock_acquire+0x1295/0x2000 [ 131.698280][ T5249] ? do_filp_open+0x490/0x490 [ 131.703013][ T5249] do_filp_open+0x234/0x490 [ 131.707545][ T5249] ? vfs_tmpfile+0x4a0/0x4a0 [ 131.712165][ T5249] ? _raw_spin_unlock+0x28/0x40 [ 131.717028][ T5249] ? alloc_fd+0x59c/0x640 [ 131.721388][ T5249] do_sys_openat2+0x13f/0x500 [ 131.726080][ T5249] ? print_irqtrace_events+0x220/0x220 [ 131.731559][ T5249] ? do_sys_open+0x230/0x230 [ 131.736180][ T5249] ? lockdep_hardirqs_on+0x98/0x140 [ 131.741399][ T5249] ? _raw_spin_unlock_irq+0x2e/0x50 [ 131.746604][ T5249] ? ptrace_notify+0x278/0x380 [ 131.751380][ T5249] __x64_sys_openat+0x247/0x290 [ 131.756247][ T5249] ? __ia32_sys_open+0x270/0x270 [ 131.761219][ T5249] ? syscall_enter_from_user_mode+0x32/0x230 [ 131.767213][ T5249] ? syscall_enter_from_user_mode+0x8c/0x230 [ 131.773208][ T5249] do_syscall_64+0x41/0xc0 [ 131.777655][ T5249] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 131.783575][ T5249] RIP: 0033:0x7f0100724159 [ 131.788000][ T5249] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 131.807615][ T5249] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 131.816040][ T5249] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 131.824022][ T5249] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5252] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5249] <... openat resumed>) = -1 EIO (Input/output error) [pid 5249] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5249] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5251] <... openat resumed>) = -1 EIO (Input/output error) [pid 5251] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5251] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5248] exit_group(0 [pid 5252] <... futex resumed>) = ? [pid 5248] <... exit_group resumed>) = ? [pid 5252] +++ exited with 0 +++ [pid 5249] <... futex resumed>) = ? [pid 5251] <... futex resumed>) = ? [pid 5249] +++ exited with 0 +++ [pid 5251] +++ exited with 0 +++ [pid 5248] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5248, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=44 /* 0.44 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./58", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./58", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./58/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./58/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./58/binderfs") = 0 [ 131.832001][ T5249] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 131.839985][ T5249] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 131.847989][ T5249] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 131.856024][ T5249] umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./58/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./58/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./58/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./58") = 0 mkdir("./59", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5253 ./strace-static-x86_64: Process 5253 attached [pid 5253] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5253] chdir("./59") = 0 [pid 5253] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5253] setpgid(0, 0) = 0 [pid 5253] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5253] write(3, "1000", 4) = 4 [pid 5253] close(3) = 0 [pid 5253] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5253] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5253] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5253] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5253] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5254], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5254 [pid 5253] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5253] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5254 attached [pid 5254] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5254] memfd_create("syzkaller", 0) = 3 [pid 5254] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5254] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5254] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5254] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5254] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5254] close(3) = 0 [pid 5254] mkdir("./file0", 0777) = 0 [ 132.248028][ T5254] loop0: detected capacity change from 0 to 32768 [ 132.258471][ T5254] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 132.267266][ T5254] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 132.277326][ T5254] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 132.286013][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 132.292938][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5254] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5254] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5254] chdir("./file0") = 0 [pid 5254] ioctl(4, LOOP_CLR_FD) = 0 [pid 5254] close(4) = 0 [pid 5254] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5253] <... futex resumed>) = 0 [pid 5254] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 5253] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5254] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5253] <... futex resumed>) = 0 [ 132.330228][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 132.337863][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 132.343173][ T5254] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 132.369265][ T5254] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 132.378147][ T5254] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 132.378147][ T5254] inode = 12 2341 [ 132.378147][ T5254] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 132.397158][ T5254] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 132.406336][ T5254] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5254 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 132.416663][ T5254] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5253] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5253] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5253] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5253] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5253] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5256], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5256 [pid 5253] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5253] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5256 attached [pid 5256] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5256] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5256] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5253] <... futex resumed>) = 0 [pid 5253] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5253] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5256] <... futex resumed>) = 1 [pid 5256] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5256] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5253] <... futex resumed>) = 0 [pid 5256] <... futex resumed>) = 1 [ 132.425196][ T5254] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 132.432471][ T5254] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 132.441300][ T5254] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 132.448993][ T5254] gfs2: fsid=syz:syz.0: File system withdrawn [ 132.455253][ T5254] CPU: 1 PID: 5254 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 132.465693][ T5254] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 132.475778][ T5254] Call Trace: [ 132.479081][ T5254] [ 132.482035][ T5254] dump_stack_lvl+0x1e7/0x2d0 [ 132.486736][ T5254] ? nf_tcp_handle_invalid+0x650/0x650 [ 132.492221][ T5254] ? panic+0x770/0x770 [ 132.496317][ T5254] ? kobject_uevent_env+0x54e/0x8e0 [ 132.501568][ T5254] gfs2_withdraw+0xf48/0x1550 [ 132.506310][ T5254] ? gfs2_lm+0x240/0x240 [ 132.510596][ T5254] ? gfs2_dirent_scan+0xb2/0x640 [ 132.515579][ T5254] ? panic+0x770/0x770 [ 132.519687][ T5254] ? gfs2_consist_inode_i+0xf5/0x110 [ 132.525001][ T5254] gfs2_dirent_scan+0x512/0x640 [ 132.529882][ T5254] ? gfs2_permission+0x268/0x3c0 [ 132.534857][ T5254] ? gfs2_dirent_search+0x8c0/0x8c0 [ 132.540084][ T5254] gfs2_dirent_search+0x30e/0x8c0 [ 132.545148][ T5254] ? gfs2_dirent_search+0x8c0/0x8c0 [ 132.550368][ T5254] ? generic_permission+0x1df/0x550 [ 132.555609][ T5254] ? gfs2_dir_search+0x2f0/0x2f0 [ 132.560563][ T5254] ? gfs2_permission+0x34a/0x3c0 [ 132.565528][ T5254] gfs2_dir_search+0xb2/0x2f0 [ 132.570222][ T5254] ? do_filldir_main+0x520/0x520 [ 132.575171][ T5254] ? inode_go_held+0xea/0x200 [ 132.579862][ T5254] ? gfs2_glock_wait+0x21a/0x2b0 [ 132.584819][ T5254] gfs2_lookupi+0x460/0x5d0 [ 132.589350][ T5254] ? gfs2_lookup_simple+0x180/0x180 [ 132.594585][ T5254] ? __gfs2_lookup+0xa4/0x270 [ 132.599293][ T5254] ? d_alloc_parallel+0x1262/0x13a0 [ 132.604513][ T5254] __gfs2_lookup+0xa4/0x270 [ 132.609042][ T5254] ? gfs2_atomic_open+0x230/0x230 [ 132.614093][ T5254] ? __init_waitqueue_head+0xae/0x150 [ 132.619487][ T5254] __lookup_slow+0x282/0x3e0 [ 132.624089][ T5254] ? lookup_one_len+0x2d0/0x2d0 [ 132.628967][ T5254] ? down_read+0x1b5/0x2f0 [ 132.633430][ T5254] lookup_slow+0x53/0x70 [ 132.637693][ T5254] link_path_walk+0x9c8/0xe70 [ 132.642399][ T5254] ? handle_lookup_down+0x130/0x130 [ 132.647623][ T5254] ? lockdep_hardirqs_on+0x98/0x140 [ 132.652927][ T5254] path_lookupat+0xa9/0x450 [ 132.657451][ T5254] do_o_path+0x95/0x230 [ 132.661632][ T5254] ? do_tmpfile+0x330/0x330 [ 132.666153][ T5254] ? __alloc_file+0x15a/0x230 [ 132.670847][ T5254] path_openat+0x29f0/0x3170 [ 132.675479][ T5254] ? __stack_depot_save+0x20/0x650 [ 132.680628][ T5254] ? __lock_acquire+0x1295/0x2000 [ 132.685678][ T5254] ? mark_lock+0x9a/0x340 [ 132.690030][ T5254] ? kmem_cache_alloc+0x11f/0x2e0 [ 132.695063][ T5254] ? mark_lock+0x9a/0x340 [ 132.699413][ T5254] ? __lock_acquire+0x1295/0x2000 [ 132.704451][ T5254] ? do_filp_open+0x490/0x490 [ 132.709154][ T5254] do_filp_open+0x234/0x490 [ 132.713683][ T5254] ? vfs_tmpfile+0x4a0/0x4a0 [ 132.718309][ T5254] ? _raw_spin_unlock+0x28/0x40 [ 132.723169][ T5254] ? alloc_fd+0x59c/0x640 [ 132.727528][ T5254] do_sys_openat2+0x13f/0x500 [ 132.732217][ T5254] ? print_irqtrace_events+0x220/0x220 [ 132.737700][ T5254] ? do_sys_open+0x230/0x230 [ 132.742306][ T5254] ? lockdep_hardirqs_on+0x98/0x140 [ 132.747519][ T5254] ? _raw_spin_unlock_irq+0x2e/0x50 [ 132.752725][ T5254] ? ptrace_notify+0x278/0x380 [ 132.757680][ T5254] __x64_sys_openat+0x247/0x290 [ 132.762550][ T5254] ? __ia32_sys_open+0x270/0x270 [ 132.767508][ T5254] ? syscall_enter_from_user_mode+0x32/0x230 [ 132.773502][ T5254] ? syscall_enter_from_user_mode+0x8c/0x230 [ 132.779495][ T5254] do_syscall_64+0x41/0xc0 [ 132.783930][ T5254] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 132.789842][ T5254] RIP: 0033:0x7f0100724159 [ 132.794267][ T5254] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 132.813885][ T5254] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 132.822318][ T5254] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5256] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5254] <... openat resumed>) = -1 EIO (Input/output error) [pid 5254] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5254] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5253] exit_group(0 [pid 5256] <... futex resumed>) = ? [pid 5254] <... futex resumed>) = ? [pid 5253] <... exit_group resumed>) = ? [pid 5256] +++ exited with 0 +++ [pid 5254] +++ exited with 0 +++ [pid 5253] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5253, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=33 /* 0.33 s */} --- umount2("./59", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./59", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./59/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./59/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 [ 132.830302][ T5254] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 132.838283][ T5254] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 132.846258][ T5254] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 132.854244][ T5254] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 132.862251][ T5254] unlink("./59/binderfs") = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./59/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./59/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./59/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./59") = 0 mkdir("./60", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5257 ./strace-static-x86_64: Process 5257 attached [pid 5257] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5257] chdir("./60") = 0 [pid 5257] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5257] setpgid(0, 0) = 0 [pid 5257] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5257] write(3, "1000", 4) = 4 [pid 5257] close(3) = 0 [pid 5257] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5257] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5257] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5257] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5257] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5258], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5258 [pid 5257] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5257] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5258 attached [pid 5258] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5258] memfd_create("syzkaller", 0) = 3 [pid 5258] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5258] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5258] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5258] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5258] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5258] close(3) = 0 [pid 5258] mkdir("./file0", 0777) = 0 [ 133.273931][ T5258] loop0: detected capacity change from 0 to 32768 [ 133.286525][ T5258] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 133.295219][ T5258] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 133.304979][ T5258] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 133.314136][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 133.321297][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5258] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5258] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5258] chdir("./file0") = 0 [pid 5258] ioctl(4, LOOP_CLR_FD) = 0 [pid 5258] close(4) = 0 [pid 5258] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5257] <... futex resumed>) = 0 [pid 5258] <... futex resumed>) = 1 [pid 5257] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5258] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5257] <... futex resumed>) = 0 [ 133.363956][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 133.372429][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 133.378052][ T5258] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 133.390737][ T5258] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 133.399497][ T5258] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 133.399497][ T5258] inode = 12 2341 [pid 5257] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 133.399497][ T5258] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 133.418908][ T5258] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 133.428585][ T5258] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5258 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 133.439689][ T5258] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 133.448576][ T5258] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 133.455896][ T5258] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5257] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5257] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5257] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5257] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5260], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5260 [pid 5257] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 133.465205][ T5258] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 133.472438][ T5258] gfs2: fsid=syz:syz.0: File system withdrawn [ 133.479257][ T5258] CPU: 0 PID: 5258 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 133.489722][ T5258] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 133.499898][ T5258] Call Trace: [ 133.503218][ T5258] [ 133.506162][ T5258] dump_stack_lvl+0x1e7/0x2d0 [pid 5257] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5260 attached [pid 5260] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5260] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5260] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5257] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5260] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5257] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5260] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5257] <... futex resumed>) = 0 [pid 5260] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 5257] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5260] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5260] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5257] <... futex resumed>) = 0 [ 133.510879][ T5258] ? nf_tcp_handle_invalid+0x650/0x650 [ 133.516371][ T5258] ? panic+0x770/0x770 [ 133.520479][ T5258] ? kobject_uevent_env+0x54e/0x8e0 [ 133.525728][ T5258] gfs2_withdraw+0xf48/0x1550 [ 133.530450][ T5258] ? gfs2_lm+0x240/0x240 [ 133.534741][ T5258] ? gfs2_dirent_scan+0xb2/0x640 [ 133.539722][ T5258] ? panic+0x770/0x770 [ 133.543853][ T5258] ? gfs2_consist_inode_i+0xf5/0x110 [ 133.549198][ T5258] gfs2_dirent_scan+0x512/0x640 [ 133.554111][ T5258] ? gfs2_permission+0x268/0x3c0 [ 133.559110][ T5258] ? gfs2_dirent_search+0x8c0/0x8c0 [ 133.564356][ T5258] gfs2_dirent_search+0x30e/0x8c0 [ 133.569513][ T5258] ? gfs2_dirent_search+0x8c0/0x8c0 [ 133.574738][ T5258] ? generic_permission+0x1df/0x550 [ 133.579973][ T5258] ? gfs2_dir_search+0x2f0/0x2f0 [ 133.584949][ T5258] ? gfs2_permission+0x34a/0x3c0 [ 133.589925][ T5258] gfs2_dir_search+0xb2/0x2f0 [ 133.594616][ T5258] ? do_filldir_main+0x520/0x520 [ 133.599579][ T5258] ? inode_go_held+0xea/0x200 [ 133.604271][ T5258] ? gfs2_glock_wait+0x21a/0x2b0 [ 133.609273][ T5258] gfs2_lookupi+0x460/0x5d0 [ 133.613837][ T5258] ? gfs2_lookup_simple+0x180/0x180 [ 133.619093][ T5258] ? __gfs2_lookup+0xa4/0x270 [ 133.623808][ T5258] ? d_alloc_parallel+0x1262/0x13a0 [ 133.629047][ T5258] __gfs2_lookup+0xa4/0x270 [ 133.633568][ T5258] ? gfs2_atomic_open+0x230/0x230 [ 133.638723][ T5258] ? __init_waitqueue_head+0xae/0x150 [ 133.644151][ T5258] __lookup_slow+0x282/0x3e0 [ 133.648775][ T5258] ? lookup_one_len+0x2d0/0x2d0 [ 133.653667][ T5258] ? down_read+0x1b5/0x2f0 [ 133.658101][ T5258] lookup_slow+0x53/0x70 [pid 5260] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5257] exit_group(0 [pid 5260] <... futex resumed>) = ? [pid 5257] <... exit_group resumed>) = ? [pid 5260] +++ exited with 0 +++ [ 133.662357][ T5258] link_path_walk+0x9c8/0xe70 [ 133.667059][ T5258] ? handle_lookup_down+0x130/0x130 [ 133.672281][ T5258] ? lockdep_hardirqs_on+0x98/0x140 [ 133.677523][ T5258] path_lookupat+0xa9/0x450 [ 133.682059][ T5258] do_o_path+0x95/0x230 [ 133.686252][ T5258] ? do_tmpfile+0x330/0x330 [ 133.690771][ T5258] ? __alloc_file+0x15a/0x230 [ 133.695475][ T5258] path_openat+0x29f0/0x3170 [ 133.700106][ T5258] ? __stack_depot_save+0x20/0x650 [ 133.705246][ T5258] ? mark_lock+0x9a/0x340 [ 133.709631][ T5258] ? kmem_cache_alloc+0x11f/0x2e0 [ 133.714707][ T5258] ? mark_lock+0x9a/0x340 [ 133.719059][ T5258] ? __lock_acquire+0x1295/0x2000 [ 133.724211][ T5258] ? do_filp_open+0x490/0x490 [ 133.728922][ T5258] do_filp_open+0x234/0x490 [ 133.733453][ T5258] ? vfs_tmpfile+0x4a0/0x4a0 [ 133.738090][ T5258] ? _raw_spin_unlock+0x28/0x40 [ 133.742971][ T5258] ? alloc_fd+0x59c/0x640 [ 133.747323][ T5258] do_sys_openat2+0x13f/0x500 [ 133.752016][ T5258] ? print_irqtrace_events+0x220/0x220 [ 133.757495][ T5258] ? do_sys_open+0x230/0x230 [ 133.762120][ T5258] ? lockdep_hardirqs_on+0x98/0x140 [ 133.767353][ T5258] ? _raw_spin_unlock_irq+0x2e/0x50 [ 133.772564][ T5258] ? ptrace_notify+0x278/0x380 [ 133.777342][ T5258] __x64_sys_openat+0x247/0x290 [ 133.782222][ T5258] ? __ia32_sys_open+0x270/0x270 [ 133.787212][ T5258] ? syscall_enter_from_user_mode+0x32/0x230 [ 133.793219][ T5258] ? syscall_enter_from_user_mode+0x8c/0x230 [ 133.799238][ T5258] do_syscall_64+0x41/0xc0 [ 133.803672][ T5258] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 133.809592][ T5258] RIP: 0033:0x7f0100724159 [ 133.814012][ T5258] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 133.833631][ T5258] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 133.842064][ T5258] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 133.850065][ T5258] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 133.858074][ T5258] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [pid 5258] <... openat resumed>) = ? [pid 5258] +++ exited with 0 +++ [pid 5257] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5257, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./60", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./60", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./60/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./60/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./60/binderfs") = 0 [ 133.866184][ T5258] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 133.874181][ T5258] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 133.882184][ T5258] umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./60/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./60/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./60/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./60") = 0 mkdir("./61", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5261 ./strace-static-x86_64: Process 5261 attached [pid 5261] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5261] chdir("./61") = 0 [pid 5261] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5261] setpgid(0, 0) = 0 [pid 5261] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5261] write(3, "1000", 4) = 4 [pid 5261] close(3) = 0 [pid 5261] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5261] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5261] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5261] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5261] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5262 attached , parent_tid=[5262], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5262 [pid 5262] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5261] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5261] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5262] memfd_create("syzkaller", 0) = 3 [pid 5262] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5262] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5262] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5262] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5262] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5262] close(3) = 0 [pid 5262] mkdir("./file0", 0777) = 0 [ 134.285569][ T5262] loop0: detected capacity change from 0 to 32768 [ 134.298793][ T5262] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 134.307253][ T5262] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 134.316680][ T5262] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 134.325831][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 134.332758][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5262] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5262] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5262] chdir("./file0") = 0 [pid 5262] ioctl(4, LOOP_CLR_FD) = 0 [pid 5262] close(4) = 0 [pid 5262] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5262] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5261] <... futex resumed>) = 0 [pid 5261] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5261] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5262] <... futex resumed>) = 0 [ 134.376484][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 134.384896][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 134.390454][ T5262] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 134.414486][ T5262] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5262] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5261] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5261] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5261] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5261] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5261] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5264], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5264 [pid 5261] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5261] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5264 attached [pid 5264] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 134.423541][ T5262] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 134.423541][ T5262] inode = 12 2341 [ 134.423541][ T5262] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 134.442424][ T5262] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 134.451603][ T5262] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5262 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 134.462637][ T5262] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 134.471406][ T5262] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 134.471412][ T5264] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 134.471435][ T5264] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 134.479639][ T5262] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 134.487430][ T5264] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5262 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 134.496954][ T5262] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [pid 5264] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5261] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5261] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5261] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5261] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5261] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5265], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5265 [pid 5261] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5261] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5265 attached [pid 5265] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5265] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5265] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5265] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5261] <... futex resumed>) = 0 [ 134.505344][ T5264] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5264 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 134.516220][ T5262] gfs2: fsid=syz:syz.0: File system withdrawn [ 134.523862][ T5264] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 134.539946][ T5262] CPU: 1 PID: 5262 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 134.556922][ T5262] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 134.567003][ T5262] Call Trace: [ 134.570311][ T5262] [ 134.573260][ T5262] dump_stack_lvl+0x1e7/0x2d0 [ 134.577967][ T5262] ? nf_tcp_handle_invalid+0x650/0x650 [ 134.583472][ T5262] ? panic+0x770/0x770 [ 134.587556][ T5262] ? kobject_uevent_env+0x54e/0x8e0 [ 134.592776][ T5262] gfs2_withdraw+0xf48/0x1550 [ 134.597489][ T5262] ? gfs2_lm+0x240/0x240 [ 134.601751][ T5262] ? gfs2_dirent_scan+0xb2/0x640 [ 134.606706][ T5262] ? panic+0x770/0x770 [ 134.610791][ T5262] ? gfs2_consist_inode_i+0xf5/0x110 [ 134.616096][ T5262] gfs2_dirent_scan+0x512/0x640 [ 134.620980][ T5262] ? gfs2_permission+0x268/0x3c0 [pid 5261] exit_group(0 [pid 5265] <... futex resumed>) = ? [ 134.625955][ T5262] ? gfs2_dirent_search+0x8c0/0x8c0 [ 134.631180][ T5262] gfs2_dirent_search+0x30e/0x8c0 [ 134.636242][ T5262] ? gfs2_dirent_search+0x8c0/0x8c0 [ 134.641485][ T5262] ? generic_permission+0x1df/0x550 [ 134.646705][ T5262] ? gfs2_dir_search+0x2f0/0x2f0 [ 134.651677][ T5262] ? gfs2_permission+0x34a/0x3c0 [ 134.656640][ T5262] gfs2_dir_search+0xb2/0x2f0 [ 134.661338][ T5262] ? do_filldir_main+0x520/0x520 [ 134.666290][ T5262] ? inode_go_held+0xea/0x200 [ 134.670996][ T5262] ? gfs2_glock_wait+0x21a/0x2b0 [pid 5261] <... exit_group resumed>) = ? [pid 5265] +++ exited with 0 +++ [ 134.675986][ T5262] gfs2_lookupi+0x460/0x5d0 [ 134.680567][ T5262] ? gfs2_lookup_simple+0x180/0x180 [ 134.685788][ T5262] ? __gfs2_lookup+0xa4/0x270 [ 134.690494][ T5262] ? d_alloc_parallel+0x1262/0x13a0 [ 134.695701][ T5262] __gfs2_lookup+0xa4/0x270 [ 134.700227][ T5262] ? gfs2_atomic_open+0x230/0x230 [ 134.705273][ T5262] ? __init_waitqueue_head+0xae/0x150 [ 134.710755][ T5262] __lookup_slow+0x282/0x3e0 [ 134.715367][ T5262] ? lookup_one_len+0x2d0/0x2d0 [ 134.720262][ T5262] ? down_read+0x1b5/0x2f0 [ 134.724807][ T5262] lookup_slow+0x53/0x70 [ 134.729072][ T5262] link_path_walk+0x9c8/0xe70 [ 134.733792][ T5262] ? handle_lookup_down+0x130/0x130 [ 134.739011][ T5262] ? lockdep_hardirqs_on+0x98/0x140 [ 134.744238][ T5262] path_lookupat+0xa9/0x450 [ 134.748770][ T5262] do_o_path+0x95/0x230 [ 134.752935][ T5262] ? do_tmpfile+0x330/0x330 [ 134.757464][ T5262] ? __alloc_file+0x15a/0x230 [ 134.762148][ T5262] path_openat+0x29f0/0x3170 [ 134.766741][ T5262] ? __stack_depot_save+0x20/0x650 [ 134.771878][ T5262] ? mark_lock+0x9a/0x340 [ 134.776223][ T5262] ? kmem_cache_alloc+0x11f/0x2e0 [ 134.781261][ T5262] ? mark_lock+0x9a/0x340 [ 134.785600][ T5262] ? __lock_acquire+0x1295/0x2000 [ 134.790646][ T5262] ? do_filp_open+0x490/0x490 [ 134.795338][ T5262] do_filp_open+0x234/0x490 [ 134.799848][ T5262] ? vfs_tmpfile+0x4a0/0x4a0 [ 134.804460][ T5262] ? _raw_spin_unlock+0x28/0x40 [ 134.809314][ T5262] ? alloc_fd+0x59c/0x640 [ 134.813679][ T5262] do_sys_openat2+0x13f/0x500 [ 134.818379][ T5262] ? print_irqtrace_events+0x220/0x220 [ 134.823943][ T5262] ? do_sys_open+0x230/0x230 [ 134.828543][ T5262] ? lockdep_hardirqs_on+0x98/0x140 [ 134.833759][ T5262] ? _raw_spin_unlock_irq+0x2e/0x50 [ 134.839047][ T5262] ? ptrace_notify+0x278/0x380 [ 134.843821][ T5262] __x64_sys_openat+0x247/0x290 [ 134.848685][ T5262] ? __ia32_sys_open+0x270/0x270 [ 134.853633][ T5262] ? syscall_enter_from_user_mode+0x32/0x230 [ 134.859632][ T5262] ? syscall_enter_from_user_mode+0x8c/0x230 [ 134.865629][ T5262] do_syscall_64+0x41/0xc0 [ 134.870057][ T5262] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 134.875954][ T5262] RIP: 0033:0x7f0100724159 [ 134.880369][ T5262] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 134.900256][ T5262] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 134.908684][ T5262] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 134.916673][ T5262] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5262] <... openat resumed>) = ? [pid 5262] +++ exited with 0 +++ [pid 5264] <... openat resumed>) = ? [pid 5264] +++ exited with 0 +++ [pid 5261] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5261, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=43 /* 0.43 s */} --- umount2("./61", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./61", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./61/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./61/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./61/binderfs") = 0 [ 134.924648][ T5262] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 134.932623][ T5262] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 134.940601][ T5262] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 134.948590][ T5262] umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./61/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./61/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./61/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./61") = 0 mkdir("./62", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5266 ./strace-static-x86_64: Process 5266 attached [pid 5266] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5266] chdir("./62") = 0 [pid 5266] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5266] setpgid(0, 0) = 0 [pid 5266] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5266] write(3, "1000", 4) = 4 [pid 5266] close(3) = 0 [pid 5266] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5266] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5266] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5266] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5266] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5267 attached [pid 5267] set_robust_list(0x7f01006c89e0, 24 [pid 5266] <... clone resumed>, parent_tid=[5267], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5267 [pid 5267] <... set_robust_list resumed>) = 0 [pid 5266] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5266] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5267] memfd_create("syzkaller", 0) = 3 [pid 5267] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5267] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5267] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5267] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5267] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5267] close(3) = 0 [pid 5267] mkdir("./file0", 0777) = 0 [ 135.341238][ T5267] loop0: detected capacity change from 0 to 32768 [ 135.353521][ T5267] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 135.361910][ T5267] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 135.372480][ T5267] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 135.381330][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 135.388202][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5267] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5267] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5267] chdir("./file0") = 0 [pid 5267] ioctl(4, LOOP_CLR_FD) = 0 [pid 5267] close(4) = 0 [pid 5267] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5266] <... futex resumed>) = 0 [pid 5266] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5266] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5267] <... futex resumed>) = 1 [ 135.436854][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 48ms [ 135.445351][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 135.451070][ T5267] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 135.470445][ T5267] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 135.479110][ T5267] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5267] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5266] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5266] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5266] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5266] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5266] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5269], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5269 [pid 5266] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5266] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5269 attached [pid 5269] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5269] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5269] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5266] <... futex resumed>) = 0 [pid 5266] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5266] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5269] <... futex resumed>) = 1 [ 135.479110][ T5267] inode = 12 2341 [ 135.479110][ T5267] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 135.498160][ T5267] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 135.508029][ T5267] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5267 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 135.518143][ T5267] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 135.526610][ T5267] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5269] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5269] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5266] <... futex resumed>) = 0 [pid 5269] <... futex resumed>) = 1 [ 135.534676][ T5267] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 135.544278][ T5267] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 135.551035][ T5267] gfs2: fsid=syz:syz.0: File system withdrawn [ 135.557175][ T5267] CPU: 1 PID: 5267 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 135.567622][ T5267] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 135.577691][ T5267] Call Trace: [ 135.580993][ T5267] [ 135.583956][ T5267] dump_stack_lvl+0x1e7/0x2d0 [ 135.588692][ T5267] ? nf_tcp_handle_invalid+0x650/0x650 [ 135.594227][ T5267] ? panic+0x770/0x770 [ 135.598352][ T5267] ? kobject_uevent_env+0x54e/0x8e0 [ 135.603580][ T5267] gfs2_withdraw+0xf48/0x1550 [ 135.608302][ T5267] ? gfs2_lm+0x240/0x240 [ 135.612572][ T5267] ? gfs2_dirent_scan+0xb2/0x640 [ 135.617567][ T5267] ? panic+0x770/0x770 [ 135.621744][ T5267] ? gfs2_consist_inode_i+0xf5/0x110 [ 135.627070][ T5267] gfs2_dirent_scan+0x512/0x640 [ 135.631937][ T5267] ? gfs2_permission+0x268/0x3c0 [ 135.636901][ T5267] ? gfs2_dirent_search+0x8c0/0x8c0 [ 135.642119][ T5267] gfs2_dirent_search+0x30e/0x8c0 [ 135.647164][ T5267] ? gfs2_dirent_search+0x8c0/0x8c0 [ 135.652382][ T5267] ? generic_permission+0x1df/0x550 [ 135.657592][ T5267] ? gfs2_dir_search+0x2f0/0x2f0 [ 135.662541][ T5267] ? gfs2_permission+0x34a/0x3c0 [ 135.667516][ T5267] gfs2_dir_search+0xb2/0x2f0 [ 135.672211][ T5267] ? do_filldir_main+0x520/0x520 [ 135.677164][ T5267] ? inode_go_held+0xea/0x200 [ 135.681860][ T5267] ? gfs2_glock_wait+0x21a/0x2b0 [ 135.686931][ T5267] gfs2_lookupi+0x460/0x5d0 [ 135.691455][ T5267] ? gfs2_lookup_simple+0x180/0x180 [ 135.696674][ T5267] ? __gfs2_lookup+0xa4/0x270 [ 135.701361][ T5267] ? d_alloc_parallel+0x1262/0x13a0 [ 135.706583][ T5267] __gfs2_lookup+0xa4/0x270 [ 135.711099][ T5267] ? gfs2_atomic_open+0x230/0x230 [ 135.716138][ T5267] ? __init_waitqueue_head+0xae/0x150 [ 135.721546][ T5267] __lookup_slow+0x282/0x3e0 [ 135.726148][ T5267] ? lookup_one_len+0x2d0/0x2d0 [ 135.731053][ T5267] ? down_read+0x1b5/0x2f0 [ 135.735509][ T5267] lookup_slow+0x53/0x70 [ 135.739779][ T5267] link_path_walk+0x9c8/0xe70 [ 135.744500][ T5267] ? handle_lookup_down+0x130/0x130 [ 135.749733][ T5267] ? lockdep_hardirqs_on+0x98/0x140 [ 135.754950][ T5267] path_lookupat+0xa9/0x450 [ 135.759484][ T5267] do_o_path+0x95/0x230 [ 135.763658][ T5267] ? do_tmpfile+0x330/0x330 [ 135.768177][ T5267] ? __alloc_file+0x15a/0x230 [ 135.772870][ T5267] path_openat+0x29f0/0x3170 [ 135.777479][ T5267] ? __stack_depot_save+0x20/0x650 [ 135.782607][ T5267] ? mark_lock+0x9a/0x340 [ 135.786950][ T5267] ? kmem_cache_alloc+0x11f/0x2e0 [ 135.792024][ T5267] ? mark_lock+0x9a/0x340 [ 135.796392][ T5267] ? __lock_acquire+0x1295/0x2000 [ 135.801443][ T5267] ? do_filp_open+0x490/0x490 [ 135.806241][ T5267] do_filp_open+0x234/0x490 [ 135.810765][ T5267] ? vfs_tmpfile+0x4a0/0x4a0 [ 135.815401][ T5267] ? _raw_spin_unlock+0x28/0x40 [ 135.820264][ T5267] ? alloc_fd+0x59c/0x640 [ 135.824645][ T5267] do_sys_openat2+0x13f/0x500 [ 135.829459][ T5267] ? print_irqtrace_events+0x220/0x220 [ 135.834949][ T5267] ? do_sys_open+0x230/0x230 [ 135.839562][ T5267] ? lockdep_hardirqs_on+0x98/0x140 [ 135.844773][ T5267] ? _raw_spin_unlock_irq+0x2e/0x50 [ 135.849999][ T5267] ? ptrace_notify+0x278/0x380 [ 135.854790][ T5267] __x64_sys_openat+0x247/0x290 [ 135.859666][ T5267] ? __ia32_sys_open+0x270/0x270 [ 135.864652][ T5267] ? syscall_enter_from_user_mode+0x32/0x230 [ 135.870755][ T5267] ? syscall_enter_from_user_mode+0x8c/0x230 [ 135.876770][ T5267] do_syscall_64+0x41/0xc0 [ 135.881221][ T5267] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 135.887135][ T5267] RIP: 0033:0x7f0100724159 [ 135.891566][ T5267] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 135.911199][ T5267] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 135.919654][ T5267] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 135.927646][ T5267] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5269] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5267] <... openat resumed>) = -1 EIO (Input/output error) [pid 5267] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5267] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5266] exit_group(0 [pid 5267] <... futex resumed>) = ? [pid 5266] <... exit_group resumed>) = ? [pid 5269] <... futex resumed>) = ? [pid 5267] +++ exited with 0 +++ [pid 5269] +++ exited with 0 +++ [pid 5266] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5266, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=38 /* 0.38 s */} --- umount2("./62", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./62", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./62/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./62/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./62/binderfs") = 0 [ 135.935634][ T5267] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 135.943615][ T5267] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 135.951608][ T5267] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 135.959603][ T5267] umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./62/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./62/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./62/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./62") = 0 mkdir("./63", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5270 ./strace-static-x86_64: Process 5270 attached [pid 5270] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5270] chdir("./63") = 0 [pid 5270] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5270] setpgid(0, 0) = 0 [pid 5270] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5270] write(3, "1000", 4) = 4 [pid 5270] close(3) = 0 [pid 5270] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5270] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5270] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5270] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5270] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5271], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5271 ./strace-static-x86_64: Process 5271 attached [pid 5270] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5271] set_robust_list(0x7f01006c89e0, 24 [pid 5270] <... futex resumed>) = 0 [pid 5271] <... set_robust_list resumed>) = 0 [pid 5270] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5271] memfd_create("syzkaller", 0) = 3 [pid 5271] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5271] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5271] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5271] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5271] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5271] close(3) = 0 [pid 5271] mkdir("./file0", 0777) = 0 [ 136.357100][ T5271] loop0: detected capacity change from 0 to 32768 [ 136.369316][ T5271] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 136.377602][ T5271] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 136.387883][ T5271] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 136.396714][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 136.403627][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5271] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5271] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5271] chdir("./file0") = 0 [pid 5271] ioctl(4, LOOP_CLR_FD) = 0 [pid 5271] close(4) = 0 [pid 5271] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5270] <... futex resumed>) = 0 [pid 5271] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5270] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5271] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [ 136.449779][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 136.458229][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 136.463748][ T5271] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5271] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5270] <... futex resumed>) = 0 [ 136.494288][ T5271] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 136.503523][ T5271] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 136.503523][ T5271] inode = 12 2341 [ 136.503523][ T5271] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 136.522660][ T5271] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 136.532658][ T5271] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5271 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5270] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5270] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5270] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5270] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5270] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5273], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5273 [pid 5270] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 136.542771][ T5271] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 136.551340][ T5271] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 136.558763][ T5271] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 136.567723][ T5271] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 136.575326][ T5271] gfs2: fsid=syz:syz.0: File system withdrawn [ 136.581832][ T5271] CPU: 0 PID: 5271 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [pid 5270] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5270] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5270] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [ 136.592307][ T5271] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 136.602379][ T5271] Call Trace: [ 136.605670][ T5271] [ 136.608620][ T5271] dump_stack_lvl+0x1e7/0x2d0 [ 136.613340][ T5271] ? nf_tcp_handle_invalid+0x650/0x650 [ 136.618852][ T5271] ? panic+0x770/0x770 [ 136.622948][ T5271] ? kobject_uevent_env+0x54e/0x8e0 [ 136.628169][ T5271] gfs2_withdraw+0xf48/0x1550 [ 136.632873][ T5271] ? gfs2_lm+0x240/0x240 [ 136.637149][ T5271] ? gfs2_dirent_scan+0xb2/0x640 [pid 5270] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5270] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5274], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5274 [pid 5270] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5270] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5274 attached [pid 5274] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5274] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5274] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5270] <... futex resumed>) = 0 [pid 5274] <... futex resumed>) = 1 [ 136.642215][ T5271] ? panic+0x770/0x770 [ 136.646342][ T5271] ? gfs2_consist_inode_i+0xf5/0x110 [ 136.651696][ T5271] gfs2_dirent_scan+0x512/0x640 [ 136.656604][ T5271] ? gfs2_permission+0x268/0x3c0 [ 136.661593][ T5271] ? gfs2_dirent_search+0x8c0/0x8c0 [ 136.666830][ T5271] gfs2_dirent_search+0x30e/0x8c0 [ 136.671892][ T5271] ? gfs2_dirent_search+0x8c0/0x8c0 [ 136.677103][ T5271] ? generic_permission+0x1df/0x550 [ 136.682366][ T5271] ? gfs2_dir_search+0x2f0/0x2f0 [ 136.687467][ T5271] ? gfs2_permission+0x34a/0x3c0 [ 136.692440][ T5271] gfs2_dir_search+0xb2/0x2f0 [ 136.697159][ T5271] ? do_filldir_main+0x520/0x520 [ 136.702148][ T5271] ? inode_go_held+0xea/0x200 [ 136.706857][ T5271] ? gfs2_glock_wait+0x21a/0x2b0 [ 136.711832][ T5271] gfs2_lookupi+0x460/0x5d0 [ 136.716363][ T5271] ? gfs2_lookup_simple+0x180/0x180 [ 136.721585][ T5271] ? __gfs2_lookup+0xa4/0x270 [ 136.726281][ T5271] ? d_alloc_parallel+0x1262/0x13a0 [ 136.731505][ T5271] __gfs2_lookup+0xa4/0x270 [ 136.736108][ T5271] ? gfs2_atomic_open+0x230/0x230 [ 136.741155][ T5271] ? __init_waitqueue_head+0xae/0x150 [ 136.746554][ T5271] __lookup_slow+0x282/0x3e0 [ 136.751167][ T5271] ? lookup_one_len+0x2d0/0x2d0 [ 136.756068][ T5271] ? down_read+0x1b5/0x2f0 [ 136.760522][ T5271] lookup_slow+0x53/0x70 [ 136.764783][ T5271] link_path_walk+0x9c8/0xe70 [ 136.769506][ T5271] ? handle_lookup_down+0x130/0x130 [ 136.774729][ T5271] ? lockdep_hardirqs_on+0x98/0x140 [ 136.779953][ T5271] path_lookupat+0xa9/0x450 [ 136.784481][ T5271] do_o_path+0x95/0x230 [ 136.788679][ T5271] ? do_tmpfile+0x330/0x330 [ 136.793204][ T5271] ? __alloc_file+0x15a/0x230 [ 136.797899][ T5271] path_openat+0x29f0/0x3170 [ 136.802510][ T5271] ? __stack_depot_save+0x20/0x650 [ 136.807640][ T5271] ? mark_lock+0x9a/0x340 [ 136.812001][ T5271] ? kmem_cache_alloc+0x11f/0x2e0 [ 136.817039][ T5271] ? mark_lock+0x9a/0x340 [ 136.821387][ T5271] ? __lock_acquire+0x1295/0x2000 [ 136.826437][ T5271] ? do_filp_open+0x490/0x490 [ 136.831151][ T5271] do_filp_open+0x234/0x490 [ 136.835674][ T5271] ? vfs_tmpfile+0x4a0/0x4a0 [ 136.840308][ T5271] ? _raw_spin_unlock+0x28/0x40 [ 136.845178][ T5271] ? alloc_fd+0x59c/0x640 [ 136.849540][ T5271] do_sys_openat2+0x13f/0x500 [ 136.854240][ T5271] ? print_irqtrace_events+0x220/0x220 [ 136.859827][ T5271] ? do_sys_open+0x230/0x230 [ 136.864433][ T5271] ? lockdep_hardirqs_on+0x98/0x140 [ 136.869647][ T5271] ? _raw_spin_unlock_irq+0x2e/0x50 [ 136.874882][ T5271] ? ptrace_notify+0x278/0x380 [ 136.879681][ T5271] __x64_sys_openat+0x247/0x290 [ 136.884582][ T5271] ? __ia32_sys_open+0x270/0x270 [ 136.889555][ T5271] ? syscall_enter_from_user_mode+0x32/0x230 [ 136.895559][ T5271] ? syscall_enter_from_user_mode+0x8c/0x230 [ 136.901565][ T5271] do_syscall_64+0x41/0xc0 [ 136.906010][ T5271] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 136.911921][ T5271] RIP: 0033:0x7f0100724159 [ 136.916347][ T5271] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 136.935965][ T5271] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5274] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 5273 attached [pid 5273] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5273] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5273] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5273] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5271] <... openat resumed>) = -1 EIO (Input/output error) [pid 5271] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5271] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5270] exit_group(0 [pid 5273] <... futex resumed>) = ? [pid 5270] <... exit_group resumed>) = ? [pid 5273] +++ exited with 0 +++ [pid 5271] <... futex resumed>) = ? [pid 5274] <... futex resumed>) = ? [pid 5271] +++ exited with 0 +++ [pid 5274] +++ exited with 0 +++ [pid 5270] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5270, si_uid=0, si_status=0, si_utime=0, si_stime=37 /* 0.37 s */} --- umount2("./63", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./63", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./63/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./63/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./63/binderfs") = 0 [ 136.944497][ T5271] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 136.952478][ T5271] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 136.960458][ T5271] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 136.968447][ T5271] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 136.976513][ T5271] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 136.984507][ T5271] umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./63/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./63/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./63/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./63") = 0 mkdir("./64", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5275 ./strace-static-x86_64: Process 5275 attached [pid 5275] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5275] chdir("./64") = 0 [pid 5275] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5275] setpgid(0, 0) = 0 [pid 5275] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5275] write(3, "1000", 4) = 4 [pid 5275] close(3) = 0 [pid 5275] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5275] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5275] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5275] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5276], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5276 [pid 5275] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5276 attached [pid 5276] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5276] memfd_create("syzkaller", 0) = 3 [pid 5276] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5276] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5276] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5276] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5276] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5276] close(3) = 0 [pid 5276] mkdir("./file0", 0777) = 0 [ 137.391151][ T5276] loop0: detected capacity change from 0 to 32768 [ 137.403875][ T5276] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 137.412259][ T5276] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 137.421878][ T5276] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 137.430880][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 137.437826][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5276] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5276] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5276] chdir("./file0") = 0 [pid 5276] ioctl(4, LOOP_CLR_FD) = 0 [pid 5276] close(4) = 0 [pid 5276] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5275] <... futex resumed>) = 0 [pid 5276] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5275] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5276] <... futex resumed>) = 0 [pid 5276] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 137.481032][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 137.489800][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 137.495452][ T5276] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 137.520122][ T5276] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 137.529056][ T5276] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 137.529056][ T5276] inode = 12 2341 [ 137.529056][ T5276] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 137.547864][ T5276] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 137.557035][ T5276] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5276 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 137.567428][ T5276] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5275] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5275] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5275] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5275] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5278], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5278 [pid 5275] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5278 attached [pid 5278] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5278] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5278] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5275] <... futex resumed>) = 0 [pid 5275] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5275] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5278] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5278] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5275] <... futex resumed>) = 0 [ 137.575978][ T5276] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 137.583306][ T5276] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 137.592885][ T5276] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 137.600489][ T5276] gfs2: fsid=syz:syz.0: File system withdrawn [ 137.606752][ T5276] CPU: 1 PID: 5276 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 137.617207][ T5276] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 137.627297][ T5276] Call Trace: [ 137.630625][ T5276] [ 137.633575][ T5276] dump_stack_lvl+0x1e7/0x2d0 [ 137.638462][ T5276] ? nf_tcp_handle_invalid+0x650/0x650 [ 137.643953][ T5276] ? panic+0x770/0x770 [ 137.648052][ T5276] ? kobject_uevent_env+0x54e/0x8e0 [ 137.653297][ T5276] gfs2_withdraw+0xf48/0x1550 [ 137.658025][ T5276] ? gfs2_lm+0x240/0x240 [ 137.662324][ T5276] ? gfs2_dirent_scan+0xb2/0x640 [ 137.667383][ T5276] ? panic+0x770/0x770 [ 137.671471][ T5276] ? gfs2_consist_inode_i+0xf5/0x110 [ 137.676791][ T5276] gfs2_dirent_scan+0x512/0x640 [ 137.681700][ T5276] ? gfs2_permission+0x268/0x3c0 [ 137.686847][ T5276] ? gfs2_dirent_search+0x8c0/0x8c0 [ 137.692082][ T5276] gfs2_dirent_search+0x30e/0x8c0 [ 137.697136][ T5276] ? gfs2_dirent_search+0x8c0/0x8c0 [ 137.702368][ T5276] ? generic_permission+0x1df/0x550 [ 137.708046][ T5276] ? gfs2_dir_search+0x2f0/0x2f0 [ 137.713199][ T5276] ? gfs2_permission+0x34a/0x3c0 [ 137.718178][ T5276] gfs2_dir_search+0xb2/0x2f0 [ 137.722879][ T5276] ? do_filldir_main+0x520/0x520 [ 137.727832][ T5276] ? inode_go_held+0xea/0x200 [ 137.732522][ T5276] ? gfs2_glock_wait+0x21a/0x2b0 [ 137.737507][ T5276] gfs2_lookupi+0x460/0x5d0 [ 137.742058][ T5276] ? gfs2_lookup_simple+0x180/0x180 [ 137.747300][ T5276] ? __gfs2_lookup+0xa4/0x270 [ 137.752008][ T5276] ? d_alloc_parallel+0x1262/0x13a0 [ 137.757241][ T5276] __gfs2_lookup+0xa4/0x270 [ 137.761772][ T5276] ? gfs2_atomic_open+0x230/0x230 [ 137.766818][ T5276] ? __init_waitqueue_head+0xae/0x150 [ 137.772225][ T5276] __lookup_slow+0x282/0x3e0 [ 137.776835][ T5276] ? lookup_one_len+0x2d0/0x2d0 [ 137.781715][ T5276] ? down_read+0x1b5/0x2f0 [ 137.786180][ T5276] lookup_slow+0x53/0x70 [ 137.790439][ T5276] link_path_walk+0x9c8/0xe70 [ 137.795163][ T5276] ? handle_lookup_down+0x130/0x130 [ 137.800386][ T5276] ? lockdep_hardirqs_on+0x98/0x140 [ 137.805618][ T5276] path_lookupat+0xa9/0x450 [ 137.810139][ T5276] do_o_path+0x95/0x230 [ 137.814317][ T5276] ? do_tmpfile+0x330/0x330 [ 137.818842][ T5276] ? __alloc_file+0x15a/0x230 [ 137.823564][ T5276] path_openat+0x29f0/0x3170 [ 137.828177][ T5276] ? __stack_depot_save+0x20/0x650 [ 137.833306][ T5276] ? __lock_acquire+0x1295/0x2000 [ 137.838387][ T5276] ? mark_lock+0x9a/0x340 [ 137.842736][ T5276] ? kmem_cache_alloc+0x11f/0x2e0 [ 137.847782][ T5276] ? mark_lock+0x9a/0x340 [ 137.852143][ T5276] ? __lock_acquire+0x1295/0x2000 [ 137.857278][ T5276] ? do_filp_open+0x490/0x490 [ 137.862007][ T5276] do_filp_open+0x234/0x490 [ 137.866526][ T5276] ? vfs_tmpfile+0x4a0/0x4a0 [ 137.871147][ T5276] ? _raw_spin_unlock+0x28/0x40 [ 137.876009][ T5276] ? alloc_fd+0x59c/0x640 [ 137.880381][ T5276] do_sys_openat2+0x13f/0x500 [ 137.885091][ T5276] ? print_irqtrace_events+0x220/0x220 [ 137.890572][ T5276] ? do_sys_open+0x230/0x230 [ 137.895192][ T5276] ? lockdep_hardirqs_on+0x98/0x140 [ 137.900454][ T5276] ? _raw_spin_unlock_irq+0x2e/0x50 [ 137.905697][ T5276] ? ptrace_notify+0x278/0x380 [ 137.910579][ T5276] __x64_sys_openat+0x247/0x290 [ 137.915489][ T5276] ? __ia32_sys_open+0x270/0x270 [ 137.920758][ T5276] ? syscall_enter_from_user_mode+0x32/0x230 [ 137.927049][ T5276] ? syscall_enter_from_user_mode+0x8c/0x230 [ 137.933060][ T5276] do_syscall_64+0x41/0xc0 [ 137.937509][ T5276] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 137.943421][ T5276] RIP: 0033:0x7f0100724159 [ 137.947879][ T5276] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 137.967500][ T5276] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [pid 5278] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5276] <... openat resumed>) = -1 EIO (Input/output error) [pid 5276] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5276] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5275] exit_group(0 [pid 5276] <... futex resumed>) = ? [pid 5275] <... exit_group resumed>) = ? [pid 5276] +++ exited with 0 +++ [pid 5278] <... futex resumed>) = ? [pid 5278] +++ exited with 0 +++ [pid 5275] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5275, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./64", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./64", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./64/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./64/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./64/binderfs") = 0 [ 137.975962][ T5276] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 137.984190][ T5276] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 137.992173][ T5276] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 138.000240][ T5276] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 138.008224][ T5276] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 138.016237][ T5276] umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./64/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./64/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./64/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./64") = 0 mkdir("./65", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5279 ./strace-static-x86_64: Process 5279 attached [pid 5279] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5279] chdir("./65") = 0 [pid 5279] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5279] setpgid(0, 0) = 0 [pid 5279] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5279] write(3, "1000", 4) = 4 [pid 5279] close(3) = 0 [pid 5279] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5279] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5279] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5279] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5279] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5280], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5280 [pid 5279] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5279] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5280 attached [pid 5280] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5280] memfd_create("syzkaller", 0) = 3 [pid 5280] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5280] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5280] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5280] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5280] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5280] close(3) = 0 [pid 5280] mkdir("./file0", 0777) = 0 [ 138.616323][ T5280] loop0: detected capacity change from 0 to 32768 [ 138.640072][ T5280] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 138.648509][ T5280] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 138.658333][ T5280] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 138.667005][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 138.674270][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5280] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5280] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5280] chdir("./file0") = 0 [pid 5280] ioctl(4, LOOP_CLR_FD) = 0 [pid 5280] close(4) = 0 [pid 5280] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5279] <... futex resumed>) = 0 [pid 5279] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5279] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5280] <... futex resumed>) = 1 [ 138.720777][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 138.730439][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 138.736036][ T5280] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 138.750143][ T5280] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 138.758924][ T5280] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 138.758924][ T5280] inode = 12 2341 [pid 5280] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5279] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5279] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 138.758924][ T5280] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 138.777857][ T5280] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 138.786961][ T5280] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5280 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 138.797120][ T5280] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 138.805711][ T5280] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5279] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5279] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5279] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5282], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5282 [pid 5279] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5279] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5282 attached [pid 5282] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5282] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5282] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5279] <... futex resumed>) = 0 [pid 5279] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5279] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5282] <... futex resumed>) = 1 [pid 5282] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5282] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5279] <... futex resumed>) = 0 [pid 5282] <... futex resumed>) = 1 [ 138.813496][ T5280] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 138.822683][ T5280] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 138.830502][ T5280] gfs2: fsid=syz:syz.0: File system withdrawn [ 138.837004][ T5280] CPU: 1 PID: 5280 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 138.847458][ T5280] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 138.857545][ T5280] Call Trace: [ 138.860861][ T5280] [ 138.863833][ T5280] dump_stack_lvl+0x1e7/0x2d0 [ 138.868574][ T5280] ? nf_tcp_handle_invalid+0x650/0x650 [ 138.874067][ T5280] ? panic+0x770/0x770 [ 138.878180][ T5280] ? kobject_uevent_env+0x54e/0x8e0 [ 138.883426][ T5280] gfs2_withdraw+0xf48/0x1550 [ 138.888129][ T5280] ? gfs2_lm+0x240/0x240 [ 138.892473][ T5280] ? gfs2_dirent_scan+0xb2/0x640 [ 138.897441][ T5280] ? panic+0x770/0x770 [ 138.901565][ T5280] ? gfs2_consist_inode_i+0xf5/0x110 [ 138.906909][ T5280] gfs2_dirent_scan+0x512/0x640 [ 138.911957][ T5280] ? gfs2_permission+0x268/0x3c0 [ 138.916962][ T5280] ? gfs2_dirent_search+0x8c0/0x8c0 [ 138.922208][ T5280] gfs2_dirent_search+0x30e/0x8c0 [ 138.927287][ T5280] ? gfs2_dirent_search+0x8c0/0x8c0 [ 138.932513][ T5280] ? generic_permission+0x1df/0x550 [ 138.937727][ T5280] ? gfs2_dir_search+0x2f0/0x2f0 [ 138.942680][ T5280] ? gfs2_permission+0x34a/0x3c0 [ 138.947641][ T5280] gfs2_dir_search+0xb2/0x2f0 [ 138.952339][ T5280] ? do_filldir_main+0x520/0x520 [ 138.957294][ T5280] ? inode_go_held+0xea/0x200 [ 138.962005][ T5280] ? gfs2_glock_wait+0x21a/0x2b0 [ 138.966965][ T5280] gfs2_lookupi+0x460/0x5d0 [ 138.971494][ T5280] ? gfs2_lookup_simple+0x180/0x180 [ 138.976718][ T5280] ? __gfs2_lookup+0xa4/0x270 [ 138.981406][ T5280] ? d_alloc_parallel+0x1262/0x13a0 [ 138.986639][ T5280] __gfs2_lookup+0xa4/0x270 [ 138.991165][ T5280] ? gfs2_atomic_open+0x230/0x230 [ 138.996218][ T5280] ? __init_waitqueue_head+0xae/0x150 [ 139.001618][ T5280] __lookup_slow+0x282/0x3e0 [ 139.006224][ T5280] ? lookup_one_len+0x2d0/0x2d0 [ 139.011121][ T5280] ? down_read+0x1b5/0x2f0 [ 139.015663][ T5280] lookup_slow+0x53/0x70 [ 139.019920][ T5280] link_path_walk+0x9c8/0xe70 [ 139.024625][ T5280] ? handle_lookup_down+0x130/0x130 [ 139.029939][ T5280] ? lockdep_hardirqs_on+0x98/0x140 [ 139.035155][ T5280] path_lookupat+0xa9/0x450 [ 139.039678][ T5280] do_o_path+0x95/0x230 [ 139.043938][ T5280] ? do_tmpfile+0x330/0x330 [ 139.048631][ T5280] ? __alloc_file+0x15a/0x230 [ 139.053411][ T5280] path_openat+0x29f0/0x3170 [ 139.058030][ T5280] ? __stack_depot_save+0x20/0x650 [ 139.063162][ T5280] ? mark_lock+0x9a/0x340 [ 139.067506][ T5280] ? kmem_cache_alloc+0x11f/0x2e0 [ 139.072541][ T5280] ? mark_lock+0x9a/0x340 [ 139.076889][ T5280] ? __lock_acquire+0x1295/0x2000 [ 139.081929][ T5280] ? do_filp_open+0x490/0x490 [ 139.086637][ T5280] do_filp_open+0x234/0x490 [ 139.091247][ T5280] ? vfs_tmpfile+0x4a0/0x4a0 [ 139.095870][ T5280] ? _raw_spin_unlock+0x28/0x40 [ 139.100736][ T5280] ? alloc_fd+0x59c/0x640 [ 139.105095][ T5280] do_sys_openat2+0x13f/0x500 [ 139.109790][ T5280] ? print_irqtrace_events+0x220/0x220 [ 139.115270][ T5280] ? do_sys_open+0x230/0x230 [ 139.119877][ T5280] ? lockdep_hardirqs_on+0x98/0x140 [ 139.125102][ T5280] ? _raw_spin_unlock_irq+0x2e/0x50 [ 139.130312][ T5280] ? ptrace_notify+0x278/0x380 [ 139.135093][ T5280] __x64_sys_openat+0x247/0x290 [ 139.139971][ T5280] ? __ia32_sys_open+0x270/0x270 [ 139.144931][ T5280] ? syscall_enter_from_user_mode+0x32/0x230 [ 139.150926][ T5280] ? syscall_enter_from_user_mode+0x8c/0x230 [ 139.157009][ T5280] do_syscall_64+0x41/0xc0 [ 139.161458][ T5280] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 139.167381][ T5280] RIP: 0033:0x7f0100724159 [ 139.171805][ T5280] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 139.191425][ T5280] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 139.199855][ T5280] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 139.207836][ T5280] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5282] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5280] <... openat resumed>) = -1 EIO (Input/output error) [pid 5280] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5280] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5279] exit_group(0 [pid 5280] <... futex resumed>) = ? [pid 5282] <... futex resumed>) = ? [pid 5280] +++ exited with 0 +++ [pid 5282] +++ exited with 0 +++ [pid 5279] <... exit_group resumed>) = ? [pid 5279] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5279, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./65", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./65", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./65/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./65/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./65/binderfs") = 0 [ 139.215820][ T5280] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 139.223799][ T5280] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 139.231783][ T5280] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 139.239781][ T5280] umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./65/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./65/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./65/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./65") = 0 mkdir("./66", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5283 ./strace-static-x86_64: Process 5283 attached [pid 5283] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5283] chdir("./66") = 0 [pid 5283] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5283] setpgid(0, 0) = 0 [pid 5283] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5283] write(3, "1000", 4) = 4 [pid 5283] close(3) = 0 [pid 5283] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5283] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5283] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5283] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5283] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5284 attached , parent_tid=[5284], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5284 [pid 5284] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5283] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5283] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5284] memfd_create("syzkaller", 0) = 3 [pid 5284] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5284] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5284] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5284] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5284] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5284] close(3) = 0 [pid 5284] mkdir("./file0", 0777) = 0 [ 139.649467][ T5284] loop0: detected capacity change from 0 to 32768 [ 139.662874][ T5284] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 139.671140][ T5284] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 139.681679][ T5284] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 139.690707][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 139.698306][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5284] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5284] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5284] chdir("./file0") = 0 [pid 5284] ioctl(4, LOOP_CLR_FD) = 0 [pid 5284] close(4) = 0 [pid 5284] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5284] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5283] <... futex resumed>) = 0 [pid 5283] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5284] <... futex resumed>) = 0 [pid 5283] <... futex resumed>) = 1 [pid 5284] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 139.747035][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 48ms [ 139.756234][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 139.761833][ T5284] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 139.800687][ T5284] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 139.809721][ T5284] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 139.809721][ T5284] inode = 12 2341 [ 139.809721][ T5284] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 139.829226][ T5284] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 139.838672][ T5284] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5284 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5283] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5283] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5283] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5283] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5283] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5286], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5286 [pid 5283] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5283] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5286 attached [pid 5286] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5286] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5286] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5283] <... futex resumed>) = 0 [pid 5286] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5283] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000 [pid 5286] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [ 139.849746][ T5284] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 139.858894][ T5284] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 139.866589][ T5284] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 139.876206][ T5284] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 139.883215][ T5284] gfs2: fsid=syz:syz.0: File system withdrawn [ 139.889623][ T5284] CPU: 0 PID: 5284 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [pid 5283] <... futex resumed>) = 0 [pid 5286] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 5283] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5286] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5286] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5283] <... futex resumed>) = 0 [ 139.900086][ T5284] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 139.910189][ T5284] Call Trace: [ 139.913502][ T5284] [ 139.916464][ T5284] dump_stack_lvl+0x1e7/0x2d0 [ 139.921168][ T5284] ? nf_tcp_handle_invalid+0x650/0x650 [ 139.926667][ T5284] ? panic+0x770/0x770 [ 139.930776][ T5284] ? kobject_uevent_env+0x54e/0x8e0 [ 139.936018][ T5284] gfs2_withdraw+0xf48/0x1550 [ 139.940752][ T5284] ? gfs2_lm+0x240/0x240 [ 139.945040][ T5284] ? gfs2_dirent_scan+0xb2/0x640 [ 139.950003][ T5284] ? panic+0x770/0x770 [ 139.954107][ T5284] ? gfs2_consist_inode_i+0xf5/0x110 [ 139.959415][ T5284] gfs2_dirent_scan+0x512/0x640 [ 139.964286][ T5284] ? gfs2_permission+0x268/0x3c0 [ 139.969244][ T5284] ? gfs2_dirent_search+0x8c0/0x8c0 [ 139.974457][ T5284] gfs2_dirent_search+0x30e/0x8c0 [ 139.979497][ T5284] ? gfs2_dirent_search+0x8c0/0x8c0 [ 139.984724][ T5284] ? generic_permission+0x1df/0x550 [ 139.989934][ T5284] ? gfs2_dir_search+0x2f0/0x2f0 [ 139.994888][ T5284] ? gfs2_permission+0x34a/0x3c0 [ 139.999852][ T5284] gfs2_dir_search+0xb2/0x2f0 [ 140.004632][ T5284] ? do_filldir_main+0x520/0x520 [ 140.009592][ T5284] ? inode_go_held+0xea/0x200 [ 140.014282][ T5284] ? gfs2_glock_wait+0x21a/0x2b0 [ 140.019241][ T5284] gfs2_lookupi+0x460/0x5d0 [ 140.023767][ T5284] ? gfs2_lookup_simple+0x180/0x180 [ 140.028986][ T5284] ? __gfs2_lookup+0xa4/0x270 [ 140.033758][ T5284] ? d_alloc_parallel+0x1262/0x13a0 [ 140.038980][ T5284] __gfs2_lookup+0xa4/0x270 [ 140.043495][ T5284] ? gfs2_atomic_open+0x230/0x230 [ 140.048541][ T5284] ? __init_waitqueue_head+0xae/0x150 [ 140.054033][ T5284] __lookup_slow+0x282/0x3e0 [ 140.058639][ T5284] ? lookup_one_len+0x2d0/0x2d0 [ 140.063509][ T5284] ? down_read+0x1b5/0x2f0 [ 140.067948][ T5284] lookup_slow+0x53/0x70 [ 140.072204][ T5284] link_path_walk+0x9c8/0xe70 [ 140.076909][ T5284] ? handle_lookup_down+0x130/0x130 [ 140.082128][ T5284] ? lockdep_hardirqs_on+0x98/0x140 [ 140.087357][ T5284] path_lookupat+0xa9/0x450 [ 140.091896][ T5284] do_o_path+0x95/0x230 [ 140.096086][ T5284] ? do_tmpfile+0x330/0x330 [ 140.100604][ T5284] ? __alloc_file+0x15a/0x230 [ 140.105298][ T5284] path_openat+0x29f0/0x3170 [ 140.109907][ T5284] ? __stack_depot_save+0x20/0x650 [ 140.115045][ T5284] ? __lock_acquire+0x1295/0x2000 [ 140.120097][ T5284] ? mark_lock+0x9a/0x340 [ 140.124443][ T5284] ? kmem_cache_alloc+0x11f/0x2e0 [ 140.129479][ T5284] ? mark_lock+0x9a/0x340 [ 140.133827][ T5284] ? __lock_acquire+0x1295/0x2000 [ 140.138870][ T5284] ? do_filp_open+0x490/0x490 [ 140.143576][ T5284] do_filp_open+0x234/0x490 [ 140.148101][ T5284] ? vfs_tmpfile+0x4a0/0x4a0 [ 140.152727][ T5284] ? _raw_spin_unlock+0x28/0x40 [ 140.157589][ T5284] ? alloc_fd+0x59c/0x640 [ 140.162205][ T5284] do_sys_openat2+0x13f/0x500 [ 140.166898][ T5284] ? print_irqtrace_events+0x220/0x220 [ 140.172378][ T5284] ? do_sys_open+0x230/0x230 [ 140.176984][ T5284] ? lockdep_hardirqs_on+0x98/0x140 [ 140.182197][ T5284] ? _raw_spin_unlock_irq+0x2e/0x50 [ 140.187408][ T5284] ? ptrace_notify+0x278/0x380 [ 140.192193][ T5284] __x64_sys_openat+0x247/0x290 [ 140.197061][ T5284] ? __ia32_sys_open+0x270/0x270 [ 140.202040][ T5284] ? syscall_enter_from_user_mode+0x32/0x230 [ 140.208036][ T5284] ? syscall_enter_from_user_mode+0x8c/0x230 [ 140.214030][ T5284] do_syscall_64+0x41/0xc0 [ 140.218467][ T5284] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 140.224373][ T5284] RIP: 0033:0x7f0100724159 [ 140.228795][ T5284] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5286] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5284] <... openat resumed>) = -1 EIO (Input/output error) [pid 5284] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5283] exit_group(0) = ? [pid 5286] <... futex resumed>) = ? [pid 5284] <... futex resumed>) = ? [pid 5286] +++ exited with 0 +++ [pid 5284] +++ exited with 0 +++ [pid 5283] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5283, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=37 /* 0.37 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./66", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./66", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./66/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./66/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./66/binderfs") = 0 [ 140.248412][ T5284] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 140.256836][ T5284] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 140.264816][ T5284] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 140.272794][ T5284] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 140.280783][ T5284] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 140.288759][ T5284] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 140.296754][ T5284] umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./66/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./66/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./66/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./66") = 0 mkdir("./67", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5287 ./strace-static-x86_64: Process 5287 attached [pid 5287] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5287] chdir("./67") = 0 [pid 5287] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5287] setpgid(0, 0) = 0 [pid 5287] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5287] write(3, "1000", 4) = 4 [pid 5287] close(3) = 0 [pid 5287] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5287] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5287] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5287] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5287] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5288], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5288 [pid 5287] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000./strace-static-x86_64: Process 5288 attached [pid 5288] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5287] <... futex resumed>) = 0 [pid 5287] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5288] memfd_create("syzkaller", 0) = 3 [pid 5288] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5288] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5288] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5288] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5288] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5288] close(3) = 0 [pid 5288] mkdir("./file0", 0777) = 0 [ 140.716859][ T5288] loop0: detected capacity change from 0 to 32768 [ 140.729906][ T5288] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 140.738393][ T5288] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 140.748246][ T5288] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 140.756830][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 140.764149][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5288] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5288] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5288] chdir("./file0") = 0 [pid 5288] ioctl(4, LOOP_CLR_FD) = 0 [pid 5288] close(4) = 0 [pid 5288] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5287] <... futex resumed>) = 0 [pid 5288] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5287] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5288] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5287] <... futex resumed>) = 0 [pid 5288] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [ 140.806860][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 140.814539][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 140.819907][ T5288] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 140.842533][ T5288] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5287] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5287] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5287] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5287] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5287] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5290], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5290 [pid 5287] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 140.851754][ T5288] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 140.851754][ T5288] inode = 12 2341 [ 140.851754][ T5288] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 140.871183][ T5288] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 140.880666][ T5288] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5288 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 140.891487][ T5288] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 140.899998][ T5288] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5287] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5290 attached [pid 5290] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5290] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5290] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5287] <... futex resumed>) = 0 [pid 5287] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5287] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5290] <... futex resumed>) = 1 [pid 5290] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5290] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5287] <... futex resumed>) = 0 [pid 5290] <... futex resumed>) = 1 [ 140.907868][ T5288] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 140.917555][ T5288] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 140.924496][ T5288] gfs2: fsid=syz:syz.0: File system withdrawn [ 140.931086][ T5288] CPU: 0 PID: 5288 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 140.941509][ T5288] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 140.951580][ T5288] Call Trace: [ 140.954859][ T5288] [ 140.957804][ T5288] dump_stack_lvl+0x1e7/0x2d0 [ 140.962498][ T5288] ? nf_tcp_handle_invalid+0x650/0x650 [ 140.967968][ T5288] ? panic+0x770/0x770 [ 140.972040][ T5288] ? kobject_uevent_env+0x54e/0x8e0 [ 140.977252][ T5288] gfs2_withdraw+0xf48/0x1550 [ 140.981950][ T5288] ? gfs2_lm+0x240/0x240 [ 140.986197][ T5288] ? gfs2_dirent_scan+0xb2/0x640 [ 140.991143][ T5288] ? panic+0x770/0x770 [ 140.995236][ T5288] ? gfs2_consist_inode_i+0xf5/0x110 [ 141.000539][ T5288] gfs2_dirent_scan+0x512/0x640 [ 141.005408][ T5288] ? gfs2_permission+0x268/0x3c0 [ 141.010370][ T5288] ? gfs2_dirent_search+0x8c0/0x8c0 [ 141.015666][ T5288] gfs2_dirent_search+0x30e/0x8c0 [ 141.020810][ T5288] ? gfs2_dirent_search+0x8c0/0x8c0 [ 141.026038][ T5288] ? generic_permission+0x1df/0x550 [ 141.031257][ T5288] ? gfs2_dir_search+0x2f0/0x2f0 [ 141.036210][ T5288] ? gfs2_permission+0x34a/0x3c0 [ 141.041169][ T5288] gfs2_dir_search+0xb2/0x2f0 [ 141.045886][ T5288] ? do_filldir_main+0x520/0x520 [ 141.050836][ T5288] ? inode_go_held+0xea/0x200 [ 141.055529][ T5288] ? gfs2_glock_wait+0x21a/0x2b0 [ 141.060486][ T5288] gfs2_lookupi+0x460/0x5d0 [ 141.065015][ T5288] ? gfs2_lookup_simple+0x180/0x180 [ 141.070231][ T5288] ? __gfs2_lookup+0xa4/0x270 [ 141.074954][ T5288] ? d_alloc_parallel+0x1262/0x13a0 [ 141.080169][ T5288] __gfs2_lookup+0xa4/0x270 [ 141.084682][ T5288] ? gfs2_atomic_open+0x230/0x230 [ 141.089723][ T5288] ? __init_waitqueue_head+0xae/0x150 [ 141.095201][ T5288] __lookup_slow+0x282/0x3e0 [ 141.099806][ T5288] ? lookup_one_len+0x2d0/0x2d0 [ 141.104694][ T5288] ? down_read+0x1b5/0x2f0 [ 141.109128][ T5288] lookup_slow+0x53/0x70 [ 141.113395][ T5288] link_path_walk+0x9c8/0xe70 [ 141.118099][ T5288] ? handle_lookup_down+0x130/0x130 [ 141.123317][ T5288] ? lockdep_hardirqs_on+0x98/0x140 [ 141.128532][ T5288] path_lookupat+0xa9/0x450 [ 141.133052][ T5288] do_o_path+0x95/0x230 [ 141.137235][ T5288] ? do_tmpfile+0x330/0x330 [ 141.141764][ T5288] ? __alloc_file+0x15a/0x230 [ 141.146451][ T5288] path_openat+0x29f0/0x3170 [ 141.151052][ T5288] ? __stack_depot_save+0x20/0x650 [ 141.156174][ T5288] ? __lock_acquire+0x1295/0x2000 [ 141.161220][ T5288] ? mark_lock+0x9a/0x340 [ 141.165565][ T5288] ? kmem_cache_alloc+0x11f/0x2e0 [ 141.170596][ T5288] ? mark_lock+0x9a/0x340 [ 141.174943][ T5288] ? __lock_acquire+0x1295/0x2000 [ 141.179981][ T5288] ? do_filp_open+0x490/0x490 [ 141.184681][ T5288] do_filp_open+0x234/0x490 [ 141.189198][ T5288] ? vfs_tmpfile+0x4a0/0x4a0 [ 141.193825][ T5288] ? _raw_spin_unlock+0x28/0x40 [ 141.198689][ T5288] ? alloc_fd+0x59c/0x640 [ 141.203055][ T5288] do_sys_openat2+0x13f/0x500 [ 141.207763][ T5288] ? print_irqtrace_events+0x220/0x220 [ 141.213241][ T5288] ? do_sys_open+0x230/0x230 [ 141.217847][ T5288] ? lockdep_hardirqs_on+0x98/0x140 [ 141.223189][ T5288] ? _raw_spin_unlock_irq+0x2e/0x50 [ 141.228425][ T5288] ? ptrace_notify+0x278/0x380 [ 141.233224][ T5288] __x64_sys_openat+0x247/0x290 [ 141.238101][ T5288] ? __ia32_sys_open+0x270/0x270 [ 141.243059][ T5288] ? syscall_enter_from_user_mode+0x32/0x230 [ 141.249068][ T5288] ? syscall_enter_from_user_mode+0x8c/0x230 [ 141.255069][ T5288] do_syscall_64+0x41/0xc0 [ 141.259504][ T5288] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 141.265409][ T5288] RIP: 0033:0x7f0100724159 [ 141.269832][ T5288] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 141.289451][ T5288] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 141.297882][ T5288] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5290] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5288] <... openat resumed>) = -1 EIO (Input/output error) [pid 5288] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5287] exit_group(0 [pid 5290] <... futex resumed>) = ? [pid 5287] <... exit_group resumed>) = ? [pid 5290] +++ exited with 0 +++ [pid 5288] <... futex resumed>) = ? [pid 5288] +++ exited with 0 +++ [pid 5287] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5287, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./67", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./67", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./67/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./67/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./67/binderfs") = 0 [ 141.305870][ T5288] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 141.313855][ T5288] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 141.321835][ T5288] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 141.329813][ T5288] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 141.337805][ T5288] umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./67/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./67/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./67/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./67") = 0 mkdir("./68", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5291 ./strace-static-x86_64: Process 5291 attached [pid 5291] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5291] chdir("./68") = 0 [pid 5291] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5291] setpgid(0, 0) = 0 [pid 5291] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5291] write(3, "1000", 4) = 4 [pid 5291] close(3) = 0 [pid 5291] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5291] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5291] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5291] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5291] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5292], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5292 ./strace-static-x86_64: Process 5292 attached [pid 5291] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5292] set_robust_list(0x7f01006c89e0, 24 [pid 5291] <... futex resumed>) = 0 [pid 5292] <... set_robust_list resumed>) = 0 [pid 5291] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5292] memfd_create("syzkaller", 0) = 3 [pid 5292] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5292] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5292] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5292] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5292] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5292] close(3) = 0 [pid 5292] mkdir("./file0", 0777) = 0 [ 141.724559][ T5292] loop0: detected capacity change from 0 to 32768 [ 141.736408][ T5292] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 141.744798][ T5292] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 141.754022][ T5292] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 141.762725][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 141.769568][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5292] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5292] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5292] chdir("./file0") = 0 [pid 5292] ioctl(4, LOOP_CLR_FD) = 0 [pid 5292] close(4) = 0 [pid 5292] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5291] <... futex resumed>) = 0 [pid 5291] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5291] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5292] <... futex resumed>) = 1 [ 141.811985][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 141.819621][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 141.824887][ T5292] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 141.838306][ T5292] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 141.846706][ T5292] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 141.846706][ T5292] inode = 12 2341 [pid 5292] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5291] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5291] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5291] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5291] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5291] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5294], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5294 [pid 5291] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5291] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5294 attached [pid 5294] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 141.846706][ T5292] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 141.865606][ T5292] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 141.875280][ T5292] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5292 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 141.885538][ T5292] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 141.891952][ T5294] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 141.895326][ T5292] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5294] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5291] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 141.903386][ T5294] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 141.910053][ T5292] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 141.919821][ T5294] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5292 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 141.937889][ T5294] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5294 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 141.938065][ T5292] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [pid 5291] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5291] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5291] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5291] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5295], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5295 [pid 5291] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5291] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5295 attached [pid 5295] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5295] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5295] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5291] <... futex resumed>) = 0 [pid 5295] <... futex resumed>) = 1 [ 141.955018][ T5294] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 141.957843][ T5292] gfs2: fsid=syz:syz.0: File system withdrawn [ 141.969766][ T5292] CPU: 0 PID: 5292 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 141.980227][ T5292] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 141.990318][ T5292] Call Trace: [ 141.993606][ T5292] [ 141.996542][ T5292] dump_stack_lvl+0x1e7/0x2d0 [ 142.001257][ T5292] ? nf_tcp_handle_invalid+0x650/0x650 [ 142.006733][ T5292] ? panic+0x770/0x770 [ 142.010813][ T5292] ? kobject_uevent_env+0x54e/0x8e0 [ 142.016058][ T5292] gfs2_withdraw+0xf48/0x1550 [ 142.020788][ T5292] ? gfs2_lm+0x240/0x240 [ 142.025041][ T5292] ? gfs2_dirent_scan+0xb2/0x640 [ 142.029992][ T5292] ? panic+0x770/0x770 [ 142.034075][ T5292] ? gfs2_consist_inode_i+0xf5/0x110 [ 142.039378][ T5292] gfs2_dirent_scan+0x512/0x640 [ 142.044241][ T5292] ? gfs2_permission+0x268/0x3c0 [ 142.049192][ T5292] ? gfs2_dirent_search+0x8c0/0x8c0 [ 142.054409][ T5292] gfs2_dirent_search+0x30e/0x8c0 [ 142.059464][ T5292] ? gfs2_dirent_search+0x8c0/0x8c0 [ 142.064672][ T5292] ? generic_permission+0x1df/0x550 [ 142.069882][ T5292] ? gfs2_dir_search+0x2f0/0x2f0 [ 142.074839][ T5292] ? gfs2_permission+0x34a/0x3c0 [ 142.079804][ T5292] gfs2_dir_search+0xb2/0x2f0 [ 142.084501][ T5292] ? do_filldir_main+0x520/0x520 [ 142.089448][ T5292] ? inode_go_held+0xea/0x200 [ 142.094139][ T5292] ? gfs2_glock_wait+0x21a/0x2b0 [ 142.099094][ T5292] gfs2_lookupi+0x460/0x5d0 [ 142.103618][ T5292] ? gfs2_lookup_simple+0x180/0x180 [ 142.108837][ T5292] ? __gfs2_lookup+0xa4/0x270 [ 142.113523][ T5292] ? d_alloc_parallel+0x1262/0x13a0 [ 142.118765][ T5292] __gfs2_lookup+0xa4/0x270 [ 142.123284][ T5292] ? gfs2_atomic_open+0x230/0x230 [ 142.128340][ T5292] ? __init_waitqueue_head+0xae/0x150 [ 142.133733][ T5292] __lookup_slow+0x282/0x3e0 [ 142.138341][ T5292] ? lookup_one_len+0x2d0/0x2d0 [ 142.143213][ T5292] ? down_read+0x1b5/0x2f0 [ 142.147650][ T5292] lookup_slow+0x53/0x70 [ 142.151907][ T5292] link_path_walk+0x9c8/0xe70 [ 142.156614][ T5292] ? handle_lookup_down+0x130/0x130 [ 142.161833][ T5292] ? lockdep_hardirqs_on+0x98/0x140 [ 142.167043][ T5292] path_lookupat+0xa9/0x450 [ 142.171578][ T5292] do_o_path+0x95/0x230 [ 142.175753][ T5292] ? do_tmpfile+0x330/0x330 [ 142.180273][ T5292] ? __alloc_file+0x15a/0x230 [ 142.184964][ T5292] path_openat+0x29f0/0x3170 [ 142.189573][ T5292] ? __stack_depot_save+0x20/0x650 [ 142.194702][ T5292] ? mark_lock+0x9a/0x340 [ 142.199050][ T5292] ? kmem_cache_alloc+0x11f/0x2e0 [ 142.204084][ T5292] ? mark_lock+0x9a/0x340 [ 142.208435][ T5292] ? __lock_acquire+0x1295/0x2000 [ 142.213473][ T5292] ? do_filp_open+0x490/0x490 [ 142.218176][ T5292] do_filp_open+0x234/0x490 [ 142.222714][ T5292] ? vfs_tmpfile+0x4a0/0x4a0 [ 142.227332][ T5292] ? _raw_spin_unlock+0x28/0x40 [ 142.232191][ T5292] ? alloc_fd+0x59c/0x640 [ 142.236544][ T5292] do_sys_openat2+0x13f/0x500 [ 142.241239][ T5292] ? print_irqtrace_events+0x220/0x220 [ 142.246714][ T5292] ? do_sys_open+0x230/0x230 [ 142.251322][ T5292] ? lockdep_hardirqs_on+0x98/0x140 [ 142.256550][ T5292] ? _raw_spin_unlock_irq+0x2e/0x50 [ 142.261759][ T5292] ? ptrace_notify+0x278/0x380 [ 142.266538][ T5292] __x64_sys_openat+0x247/0x290 [ 142.271405][ T5292] ? __ia32_sys_open+0x270/0x270 [ 142.276376][ T5292] ? syscall_enter_from_user_mode+0x32/0x230 [ 142.282371][ T5292] ? syscall_enter_from_user_mode+0x8c/0x230 [ 142.288366][ T5292] do_syscall_64+0x41/0xc0 [ 142.292817][ T5292] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 142.298720][ T5292] RIP: 0033:0x7f0100724159 [ 142.303149][ T5292] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 142.322857][ T5292] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 142.331287][ T5292] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 142.339283][ T5292] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 142.347263][ T5292] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 142.355241][ T5292] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5295] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5294] <... openat resumed>) = -1 EIO (Input/output error) [pid 5294] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5292] <... openat resumed>) = -1 EIO (Input/output error) [pid 5294] <... futex resumed>) = 0 [pid 5292] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5294] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5292] <... futex resumed>) = 0 [pid 5291] exit_group(0 [pid 5295] <... futex resumed>) = ? [pid 5294] <... futex resumed>) = ? [pid 5291] <... exit_group resumed>) = ? [pid 5295] +++ exited with 0 +++ [pid 5294] +++ exited with 0 +++ [pid 5292] +++ exited with 0 +++ [pid 5291] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5291, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=41 /* 0.41 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./68", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./68", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./68/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./68/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./68/binderfs") = 0 [ 142.363218][ T5292] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 142.371210][ T5292] umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./68/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./68/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./68/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./68") = 0 mkdir("./69", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5296 ./strace-static-x86_64: Process 5296 attached [pid 5296] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5296] chdir("./69") = 0 [pid 5296] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5296] setpgid(0, 0) = 0 [pid 5296] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5296] write(3, "1000", 4) = 4 [pid 5296] close(3) = 0 [pid 5296] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5296] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5296] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5296] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5296] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5297], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5297 ./strace-static-x86_64: Process 5297 attached [pid 5296] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5297] set_robust_list(0x7f01006c89e0, 24 [pid 5296] <... futex resumed>) = 0 [pid 5296] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5297] <... set_robust_list resumed>) = 0 [pid 5297] memfd_create("syzkaller", 0) = 3 [pid 5297] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5297] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5297] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5297] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5297] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5297] close(3) = 0 [pid 5297] mkdir("./file0", 0777) = 0 [ 142.765061][ T5297] loop0: detected capacity change from 0 to 32768 [ 142.777448][ T5297] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 142.785680][ T5297] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 142.796751][ T5297] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 142.806077][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 142.813261][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5297] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5297] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5297] chdir("./file0") = 0 [pid 5297] ioctl(4, LOOP_CLR_FD) = 0 [pid 5297] close(4) = 0 [pid 5297] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5296] <... futex resumed>) = 0 [pid 5296] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5296] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5297] <... futex resumed>) = 1 [ 142.858298][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 142.865834][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 142.872012][ T5297] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 142.891325][ T5297] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 142.900313][ T5297] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5297] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5296] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5296] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5296] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5296] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5296] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5299], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5299 [pid 5296] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5296] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5299 attached [pid 5299] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5299] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [ 142.900313][ T5297] inode = 12 2341 [ 142.900313][ T5297] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 142.919750][ T5297] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 142.929023][ T5297] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5297 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 142.939749][ T5297] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 142.948493][ T5297] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5299] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5296] <... futex resumed>) = 0 [pid 5296] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5296] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5299] <... futex resumed>) = 1 [pid 5299] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5299] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5296] <... futex resumed>) = 0 [pid 5299] <... futex resumed>) = 1 [ 142.956479][ T5297] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 142.966507][ T5297] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 142.973863][ T5297] gfs2: fsid=syz:syz.0: File system withdrawn [ 142.980443][ T5297] CPU: 0 PID: 5297 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 142.990864][ T5297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 143.000938][ T5297] Call Trace: [ 143.004217][ T5297] [ 143.007158][ T5297] dump_stack_lvl+0x1e7/0x2d0 [ 143.011877][ T5297] ? nf_tcp_handle_invalid+0x650/0x650 [ 143.017345][ T5297] ? panic+0x770/0x770 [ 143.021414][ T5297] ? kobject_uevent_env+0x54e/0x8e0 [ 143.026623][ T5297] gfs2_withdraw+0xf48/0x1550 [ 143.031333][ T5297] ? gfs2_lm+0x240/0x240 [ 143.035581][ T5297] ? gfs2_dirent_scan+0xb2/0x640 [ 143.040524][ T5297] ? panic+0x770/0x770 [ 143.044601][ T5297] ? gfs2_consist_inode_i+0xf5/0x110 [ 143.049899][ T5297] gfs2_dirent_scan+0x512/0x640 [ 143.054754][ T5297] ? gfs2_permission+0x268/0x3c0 [ 143.059704][ T5297] ? gfs2_dirent_search+0x8c0/0x8c0 [ 143.064909][ T5297] gfs2_dirent_search+0x30e/0x8c0 [ 143.069959][ T5297] ? gfs2_dirent_search+0x8c0/0x8c0 [ 143.075166][ T5297] ? generic_permission+0x1df/0x550 [ 143.080372][ T5297] ? gfs2_dir_search+0x2f0/0x2f0 [ 143.085328][ T5297] ? gfs2_permission+0x34a/0x3c0 [ 143.090291][ T5297] gfs2_dir_search+0xb2/0x2f0 [ 143.094979][ T5297] ? do_filldir_main+0x520/0x520 [ 143.099923][ T5297] ? inode_go_held+0xea/0x200 [ 143.104605][ T5297] ? gfs2_glock_wait+0x21a/0x2b0 [ 143.109554][ T5297] gfs2_lookupi+0x460/0x5d0 [ 143.114083][ T5297] ? gfs2_lookup_simple+0x180/0x180 [ 143.119294][ T5297] ? __gfs2_lookup+0xa4/0x270 [ 143.123971][ T5297] ? d_alloc_parallel+0x1262/0x13a0 [ 143.129178][ T5297] __gfs2_lookup+0xa4/0x270 [ 143.133777][ T5297] ? gfs2_atomic_open+0x230/0x230 [ 143.138810][ T5297] ? __init_waitqueue_head+0xae/0x150 [ 143.144199][ T5297] __lookup_slow+0x282/0x3e0 [ 143.148794][ T5297] ? lookup_one_len+0x2d0/0x2d0 [ 143.153662][ T5297] ? down_read+0x1b5/0x2f0 [ 143.158091][ T5297] lookup_slow+0x53/0x70 [ 143.162346][ T5297] link_path_walk+0x9c8/0xe70 [ 143.167040][ T5297] ? handle_lookup_down+0x130/0x130 [ 143.172255][ T5297] ? lockdep_hardirqs_on+0x98/0x140 [ 143.177462][ T5297] path_lookupat+0xa9/0x450 [ 143.181971][ T5297] do_o_path+0x95/0x230 [ 143.186136][ T5297] ? do_tmpfile+0x330/0x330 [ 143.190644][ T5297] ? __alloc_file+0x15a/0x230 [ 143.195329][ T5297] path_openat+0x29f0/0x3170 [ 143.199924][ T5297] ? __stack_depot_save+0x20/0x650 [ 143.205042][ T5297] ? mark_lock+0x9a/0x340 [ 143.209380][ T5297] ? kmem_cache_alloc+0x11f/0x2e0 [ 143.214422][ T5297] ? mark_lock+0x9a/0x340 [ 143.218782][ T5297] ? __lock_acquire+0x1295/0x2000 [ 143.223832][ T5297] ? do_filp_open+0x490/0x490 [ 143.228545][ T5297] do_filp_open+0x234/0x490 [ 143.233056][ T5297] ? vfs_tmpfile+0x4a0/0x4a0 [ 143.237680][ T5297] ? _raw_spin_unlock+0x28/0x40 [ 143.242543][ T5297] ? alloc_fd+0x59c/0x640 [ 143.246898][ T5297] do_sys_openat2+0x13f/0x500 [ 143.251582][ T5297] ? print_irqtrace_events+0x220/0x220 [ 143.257048][ T5297] ? do_sys_open+0x230/0x230 [ 143.261645][ T5297] ? lockdep_hardirqs_on+0x98/0x140 [ 143.266848][ T5297] ? _raw_spin_unlock_irq+0x2e/0x50 [ 143.272090][ T5297] ? ptrace_notify+0x278/0x380 [ 143.276859][ T5297] __x64_sys_openat+0x247/0x290 [ 143.281723][ T5297] ? __ia32_sys_open+0x270/0x270 [ 143.286671][ T5297] ? syscall_enter_from_user_mode+0x32/0x230 [ 143.292658][ T5297] ? syscall_enter_from_user_mode+0x8c/0x230 [ 143.298647][ T5297] do_syscall_64+0x41/0xc0 [ 143.303072][ T5297] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 143.309056][ T5297] RIP: 0033:0x7f0100724159 [ 143.313479][ T5297] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 143.333085][ T5297] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 143.341504][ T5297] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 143.349498][ T5297] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5299] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5297] <... openat resumed>) = -1 EIO (Input/output error) [pid 5297] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5297] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5296] exit_group(0) = ? [pid 5299] <... futex resumed>) = ? [pid 5297] <... futex resumed>) = ? [pid 5299] +++ exited with 0 +++ [pid 5297] +++ exited with 0 +++ [pid 5296] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5296, si_uid=0, si_status=0, si_utime=0, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./69", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./69", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./69/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./69/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./69/binderfs") = 0 [ 143.357471][ T5297] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 143.365441][ T5297] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 143.373413][ T5297] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 143.381401][ T5297] umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./69/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./69/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./69/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./69") = 0 mkdir("./70", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5300 ./strace-static-x86_64: Process 5300 attached [pid 5300] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5300] chdir("./70") = 0 [pid 5300] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5300] setpgid(0, 0) = 0 [pid 5300] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5300] write(3, "1000", 4) = 4 [pid 5300] close(3) = 0 [pid 5300] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5300] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5300] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5300] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5300] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5301 attached , parent_tid=[5301], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5301 [pid 5300] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5300] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5301] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5301] memfd_create("syzkaller", 0) = 3 [pid 5301] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5301] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5301] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5301] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5301] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5301] close(3) = 0 [pid 5301] mkdir("./file0", 0777) = 0 [ 143.792766][ T5301] loop0: detected capacity change from 0 to 32768 [ 143.804845][ T5301] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 143.813090][ T5301] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 143.822312][ T5301] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 143.830938][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 143.838212][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5301] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5301] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5301] chdir("./file0") = 0 [pid 5301] ioctl(4, LOOP_CLR_FD) = 0 [pid 5301] close(4) = 0 [pid 5301] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5301] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5300] <... futex resumed>) = 0 [pid 5300] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5300] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5301] <... futex resumed>) = 0 [ 143.879638][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 143.888106][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 143.893421][ T5301] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 143.913866][ T5301] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5301] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5300] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5300] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5300] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5300] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5300] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5303], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5303 [pid 5300] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5300] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5303 attached [pid 5303] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5303] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5303] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5300] <... futex resumed>) = 0 [pid 5300] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5300] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5303] <... futex resumed>) = 1 [pid 5303] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5303] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5300] <... futex resumed>) = 0 [pid 5303] <... futex resumed>) = 1 [ 143.923169][ T5301] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 143.923169][ T5301] inode = 12 2341 [ 143.923169][ T5301] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 143.942498][ T5301] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 143.952084][ T5301] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5301 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 143.962482][ T5301] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 143.971033][ T5301] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 143.978334][ T5301] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 143.987184][ T5301] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 143.995495][ T5301] gfs2: fsid=syz:syz.0: File system withdrawn [ 144.001740][ T5301] CPU: 0 PID: 5301 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 144.012184][ T5301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 144.022332][ T5301] Call Trace: [ 144.025646][ T5301] [ 144.028655][ T5301] dump_stack_lvl+0x1e7/0x2d0 [ 144.033406][ T5301] ? nf_tcp_handle_invalid+0x650/0x650 [ 144.038921][ T5301] ? panic+0x770/0x770 [ 144.043011][ T5301] ? kobject_uevent_env+0x54e/0x8e0 [ 144.048258][ T5301] gfs2_withdraw+0xf48/0x1550 [ 144.052987][ T5301] ? gfs2_lm+0x240/0x240 [ 144.057249][ T5301] ? gfs2_dirent_scan+0xb2/0x640 [ 144.062243][ T5301] ? panic+0x770/0x770 [ 144.066346][ T5301] ? gfs2_consist_inode_i+0xf5/0x110 [ 144.071648][ T5301] gfs2_dirent_scan+0x512/0x640 [pid 5303] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5300] exit_group(0 [pid 5303] <... futex resumed>) = ? [pid 5300] <... exit_group resumed>) = ? [pid 5303] +++ exited with 0 +++ [ 144.076509][ T5301] ? gfs2_permission+0x268/0x3c0 [ 144.081473][ T5301] ? gfs2_dirent_search+0x8c0/0x8c0 [ 144.086707][ T5301] gfs2_dirent_search+0x30e/0x8c0 [ 144.091756][ T5301] ? gfs2_dirent_search+0x8c0/0x8c0 [ 144.097000][ T5301] ? generic_permission+0x1df/0x550 [ 144.102234][ T5301] ? gfs2_dir_search+0x2f0/0x2f0 [ 144.107190][ T5301] ? gfs2_permission+0x34a/0x3c0 [ 144.112185][ T5301] gfs2_dir_search+0xb2/0x2f0 [ 144.116912][ T5301] ? do_filldir_main+0x520/0x520 [ 144.121874][ T5301] ? inode_go_held+0xea/0x200 [ 144.126576][ T5301] ? gfs2_glock_wait+0x21a/0x2b0 [ 144.131553][ T5301] gfs2_lookupi+0x460/0x5d0 [ 144.136100][ T5301] ? gfs2_lookup_simple+0x180/0x180 [ 144.141318][ T5301] ? __gfs2_lookup+0xa4/0x270 [ 144.146003][ T5301] ? d_alloc_parallel+0x1262/0x13a0 [ 144.151307][ T5301] __gfs2_lookup+0xa4/0x270 [ 144.155821][ T5301] ? gfs2_atomic_open+0x230/0x230 [ 144.160866][ T5301] ? __init_waitqueue_head+0xae/0x150 [ 144.166269][ T5301] __lookup_slow+0x282/0x3e0 [ 144.170912][ T5301] ? lookup_one_len+0x2d0/0x2d0 [ 144.175794][ T5301] ? down_read+0x1b5/0x2f0 [ 144.180231][ T5301] lookup_slow+0x53/0x70 [ 144.184514][ T5301] link_path_walk+0x9c8/0xe70 [ 144.189256][ T5301] ? handle_lookup_down+0x130/0x130 [ 144.194486][ T5301] ? lockdep_hardirqs_on+0x98/0x140 [ 144.199807][ T5301] path_lookupat+0xa9/0x450 [ 144.204343][ T5301] do_o_path+0x95/0x230 [ 144.208551][ T5301] ? do_tmpfile+0x330/0x330 [ 144.213095][ T5301] ? __alloc_file+0x15a/0x230 [ 144.217860][ T5301] path_openat+0x29f0/0x3170 [ 144.222469][ T5301] ? __stack_depot_save+0x20/0x650 [ 144.227618][ T5301] ? mark_lock+0x9a/0x340 [ 144.232008][ T5301] ? kmem_cache_alloc+0x11f/0x2e0 [ 144.237051][ T5301] ? mark_lock+0x9a/0x340 [ 144.241399][ T5301] ? __lock_acquire+0x1295/0x2000 [ 144.246437][ T5301] ? do_filp_open+0x490/0x490 [ 144.251136][ T5301] do_filp_open+0x234/0x490 [ 144.255665][ T5301] ? vfs_tmpfile+0x4a0/0x4a0 [ 144.260322][ T5301] ? _raw_spin_unlock+0x28/0x40 [ 144.265192][ T5301] ? alloc_fd+0x59c/0x640 [ 144.269540][ T5301] do_sys_openat2+0x13f/0x500 [ 144.274240][ T5301] ? print_irqtrace_events+0x220/0x220 [ 144.279755][ T5301] ? do_sys_open+0x230/0x230 [ 144.284374][ T5301] ? lockdep_hardirqs_on+0x98/0x140 [ 144.289602][ T5301] ? _raw_spin_unlock_irq+0x2e/0x50 [ 144.294829][ T5301] ? ptrace_notify+0x278/0x380 [ 144.299607][ T5301] __x64_sys_openat+0x247/0x290 [ 144.304479][ T5301] ? __ia32_sys_open+0x270/0x270 [ 144.309440][ T5301] ? syscall_enter_from_user_mode+0x8c/0x230 [ 144.315436][ T5301] do_syscall_64+0x41/0xc0 [ 144.319881][ T5301] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 144.325814][ T5301] RIP: 0033:0x7f0100724159 [ 144.330245][ T5301] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 144.349891][ T5301] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 144.358432][ T5301] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 144.366414][ T5301] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5301] <... openat resumed>) = ? [pid 5301] +++ exited with 0 +++ [pid 5300] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5300, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- umount2("./70", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./70", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./70/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./70/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./70/binderfs") = 0 [ 144.374414][ T5301] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 144.382405][ T5301] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 144.390430][ T5301] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 144.398436][ T5301] umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./70/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./70/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./70/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./70") = 0 mkdir("./71", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5304 ./strace-static-x86_64: Process 5304 attached [pid 5304] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5304] chdir("./71") = 0 [pid 5304] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5304] setpgid(0, 0) = 0 [pid 5304] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5304] write(3, "1000", 4) = 4 [pid 5304] close(3) = 0 [pid 5304] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5304] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5304] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5304] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5305], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5305 [pid 5304] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5305 attached [pid 5305] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5305] memfd_create("syzkaller", 0) = 3 [pid 5305] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5305] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5305] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5305] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5305] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5305] close(3) = 0 [pid 5305] mkdir("./file0", 0777) = 0 [ 144.784289][ T5305] loop0: detected capacity change from 0 to 32768 [ 144.794748][ T5305] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 144.803032][ T5305] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 144.813045][ T5305] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 144.821812][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 144.828990][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5305] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5305] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5305] chdir("./file0") = 0 [pid 5305] ioctl(4, LOOP_CLR_FD) = 0 [pid 5305] close(4) = 0 [pid 5305] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5304] <... futex resumed>) = 0 [pid 5304] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 144.870200][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 144.878878][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 144.884218][ T5305] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 144.918776][ T5305] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 144.928396][ T5305] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 144.928396][ T5305] inode = 12 2341 [ 144.928396][ T5305] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 144.947706][ T5305] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 144.957235][ T5305] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5305 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5305] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5304] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5304] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5304] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5304] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5307], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5307 [pid 5304] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5307 attached [pid 5307] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 144.967537][ T5305] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 144.972128][ T5307] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 144.976413][ T5305] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 144.984429][ T5307] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 144.992478][ T5305] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 145.000857][ T5307] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5305 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5307] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5304] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5304] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5304] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5304] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5308], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5308 [pid 5304] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5308 attached [pid 5308] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5308] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5308] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5304] <... futex resumed>) = 0 [ 145.009657][ T5305] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 145.020016][ T5307] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5307 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 145.028592][ T5305] gfs2: fsid=syz:syz.0: File system withdrawn [ 145.039310][ T5307] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 145.042983][ T5305] CPU: 1 PID: 5305 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 145.060998][ T5305] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 145.071077][ T5305] Call Trace: [ 145.074384][ T5305] [ 145.077374][ T5305] dump_stack_lvl+0x1e7/0x2d0 [ 145.082097][ T5305] ? nf_tcp_handle_invalid+0x650/0x650 [ 145.087595][ T5305] ? panic+0x770/0x770 [ 145.091710][ T5305] ? kobject_uevent_env+0x54e/0x8e0 [ 145.096945][ T5305] gfs2_withdraw+0xf48/0x1550 [ 145.101677][ T5305] ? gfs2_lm+0x240/0x240 [ 145.105944][ T5305] ? gfs2_dirent_scan+0xb2/0x640 [ 145.110925][ T5305] ? panic+0x770/0x770 [ 145.115115][ T5305] ? gfs2_consist_inode_i+0xf5/0x110 [ 145.120459][ T5305] gfs2_dirent_scan+0x512/0x640 [ 145.125344][ T5305] ? gfs2_permission+0x268/0x3c0 [ 145.130326][ T5305] ? gfs2_dirent_search+0x8c0/0x8c0 [ 145.135555][ T5305] gfs2_dirent_search+0x30e/0x8c0 [ 145.140626][ T5305] ? gfs2_dirent_search+0x8c0/0x8c0 [ 145.145845][ T5305] ? generic_permission+0x1df/0x550 [ 145.151097][ T5305] ? gfs2_dir_search+0x2f0/0x2f0 [ 145.156083][ T5305] ? gfs2_permission+0x34a/0x3c0 [ 145.161084][ T5305] gfs2_dir_search+0xb2/0x2f0 [pid 5308] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5304] exit_group(0 [pid 5308] <... futex resumed>) = ? [pid 5304] <... exit_group resumed>) = ? [pid 5308] +++ exited with 0 +++ [ 145.165784][ T5305] ? do_filldir_main+0x520/0x520 [ 145.170750][ T5305] ? inode_go_held+0xea/0x200 [ 145.175462][ T5305] ? gfs2_glock_wait+0x21a/0x2b0 [ 145.180439][ T5305] gfs2_lookupi+0x460/0x5d0 [ 145.184980][ T5305] ? gfs2_lookup_simple+0x180/0x180 [ 145.190225][ T5305] ? __gfs2_lookup+0xa4/0x270 [ 145.194914][ T5305] ? d_alloc_parallel+0x1262/0x13a0 [ 145.200151][ T5305] __gfs2_lookup+0xa4/0x270 [ 145.204697][ T5305] ? gfs2_atomic_open+0x230/0x230 [ 145.209738][ T5305] ? __init_waitqueue_head+0xae/0x150 [ 145.215146][ T5305] __lookup_slow+0x282/0x3e0 [ 145.219749][ T5305] ? lookup_one_len+0x2d0/0x2d0 [ 145.224634][ T5305] ? down_read+0x1b5/0x2f0 [ 145.229072][ T5305] lookup_slow+0x53/0x70 [ 145.233326][ T5305] link_path_walk+0x9c8/0xe70 [ 145.238029][ T5305] ? handle_lookup_down+0x130/0x130 [ 145.243246][ T5305] ? lockdep_hardirqs_on+0x98/0x140 [ 145.248499][ T5305] path_lookupat+0xa9/0x450 [ 145.253057][ T5305] do_o_path+0x95/0x230 [ 145.257240][ T5305] ? do_tmpfile+0x330/0x330 [ 145.261770][ T5305] ? __alloc_file+0x15a/0x230 [ 145.266461][ T5305] path_openat+0x29f0/0x3170 [ 145.271066][ T5305] ? __stack_depot_save+0x20/0x650 [ 145.276233][ T5305] ? mark_lock+0x9a/0x340 [ 145.280674][ T5305] ? kmem_cache_alloc+0x11f/0x2e0 [ 145.285739][ T5305] ? mark_lock+0x9a/0x340 [ 145.290103][ T5305] ? __lock_acquire+0x1295/0x2000 [ 145.295150][ T5305] ? do_filp_open+0x490/0x490 [ 145.299871][ T5305] do_filp_open+0x234/0x490 [ 145.304390][ T5305] ? vfs_tmpfile+0x4a0/0x4a0 [ 145.309007][ T5305] ? _raw_spin_unlock+0x28/0x40 [ 145.314046][ T5305] ? alloc_fd+0x59c/0x640 [ 145.318405][ T5305] do_sys_openat2+0x13f/0x500 [ 145.323097][ T5305] ? print_irqtrace_events+0x220/0x220 [ 145.328580][ T5305] ? do_sys_open+0x230/0x230 [ 145.333189][ T5305] ? lockdep_hardirqs_on+0x98/0x140 [ 145.338421][ T5305] ? _raw_spin_unlock_irq+0x2e/0x50 [ 145.343644][ T5305] ? ptrace_notify+0x278/0x380 [ 145.348443][ T5305] __x64_sys_openat+0x247/0x290 [ 145.353331][ T5305] ? __ia32_sys_open+0x270/0x270 [ 145.358328][ T5305] ? syscall_enter_from_user_mode+0x32/0x230 [ 145.364324][ T5305] ? syscall_enter_from_user_mode+0x8c/0x230 [ 145.370330][ T5305] do_syscall_64+0x41/0xc0 [ 145.374796][ T5305] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 145.380723][ T5305] RIP: 0033:0x7f0100724159 [ 145.385188][ T5305] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 145.404806][ T5305] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 145.413242][ T5305] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5307] <... openat resumed>) = ? [pid 5305] <... openat resumed>) = ? [pid 5305] +++ exited with 0 +++ [pid 5307] +++ exited with 0 +++ [pid 5304] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5304, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=43 /* 0.43 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./71", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./71", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./71/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./71/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./71/binderfs") = 0 [ 145.421224][ T5305] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 145.429207][ T5305] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 145.437199][ T5305] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 145.445196][ T5305] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 145.453233][ T5305] umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./71/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./71/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./71/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./71") = 0 mkdir("./72", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5309 ./strace-static-x86_64: Process 5309 attached [pid 5309] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5309] chdir("./72") = 0 [pid 5309] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5309] setpgid(0, 0) = 0 [pid 5309] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5309] write(3, "1000", 4) = 4 [pid 5309] close(3) = 0 [pid 5309] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5309] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5309] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5309] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5309] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5310 attached [pid 5310] set_robust_list(0x7f01006c89e0, 24 [pid 5309] <... clone resumed>, parent_tid=[5310], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5310 [pid 5309] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5309] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5310] <... set_robust_list resumed>) = 0 [pid 5310] memfd_create("syzkaller", 0) = 3 [pid 5310] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5310] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5310] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5310] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5310] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5310] close(3) = 0 [pid 5310] mkdir("./file0", 0777) = 0 [ 145.862199][ T5310] loop0: detected capacity change from 0 to 32768 [ 145.874695][ T5310] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 145.883409][ T5310] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 145.893511][ T5310] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 145.902551][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 145.909717][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5310] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5310] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5310] chdir("./file0") = 0 [pid 5310] ioctl(4, LOOP_CLR_FD) = 0 [pid 5310] close(4) = 0 [pid 5310] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5309] <... futex resumed>) = 0 [pid 5309] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5309] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5310] <... futex resumed>) = 1 [ 145.946724][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 145.954385][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 145.959826][ T5310] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 145.982177][ T5310] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5310] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5309] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 145.991148][ T5310] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 145.991148][ T5310] inode = 12 2341 [ 145.991148][ T5310] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 146.010338][ T5310] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 146.019995][ T5310] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5310 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 146.030331][ T5310] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 146.039450][ T5310] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5309] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5309] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5309] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5309] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5312], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5312 [pid 5309] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 146.047091][ T5310] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 146.056049][ T5310] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 146.064273][ T5310] gfs2: fsid=syz:syz.0: File system withdrawn [ 146.070667][ T5310] CPU: 0 PID: 5310 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 146.081122][ T5310] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 146.091195][ T5310] Call Trace: [ 146.094493][ T5310] [pid 5309] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5309] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5309] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5309] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5309] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5313], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5313 [pid 5309] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 146.097460][ T5310] dump_stack_lvl+0x1e7/0x2d0 [ 146.102197][ T5310] ? nf_tcp_handle_invalid+0x650/0x650 [ 146.107724][ T5310] ? panic+0x770/0x770 [ 146.111826][ T5310] ? kobject_uevent_env+0x54e/0x8e0 [ 146.117049][ T5310] gfs2_withdraw+0xf48/0x1550 [ 146.121756][ T5310] ? gfs2_lm+0x240/0x240 [ 146.126011][ T5310] ? gfs2_dirent_scan+0xb2/0x640 [ 146.130976][ T5310] ? panic+0x770/0x770 [ 146.135091][ T5310] ? gfs2_consist_inode_i+0xf5/0x110 [ 146.140434][ T5310] gfs2_dirent_scan+0x512/0x640 [pid 5309] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5313 attached [pid 5313] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5313] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5313] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5309] <... futex resumed>) = 0 [pid 5313] <... futex resumed>) = 1 [ 146.145332][ T5310] ? gfs2_permission+0x268/0x3c0 [ 146.150333][ T5310] ? gfs2_dirent_search+0x8c0/0x8c0 [ 146.155594][ T5310] gfs2_dirent_search+0x30e/0x8c0 [ 146.160667][ T5310] ? gfs2_dirent_search+0x8c0/0x8c0 [ 146.165989][ T5310] ? generic_permission+0x1df/0x550 [ 146.171223][ T5310] ? gfs2_dir_search+0x2f0/0x2f0 [ 146.176213][ T5310] ? gfs2_permission+0x34a/0x3c0 [ 146.181195][ T5310] gfs2_dir_search+0xb2/0x2f0 [ 146.185898][ T5310] ? do_filldir_main+0x520/0x520 [ 146.190860][ T5310] ? inode_go_held+0xea/0x200 [ 146.195574][ T5310] ? gfs2_glock_wait+0x21a/0x2b0 [ 146.200534][ T5310] gfs2_lookupi+0x460/0x5d0 [ 146.205063][ T5310] ? gfs2_lookup_simple+0x180/0x180 [ 146.210304][ T5310] ? __gfs2_lookup+0xa4/0x270 [ 146.215001][ T5310] ? d_alloc_parallel+0x1262/0x13a0 [ 146.220229][ T5310] __gfs2_lookup+0xa4/0x270 [ 146.224796][ T5310] ? gfs2_atomic_open+0x230/0x230 [ 146.229868][ T5310] ? __init_waitqueue_head+0xae/0x150 [ 146.235289][ T5310] __lookup_slow+0x282/0x3e0 [ 146.239909][ T5310] ? lookup_one_len+0x2d0/0x2d0 [ 146.244796][ T5310] ? down_read+0x1b5/0x2f0 [ 146.249243][ T5310] lookup_slow+0x53/0x70 [ 146.253503][ T5310] link_path_walk+0x9c8/0xe70 [ 146.258213][ T5310] ? handle_lookup_down+0x130/0x130 [ 146.263433][ T5310] ? lockdep_hardirqs_on+0x98/0x140 [ 146.268651][ T5310] path_lookupat+0xa9/0x450 [ 146.273179][ T5310] do_o_path+0x95/0x230 [ 146.277443][ T5310] ? do_tmpfile+0x330/0x330 [ 146.281960][ T5310] ? __alloc_file+0x15a/0x230 [ 146.286653][ T5310] path_openat+0x29f0/0x3170 [ 146.291256][ T5310] ? __stack_depot_save+0x20/0x650 [ 146.296379][ T5310] ? __lock_acquire+0x1295/0x2000 [ 146.301429][ T5310] ? mark_lock+0x9a/0x340 [ 146.305789][ T5310] ? kmem_cache_alloc+0x11f/0x2e0 [ 146.310912][ T5310] ? mark_lock+0x9a/0x340 [ 146.315267][ T5310] ? __lock_acquire+0x1295/0x2000 [ 146.320305][ T5310] ? do_filp_open+0x490/0x490 [ 146.325007][ T5310] do_filp_open+0x234/0x490 [ 146.329533][ T5310] ? vfs_tmpfile+0x4a0/0x4a0 [ 146.334156][ T5310] ? _raw_spin_unlock+0x28/0x40 [ 146.339018][ T5310] ? alloc_fd+0x59c/0x640 [ 146.343377][ T5310] do_sys_openat2+0x13f/0x500 [ 146.348072][ T5310] ? print_irqtrace_events+0x220/0x220 [ 146.353549][ T5310] ? do_sys_open+0x230/0x230 [ 146.358155][ T5310] ? lockdep_hardirqs_on+0x98/0x140 [ 146.363369][ T5310] ? _raw_spin_unlock_irq+0x2e/0x50 [ 146.368599][ T5310] ? ptrace_notify+0x278/0x380 [ 146.373419][ T5310] __x64_sys_openat+0x247/0x290 [ 146.378308][ T5310] ? __ia32_sys_open+0x270/0x270 [ 146.383269][ T5310] ? syscall_enter_from_user_mode+0x32/0x230 [ 146.389270][ T5310] ? syscall_enter_from_user_mode+0x8c/0x230 [ 146.395281][ T5310] do_syscall_64+0x41/0xc0 [ 146.399720][ T5310] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 146.405637][ T5310] RIP: 0033:0x7f0100724159 [ 146.410065][ T5310] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 146.429684][ T5310] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 146.438127][ T5310] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [pid 5313] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 5312 attached [pid 5312] set_robust_list(0x7f00f92a79e0, 24 [pid 5310] <... openat resumed>) = -1 EIO (Input/output error) [pid 5312] <... set_robust_list resumed>) = 0 [pid 5310] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5312] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5310] <... futex resumed>) = 0 [pid 5312] <... openat resumed>) = -1 EIO (Input/output error) [pid 5310] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5312] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5312] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5309] exit_group(0 [pid 5312] <... futex resumed>) = ? [pid 5310] <... futex resumed>) = ? [pid 5312] +++ exited with 0 +++ [pid 5310] +++ exited with 0 +++ [pid 5309] <... exit_group resumed>) = ? [pid 5313] <... futex resumed>) = ? [pid 5313] +++ exited with 0 +++ [pid 5309] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5309, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./72", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./72", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./72/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./72/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./72/binderfs") = 0 [ 146.446107][ T5310] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 146.454092][ T5310] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 146.462078][ T5310] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 146.470057][ T5310] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 146.478052][ T5310] umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./72/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./72/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./72/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./72") = 0 mkdir("./73", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5314 ./strace-static-x86_64: Process 5314 attached [pid 5314] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5314] chdir("./73") = 0 [pid 5314] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5314] setpgid(0, 0) = 0 [pid 5314] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5314] write(3, "1000", 4) = 4 [pid 5314] close(3) = 0 [pid 5314] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5314] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5314] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5314] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5314] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5315 attached , parent_tid=[5315], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5315 [pid 5314] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5314] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5315] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5315] memfd_create("syzkaller", 0) = 3 [pid 5315] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5315] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5315] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5315] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5315] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5315] close(3) = 0 [pid 5315] mkdir("./file0", 0777) = 0 [ 146.914192][ T5315] loop0: detected capacity change from 0 to 32768 [ 146.926525][ T5315] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 146.934793][ T5315] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 146.944714][ T5315] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 146.953624][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 146.960636][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5315] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5315] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5315] chdir("./file0") = 0 [pid 5315] ioctl(4, LOOP_CLR_FD) = 0 [pid 5315] close(4) = 0 [pid 5315] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5314] <... futex resumed>) = 0 [pid 5314] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5314] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5315] <... futex resumed>) = 1 [ 147.003356][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 147.012801][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 147.018445][ T5315] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 147.032765][ T5315] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 147.041710][ T5315] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 147.041710][ T5315] inode = 12 2341 [pid 5315] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5314] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5314] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5314] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5314] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5314] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5317], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5317 [pid 5314] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5314] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5317 attached [pid 5317] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5317] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5317] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5314] <... futex resumed>) = 0 [pid 5314] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5314] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5317] <... futex resumed>) = 1 [pid 5317] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5317] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5314] <... futex resumed>) = 0 [pid 5317] <... futex resumed>) = 1 [ 147.041710][ T5315] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 147.060955][ T5315] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 147.070547][ T5315] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5315 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 147.081206][ T5315] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 147.090284][ T5315] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 147.097765][ T5315] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 147.106574][ T5315] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 147.113238][ T5315] gfs2: fsid=syz:syz.0: File system withdrawn [ 147.119396][ T5315] CPU: 0 PID: 5315 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 147.129838][ T5315] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 147.139929][ T5315] Call Trace: [ 147.143216][ T5315] [ 147.146164][ T5315] dump_stack_lvl+0x1e7/0x2d0 [ 147.150908][ T5315] ? nf_tcp_handle_invalid+0x650/0x650 [ 147.156417][ T5315] ? panic+0x770/0x770 [ 147.160604][ T5315] ? kobject_uevent_env+0x54e/0x8e0 [ 147.165864][ T5315] gfs2_withdraw+0xf48/0x1550 [ 147.170596][ T5315] ? gfs2_lm+0x240/0x240 [ 147.174873][ T5315] ? gfs2_dirent_scan+0xb2/0x640 [ 147.179838][ T5315] ? panic+0x770/0x770 [ 147.183950][ T5315] ? gfs2_consist_inode_i+0xf5/0x110 [ 147.189254][ T5315] gfs2_dirent_scan+0x512/0x640 [ 147.194144][ T5315] ? gfs2_permission+0x268/0x3c0 [ 147.199127][ T5315] ? gfs2_dirent_search+0x8c0/0x8c0 [ 147.204356][ T5315] gfs2_dirent_search+0x30e/0x8c0 [ 147.209391][ T5315] ? gfs2_dirent_search+0x8c0/0x8c0 [ 147.214599][ T5315] ? generic_permission+0x1df/0x550 [ 147.219812][ T5315] ? gfs2_dir_search+0x2f0/0x2f0 [ 147.224761][ T5315] ? gfs2_permission+0x34a/0x3c0 [ 147.229728][ T5315] gfs2_dir_search+0xb2/0x2f0 [ 147.234426][ T5315] ? do_filldir_main+0x520/0x520 [ 147.239378][ T5315] ? inode_go_held+0xea/0x200 [ 147.244078][ T5315] ? gfs2_glock_wait+0x21a/0x2b0 [ 147.249037][ T5315] gfs2_lookupi+0x460/0x5d0 [ 147.253581][ T5315] ? gfs2_lookup_simple+0x180/0x180 [ 147.258809][ T5315] ? __gfs2_lookup+0xa4/0x270 [ 147.263512][ T5315] ? d_alloc_parallel+0x1262/0x13a0 [ 147.268729][ T5315] __gfs2_lookup+0xa4/0x270 [ 147.273242][ T5315] ? gfs2_atomic_open+0x230/0x230 [ 147.278285][ T5315] ? __init_waitqueue_head+0xae/0x150 [ 147.283677][ T5315] __lookup_slow+0x282/0x3e0 [ 147.288295][ T5315] ? lookup_one_len+0x2d0/0x2d0 [ 147.293167][ T5315] ? down_read+0x1b5/0x2f0 [ 147.297603][ T5315] lookup_slow+0x53/0x70 [ 147.301861][ T5315] link_path_walk+0x9c8/0xe70 [ 147.306592][ T5315] ? handle_lookup_down+0x130/0x130 [ 147.311813][ T5315] ? lockdep_hardirqs_on+0x98/0x140 [ 147.317025][ T5315] path_lookupat+0xa9/0x450 [ 147.321556][ T5315] do_o_path+0x95/0x230 [ 147.325738][ T5315] ? do_tmpfile+0x330/0x330 [ 147.330259][ T5315] ? __alloc_file+0x15a/0x230 [ 147.334967][ T5315] path_openat+0x29f0/0x3170 [ 147.339573][ T5315] ? __stack_depot_save+0x20/0x650 [ 147.344699][ T5315] ? mark_lock+0x9a/0x340 [ 147.349050][ T5315] ? kmem_cache_alloc+0x11f/0x2e0 [ 147.354096][ T5315] ? mark_lock+0x9a/0x340 [ 147.358456][ T5315] ? __lock_acquire+0x1295/0x2000 [ 147.363496][ T5315] ? do_filp_open+0x490/0x490 [ 147.368199][ T5315] do_filp_open+0x234/0x490 [ 147.372714][ T5315] ? vfs_tmpfile+0x4a0/0x4a0 [ 147.377332][ T5315] ? _raw_spin_unlock+0x28/0x40 [ 147.382191][ T5315] ? alloc_fd+0x59c/0x640 [ 147.386567][ T5315] do_sys_openat2+0x13f/0x500 [ 147.391259][ T5315] ? print_irqtrace_events+0x220/0x220 [ 147.396750][ T5315] ? do_sys_open+0x230/0x230 [ 147.401363][ T5315] ? lockdep_hardirqs_on+0x98/0x140 [ 147.406571][ T5315] ? _raw_spin_unlock_irq+0x2e/0x50 [ 147.411791][ T5315] ? ptrace_notify+0x278/0x380 [ 147.416573][ T5315] __x64_sys_openat+0x247/0x290 [ 147.421443][ T5315] ? __ia32_sys_open+0x270/0x270 [ 147.426415][ T5315] ? syscall_enter_from_user_mode+0x32/0x230 [ 147.432410][ T5315] ? syscall_enter_from_user_mode+0x8c/0x230 [ 147.438425][ T5315] do_syscall_64+0x41/0xc0 [ 147.442901][ T5315] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 147.448808][ T5315] RIP: 0033:0x7f0100724159 [ 147.453239][ T5315] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 147.472868][ T5315] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 147.481297][ T5315] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 147.489280][ T5315] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 147.497283][ T5315] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [pid 5317] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5315] <... openat resumed>) = -1 EIO (Input/output error) [pid 5315] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5314] exit_group(0 [pid 5315] <... futex resumed>) = ? [pid 5314] <... exit_group resumed>) = ? [pid 5315] +++ exited with 0 +++ [pid 5317] <... futex resumed>) = ? [pid 5317] +++ exited with 0 +++ [pid 5314] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5314, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./73", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./73", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./73/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./73/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./73/binderfs") = 0 [ 147.505265][ T5315] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 147.513248][ T5315] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 147.521240][ T5315] umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./73/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./73/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./73/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./73") = 0 mkdir("./74", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5318 ./strace-static-x86_64: Process 5318 attached [pid 5318] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5318] chdir("./74") = 0 [pid 5318] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5318] setpgid(0, 0) = 0 [pid 5318] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5318] write(3, "1000", 4) = 4 [pid 5318] close(3) = 0 [pid 5318] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5318] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5318] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5318] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5318] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5319 attached , parent_tid=[5319], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5319 [pid 5318] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5318] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5319] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5319] memfd_create("syzkaller", 0) = 3 [pid 5319] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5319] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5319] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5319] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5319] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5319] close(3) = 0 [pid 5319] mkdir("./file0", 0777) = 0 [ 147.900044][ T5319] loop0: detected capacity change from 0 to 32768 [ 147.911644][ T5319] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 147.919959][ T5319] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 147.930225][ T5319] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 147.939205][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 147.946074][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5319] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5319] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5319] chdir("./file0") = 0 [pid 5319] ioctl(4, LOOP_CLR_FD) = 0 [pid 5319] close(4) = 0 [pid 5319] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5318] <... futex resumed>) = 0 [pid 5318] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5318] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5319] <... futex resumed>) = 1 [ 147.983774][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 147.991920][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 147.997261][ T5319] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 148.012335][ T5319] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 148.020955][ T5319] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 148.020955][ T5319] inode = 12 2341 [pid 5319] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5318] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5318] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5318] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5318] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5318] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5321], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5321 [pid 5318] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5318] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5321 attached [pid 5321] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5321] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5321] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5318] <... futex resumed>) = 0 [pid 5318] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5318] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5321] <... futex resumed>) = 1 [pid 5321] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5321] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5318] <... futex resumed>) = 0 [pid 5321] <... futex resumed>) = 1 [ 148.020955][ T5319] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 148.043186][ T5319] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 148.052544][ T5319] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5319 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 148.063139][ T5319] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 148.072118][ T5319] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 148.079607][ T5319] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 148.088600][ T5319] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 148.095228][ T5319] gfs2: fsid=syz:syz.0: File system withdrawn [ 148.101565][ T5319] CPU: 0 PID: 5319 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 148.112015][ T5319] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 148.122080][ T5319] Call Trace: [ 148.125370][ T5319] [ 148.128307][ T5319] dump_stack_lvl+0x1e7/0x2d0 [ 148.133009][ T5319] ? nf_tcp_handle_invalid+0x650/0x650 [ 148.138486][ T5319] ? panic+0x770/0x770 [ 148.142565][ T5319] ? kobject_uevent_env+0x54e/0x8e0 [ 148.147787][ T5319] gfs2_withdraw+0xf48/0x1550 [ 148.152502][ T5319] ? gfs2_lm+0x240/0x240 [ 148.156775][ T5319] ? gfs2_dirent_scan+0xb2/0x640 [ 148.161726][ T5319] ? panic+0x770/0x770 [ 148.165819][ T5319] ? gfs2_consist_inode_i+0xf5/0x110 [ 148.171126][ T5319] gfs2_dirent_scan+0x512/0x640 [ 148.175990][ T5319] ? gfs2_permission+0x268/0x3c0 [ 148.180946][ T5319] ? gfs2_dirent_search+0x8c0/0x8c0 [ 148.186165][ T5319] gfs2_dirent_search+0x30e/0x8c0 [ 148.191201][ T5319] ? gfs2_dirent_search+0x8c0/0x8c0 [ 148.196432][ T5319] ? generic_permission+0x1df/0x550 [ 148.201642][ T5319] ? gfs2_dir_search+0x2f0/0x2f0 [ 148.206593][ T5319] ? gfs2_permission+0x34a/0x3c0 [ 148.211551][ T5319] gfs2_dir_search+0xb2/0x2f0 [ 148.216240][ T5319] ? do_filldir_main+0x520/0x520 [ 148.221187][ T5319] ? inode_go_held+0xea/0x200 [ 148.225876][ T5319] ? gfs2_glock_wait+0x21a/0x2b0 [ 148.230839][ T5319] gfs2_lookupi+0x460/0x5d0 [ 148.235374][ T5319] ? gfs2_lookup_simple+0x180/0x180 [ 148.240607][ T5319] ? __gfs2_lookup+0xa4/0x270 [ 148.245288][ T5319] ? d_alloc_parallel+0x1262/0x13a0 [ 148.250505][ T5319] __gfs2_lookup+0xa4/0x270 [ 148.255017][ T5319] ? gfs2_atomic_open+0x230/0x230 [ 148.260057][ T5319] ? __init_waitqueue_head+0xae/0x150 [ 148.265444][ T5319] __lookup_slow+0x282/0x3e0 [ 148.270045][ T5319] ? lookup_one_len+0x2d0/0x2d0 [ 148.274927][ T5319] ? down_read+0x1b5/0x2f0 [ 148.279366][ T5319] lookup_slow+0x53/0x70 [ 148.283622][ T5319] link_path_walk+0x9c8/0xe70 [ 148.288323][ T5319] ? handle_lookup_down+0x130/0x130 [ 148.293557][ T5319] ? lockdep_hardirqs_on+0x98/0x140 [ 148.298771][ T5319] path_lookupat+0xa9/0x450 [ 148.303290][ T5319] do_o_path+0x95/0x230 [ 148.307552][ T5319] ? do_tmpfile+0x330/0x330 [ 148.312073][ T5319] ? __alloc_file+0x15a/0x230 [ 148.316768][ T5319] path_openat+0x29f0/0x3170 [ 148.321393][ T5319] ? __stack_depot_save+0x20/0x650 [ 148.326517][ T5319] ? __lock_acquire+0x1295/0x2000 [ 148.331562][ T5319] ? mark_lock+0x9a/0x340 [ 148.335903][ T5319] ? kmem_cache_alloc+0x11f/0x2e0 [ 148.340942][ T5319] ? mark_lock+0x9a/0x340 [ 148.345378][ T5319] ? __lock_acquire+0x1295/0x2000 [ 148.350419][ T5319] ? do_filp_open+0x490/0x490 [ 148.355213][ T5319] do_filp_open+0x234/0x490 [ 148.359734][ T5319] ? vfs_tmpfile+0x4a0/0x4a0 [ 148.364358][ T5319] ? _raw_spin_unlock+0x28/0x40 [ 148.369215][ T5319] ? alloc_fd+0x59c/0x640 [ 148.373571][ T5319] do_sys_openat2+0x13f/0x500 [ 148.378266][ T5319] ? print_irqtrace_events+0x220/0x220 [ 148.383745][ T5319] ? do_sys_open+0x230/0x230 [ 148.388355][ T5319] ? lockdep_hardirqs_on+0x98/0x140 [ 148.393567][ T5319] ? _raw_spin_unlock_irq+0x2e/0x50 [ 148.398781][ T5319] ? ptrace_notify+0x278/0x380 [ 148.403585][ T5319] __x64_sys_openat+0x247/0x290 [ 148.408466][ T5319] ? __ia32_sys_open+0x270/0x270 [ 148.413421][ T5319] ? syscall_enter_from_user_mode+0x32/0x230 [ 148.419416][ T5319] ? syscall_enter_from_user_mode+0x8c/0x230 [ 148.425419][ T5319] do_syscall_64+0x41/0xc0 [ 148.429861][ T5319] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 148.435765][ T5319] RIP: 0033:0x7f0100724159 [ 148.440192][ T5319] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 148.459811][ T5319] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 148.468242][ T5319] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 148.476220][ T5319] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5321] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5319] <... openat resumed>) = -1 EIO (Input/output error) [pid 5319] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5319] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5318] exit_group(0 [pid 5321] <... futex resumed>) = ? [pid 5319] <... futex resumed>) = ? [pid 5318] <... exit_group resumed>) = ? [pid 5321] +++ exited with 0 +++ [pid 5319] +++ exited with 0 +++ [pid 5318] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5318, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./74", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./74", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./74/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./74/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 [ 148.484199][ T5319] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 148.492180][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 148.500162][ T5319] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 148.508154][ T5319] unlink("./74/binderfs") = 0 umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./74/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./74/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./74/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./74") = 0 mkdir("./75", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5322 ./strace-static-x86_64: Process 5322 attached [pid 5322] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5322] chdir("./75") = 0 [pid 5322] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5322] setpgid(0, 0) = 0 [pid 5322] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5322] write(3, "1000", 4) = 4 [pid 5322] close(3) = 0 [pid 5322] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5322] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5322] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5322] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5322] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5323], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5323 [pid 5322] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5322] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5323 attached [pid 5323] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5323] memfd_create("syzkaller", 0) = 3 [pid 5323] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5323] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5323] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5323] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5323] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5323] close(3) = 0 [pid 5323] mkdir("./file0", 0777) = 0 [ 148.939564][ T5323] loop0: detected capacity change from 0 to 32768 [ 148.954062][ T5323] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 148.962513][ T5323] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 148.973212][ T5323] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 148.982612][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 148.989945][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5323] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5323] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5323] chdir("./file0") = 0 [pid 5323] ioctl(4, LOOP_CLR_FD) = 0 [pid 5323] close(4) = 0 [pid 5323] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5322] <... futex resumed>) = 0 [pid 5322] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5322] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5323] <... futex resumed>) = 1 [ 149.031879][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 149.039450][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 149.044713][ T5323] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 149.060044][ T5323] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 149.068950][ T5323] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 149.068950][ T5323] inode = 12 2341 [pid 5323] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5322] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 149.068950][ T5323] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 149.088244][ T5323] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 149.097755][ T5323] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5323 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 149.108314][ T5323] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 149.116921][ T5323] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5322] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5322] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5322] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5322] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5325], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5325 [pid 5322] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 149.124687][ T5323] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 149.133863][ T5323] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 149.140784][ T5323] gfs2: fsid=syz:syz.0: File system withdrawn [ 149.147116][ T5323] CPU: 0 PID: 5323 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 149.157563][ T5323] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 149.167651][ T5323] Call Trace: [ 149.170950][ T5323] [ 149.173905][ T5323] dump_stack_lvl+0x1e7/0x2d0 [pid 5322] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5322] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5322] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5322] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5322] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5326], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5326 [pid 5322] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5322] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5326 attached [pid 5326] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5326] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5326] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5322] <... futex resumed>) = 0 [pid 5326] <... futex resumed>) = 1 [ 149.178603][ T5323] ? nf_tcp_handle_invalid+0x650/0x650 [ 149.184085][ T5323] ? panic+0x770/0x770 [ 149.188163][ T5323] ? kobject_uevent_env+0x54e/0x8e0 [ 149.193383][ T5323] gfs2_withdraw+0xf48/0x1550 [ 149.198088][ T5323] ? gfs2_lm+0x240/0x240 [ 149.202782][ T5323] ? gfs2_dirent_scan+0xb2/0x640 [ 149.207750][ T5323] ? panic+0x770/0x770 [ 149.211854][ T5323] ? gfs2_consist_inode_i+0xf5/0x110 [ 149.217193][ T5323] gfs2_dirent_scan+0x512/0x640 [ 149.222109][ T5323] ? gfs2_permission+0x268/0x3c0 [ 149.227110][ T5323] ? gfs2_dirent_search+0x8c0/0x8c0 [ 149.232365][ T5323] gfs2_dirent_search+0x30e/0x8c0 [ 149.237412][ T5323] ? gfs2_dirent_search+0x8c0/0x8c0 [ 149.242638][ T5323] ? generic_permission+0x1df/0x550 [ 149.247855][ T5323] ? gfs2_dir_search+0x2f0/0x2f0 [ 149.252808][ T5323] ? gfs2_permission+0x34a/0x3c0 [ 149.257772][ T5323] gfs2_dir_search+0xb2/0x2f0 [ 149.262465][ T5323] ? do_filldir_main+0x520/0x520 [ 149.267414][ T5323] ? inode_go_held+0xea/0x200 [ 149.272102][ T5323] ? gfs2_glock_wait+0x21a/0x2b0 [ 149.277061][ T5323] gfs2_lookupi+0x460/0x5d0 [ 149.281588][ T5323] ? gfs2_lookup_simple+0x180/0x180 [ 149.286807][ T5323] ? __gfs2_lookup+0xa4/0x270 [ 149.291498][ T5323] ? d_alloc_parallel+0x1262/0x13a0 [ 149.296713][ T5323] __gfs2_lookup+0xa4/0x270 [ 149.301227][ T5323] ? gfs2_atomic_open+0x230/0x230 [ 149.306300][ T5323] ? __init_waitqueue_head+0xae/0x150 [ 149.311698][ T5323] __lookup_slow+0x282/0x3e0 [ 149.316305][ T5323] ? lookup_one_len+0x2d0/0x2d0 [ 149.321181][ T5323] ? down_read+0x1b5/0x2f0 [ 149.325648][ T5323] lookup_slow+0x53/0x70 [ 149.329901][ T5323] link_path_walk+0x9c8/0xe70 [ 149.334608][ T5323] ? handle_lookup_down+0x130/0x130 [ 149.339826][ T5323] ? lockdep_hardirqs_on+0x98/0x140 [ 149.345046][ T5323] path_lookupat+0xa9/0x450 [ 149.349570][ T5323] do_o_path+0x95/0x230 [ 149.354091][ T5323] ? do_tmpfile+0x330/0x330 [ 149.358609][ T5323] ? __alloc_file+0x15a/0x230 [ 149.363305][ T5323] path_openat+0x29f0/0x3170 [ 149.367908][ T5323] ? __stack_depot_save+0x20/0x650 [ 149.373051][ T5323] ? mark_lock+0x9a/0x340 [ 149.377395][ T5323] ? kmem_cache_alloc+0x11f/0x2e0 [ 149.382432][ T5323] ? mark_lock+0x9a/0x340 [ 149.386780][ T5323] ? __lock_acquire+0x1295/0x2000 [ 149.391821][ T5323] ? do_filp_open+0x490/0x490 [ 149.396527][ T5323] do_filp_open+0x234/0x490 [ 149.401048][ T5323] ? vfs_tmpfile+0x4a0/0x4a0 [ 149.405671][ T5323] ? _raw_spin_unlock+0x28/0x40 [ 149.410532][ T5323] ? alloc_fd+0x59c/0x640 [ 149.414888][ T5323] do_sys_openat2+0x13f/0x500 [ 149.419587][ T5323] ? print_irqtrace_events+0x220/0x220 [ 149.425063][ T5323] ? do_sys_open+0x230/0x230 [ 149.429670][ T5323] ? lockdep_hardirqs_on+0x98/0x140 [ 149.434880][ T5323] ? _raw_spin_unlock_irq+0x2e/0x50 [ 149.440087][ T5323] ? ptrace_notify+0x278/0x380 [ 149.444864][ T5323] __x64_sys_openat+0x247/0x290 [ 149.449737][ T5323] ? __ia32_sys_open+0x270/0x270 [ 149.454695][ T5323] ? syscall_enter_from_user_mode+0x32/0x230 [ 149.460692][ T5323] ? syscall_enter_from_user_mode+0x8c/0x230 [ 149.466686][ T5323] do_syscall_64+0x41/0xc0 [ 149.471120][ T5323] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 149.477038][ T5323] RIP: 0033:0x7f0100724159 [ 149.481462][ T5323] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 149.501082][ T5323] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 149.509507][ T5323] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 149.517491][ T5323] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 149.525471][ T5323] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [pid 5326] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 5325 attached [pid 5323] <... openat resumed>) = -1 EIO (Input/output error) [pid 5325] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5325] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5325] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5325] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5323] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5323] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5322] exit_group(0 [pid 5325] <... futex resumed>) = ? [pid 5323] <... futex resumed>) = ? [pid 5322] <... exit_group resumed>) = ? [pid 5325] +++ exited with 0 +++ [pid 5323] +++ exited with 0 +++ [pid 5326] <... futex resumed>) = ? [pid 5326] +++ exited with 0 +++ [pid 5322] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5322, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./75", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./75", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./75/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./75/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./75/binderfs") = 0 [ 149.533451][ T5323] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 149.541435][ T5323] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 149.549432][ T5323] umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./75/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./75/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./75/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./75") = 0 mkdir("./76", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5327 ./strace-static-x86_64: Process 5327 attached [pid 5327] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5327] chdir("./76") = 0 [pid 5327] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5327] setpgid(0, 0) = 0 [pid 5327] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5327] write(3, "1000", 4) = 4 [pid 5327] close(3) = 0 [pid 5327] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5327] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5327] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5327] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5327] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5328], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5328 [pid 5327] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5327] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5328 attached [pid 5328] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5328] memfd_create("syzkaller", 0) = 3 [pid 5328] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5328] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5328] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5328] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5328] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5328] close(3) = 0 [pid 5328] mkdir("./file0", 0777) = 0 [ 149.937104][ T5328] loop0: detected capacity change from 0 to 32768 [ 149.947505][ T5328] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 149.955725][ T5328] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 149.965176][ T5328] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 149.973853][ T22] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 149.980751][ T22] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5328] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5328] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5328] chdir("./file0") = 0 [pid 5328] ioctl(4, LOOP_CLR_FD) = 0 [pid 5328] close(4) = 0 [pid 5328] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5327] <... futex resumed>) = 0 [pid 5327] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5327] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5328] <... futex resumed>) = 1 [ 150.024994][ T22] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 150.033308][ T22] gfs2: fsid=syz:syz.0: jid=0: Done [ 150.038761][ T5328] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 150.056556][ T5328] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5328] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5327] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5327] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5327] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5327] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5327] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5327] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5330], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5330 [pid 5327] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5327] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5330 attached [pid 5330] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 150.075602][ T5328] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 150.075602][ T5328] inode = 12 2341 [ 150.075602][ T5328] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 150.094846][ T5328] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 150.104449][ T5328] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5328 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 150.114917][ T5330] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5330] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5327] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5327] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5327] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5327] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5327] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5331], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5331 [pid 5327] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 150.115489][ T5328] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5330 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 150.124269][ T5330] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 150.124269][ T5330] inode = 12 2341 [ 150.124269][ T5330] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 150.133408][ T5328] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 150.160821][ T5328] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5327] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5331 attached [pid 5331] set_robust_list(0x7f00f92869e0, 24) = 0 [pid 5331] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5331] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5327] <... futex resumed>) = 0 [pid 5331] <... futex resumed>) = 1 [ 150.168100][ T5328] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 150.177536][ T5330] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 150.177584][ T5330] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5328 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 150.177626][ T5330] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5330 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 150.177662][ T5330] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 150.216216][ T5328] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 150.223007][ T5328] gfs2: fsid=syz:syz.0: File system withdrawn [ 150.229608][ T5328] CPU: 0 PID: 5328 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 150.240032][ T5328] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 150.250103][ T5328] Call Trace: [ 150.253383][ T5328] [ 150.256325][ T5328] dump_stack_lvl+0x1e7/0x2d0 [ 150.261022][ T5328] ? nf_tcp_handle_invalid+0x650/0x650 [ 150.266489][ T5328] ? panic+0x770/0x770 [ 150.270574][ T5328] ? kobject_uevent_env+0x54e/0x8e0 [ 150.275784][ T5328] gfs2_withdraw+0xf48/0x1550 [ 150.280481][ T5328] ? gfs2_lm+0x240/0x240 [ 150.284729][ T5328] ? gfs2_dirent_scan+0xb2/0x640 [ 150.289760][ T5328] ? panic+0x770/0x770 [ 150.293837][ T5328] ? gfs2_consist_inode_i+0xf5/0x110 [ 150.299150][ T5328] gfs2_dirent_scan+0x512/0x640 [ 150.304002][ T5328] ? gfs2_permission+0x268/0x3c0 [ 150.308950][ T5328] ? gfs2_dirent_search+0x8c0/0x8c0 [ 150.314154][ T5328] gfs2_dirent_search+0x30e/0x8c0 [ 150.319201][ T5328] ? gfs2_dirent_search+0x8c0/0x8c0 [ 150.324411][ T5328] ? generic_permission+0x1df/0x550 [ 150.329634][ T5328] ? gfs2_dir_search+0x2f0/0x2f0 [ 150.334592][ T5328] ? gfs2_permission+0x34a/0x3c0 [ 150.339556][ T5328] gfs2_dir_search+0xb2/0x2f0 [ 150.344245][ T5328] ? do_filldir_main+0x520/0x520 [ 150.349187][ T5328] ? inode_go_held+0xea/0x200 [ 150.353880][ T5328] ? gfs2_glock_wait+0x21a/0x2b0 [ 150.358915][ T5328] gfs2_lookupi+0x460/0x5d0 [ 150.363437][ T5328] ? gfs2_lookup_simple+0x180/0x180 [ 150.368645][ T5328] ? __gfs2_lookup+0xa4/0x270 [ 150.373329][ T5328] ? d_alloc_parallel+0x1262/0x13a0 [ 150.378536][ T5328] __gfs2_lookup+0xa4/0x270 [ 150.383054][ T5328] ? gfs2_atomic_open+0x230/0x230 [ 150.388094][ T5328] ? __init_waitqueue_head+0xae/0x150 [ 150.393482][ T5328] __lookup_slow+0x282/0x3e0 [ 150.398080][ T5328] ? lookup_one_len+0x2d0/0x2d0 [ 150.402943][ T5328] ? down_read+0x1b5/0x2f0 [ 150.407374][ T5328] lookup_slow+0x53/0x70 [ 150.411619][ T5328] link_path_walk+0x9c8/0xe70 [ 150.416323][ T5328] ? handle_lookup_down+0x130/0x130 [ 150.421528][ T5328] ? lockdep_hardirqs_on+0x98/0x140 [ 150.426740][ T5328] path_lookupat+0xa9/0x450 [ 150.431255][ T5328] do_o_path+0x95/0x230 [ 150.435423][ T5328] ? do_tmpfile+0x330/0x330 [ 150.439938][ T5328] ? __alloc_file+0x15a/0x230 [ 150.444624][ T5328] path_openat+0x29f0/0x3170 [ 150.449225][ T5328] ? __stack_depot_save+0x20/0x650 [ 150.454342][ T5328] ? __lock_acquire+0x1295/0x2000 [ 150.459377][ T5328] ? mark_lock+0x9a/0x340 [ 150.463710][ T5328] ? kmem_cache_alloc+0x11f/0x2e0 [ 150.468739][ T5328] ? mark_lock+0x9a/0x340 [ 150.473096][ T5328] ? __lock_acquire+0x1295/0x2000 [ 150.478145][ T5328] ? do_filp_open+0x490/0x490 [ 150.482853][ T5328] do_filp_open+0x234/0x490 [ 150.487373][ T5328] ? vfs_tmpfile+0x4a0/0x4a0 [ 150.491985][ T5328] ? _raw_spin_unlock+0x28/0x40 [ 150.496839][ T5328] ? alloc_fd+0x59c/0x640 [ 150.501195][ T5328] do_sys_openat2+0x13f/0x500 [ 150.505880][ T5328] ? print_irqtrace_events+0x220/0x220 [ 150.511546][ T5328] ? do_sys_open+0x230/0x230 [ 150.516146][ T5328] ? lockdep_hardirqs_on+0x98/0x140 [ 150.521353][ T5328] ? _raw_spin_unlock_irq+0x2e/0x50 [ 150.526558][ T5328] ? ptrace_notify+0x278/0x380 [ 150.531337][ T5328] __x64_sys_openat+0x247/0x290 [ 150.536199][ T5328] ? __ia32_sys_open+0x270/0x270 [ 150.541152][ T5328] ? syscall_enter_from_user_mode+0x32/0x230 [ 150.547149][ T5328] ? syscall_enter_from_user_mode+0x8c/0x230 [ 150.553172][ T5328] do_syscall_64+0x41/0xc0 [ 150.557600][ T5328] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 150.563496][ T5328] RIP: 0033:0x7f0100724159 [ 150.567913][ T5328] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 150.587521][ T5328] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 150.595937][ T5328] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 150.603911][ T5328] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 150.611894][ T5328] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 150.619868][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5331] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5328] <... openat resumed>) = -1 EIO (Input/output error) [pid 5330] <... openat resumed>) = -1 EIO (Input/output error) [pid 5328] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5328] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5330] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5330] futex(0x7f01007b3798, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5327] exit_group(0 [pid 5331] <... futex resumed>) = ? [pid 5330] <... futex resumed>) = ? [pid 5327] <... exit_group resumed>) = ? [pid 5331] +++ exited with 0 +++ [pid 5330] +++ exited with 0 +++ [pid 5328] <... futex resumed>) = ? [pid 5328] +++ exited with 0 +++ [pid 5327] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5327, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=42 /* 0.42 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./76", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./76", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./76/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./76/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./76/binderfs") = 0 [ 150.627847][ T5328] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 150.635830][ T5328] umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./76/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./76/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./76/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./76") = 0 mkdir("./77", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5332 ./strace-static-x86_64: Process 5332 attached [pid 5332] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5332] chdir("./77") = 0 [pid 5332] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5332] setpgid(0, 0) = 0 [pid 5332] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5332] write(3, "1000", 4) = 4 [pid 5332] close(3) = 0 [pid 5332] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5332] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5332] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5332] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5332] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5333], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5333 [pid 5332] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5332] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5333 attached [pid 5333] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5333] memfd_create("syzkaller", 0) = 3 [pid 5333] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5333] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5333] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5333] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5333] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5333] close(3) = 0 [pid 5333] mkdir("./file0", 0777) = 0 [ 151.007806][ T5333] loop0: detected capacity change from 0 to 32768 [ 151.019396][ T5333] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 151.027780][ T5333] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 151.037095][ T5333] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 151.045765][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 151.052662][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5333] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5333] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5333] chdir("./file0") = 0 [pid 5333] ioctl(4, LOOP_CLR_FD) = 0 [pid 5333] close(4) = 0 [pid 5333] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5332] <... futex resumed>) = 0 [pid 5333] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5332] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 151.097707][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 151.105256][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 151.110726][ T5333] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 151.125519][ T5333] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 151.134494][ T5333] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 151.134494][ T5333] inode = 12 2341 [pid 5332] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 151.134494][ T5333] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 151.153384][ T5333] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 151.162667][ T5333] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5333 [syz-executor173] __gfs2_lookup+0xa4/0x270 [ 151.172799][ T5333] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 151.181493][ T5333] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 151.188842][ T5333] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5332] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 151.197738][ T5333] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 151.204384][ T5333] gfs2: fsid=syz:syz.0: File system withdrawn [ 151.210638][ T5333] CPU: 0 PID: 5333 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 151.221090][ T5333] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 151.231157][ T5333] Call Trace: [ 151.234444][ T5333] [ 151.237383][ T5333] dump_stack_lvl+0x1e7/0x2d0 [ 151.242086][ T5333] ? nf_tcp_handle_invalid+0x650/0x650 [ 151.247564][ T5333] ? panic+0x770/0x770 [ 151.251649][ T5333] ? kobject_uevent_env+0x54e/0x8e0 [ 151.256866][ T5333] gfs2_withdraw+0xf48/0x1550 [ 151.261569][ T5333] ? gfs2_lm+0x240/0x240 [ 151.265830][ T5333] ? gfs2_dirent_scan+0xb2/0x640 [ 151.270794][ T5333] ? panic+0x770/0x770 [ 151.274878][ T5333] ? gfs2_consist_inode_i+0xf5/0x110 [ 151.280182][ T5333] gfs2_dirent_scan+0x512/0x640 [ 151.285043][ T5333] ? gfs2_permission+0x268/0x3c0 [ 151.290011][ T5333] ? gfs2_dirent_search+0x8c0/0x8c0 [ 151.295227][ T5333] gfs2_dirent_search+0x30e/0x8c0 [ 151.300267][ T5333] ? gfs2_dirent_search+0x8c0/0x8c0 [ 151.305476][ T5333] ? generic_permission+0x1df/0x550 [ 151.310686][ T5333] ? gfs2_dir_search+0x2f0/0x2f0 [ 151.315637][ T5333] ? gfs2_permission+0x34a/0x3c0 [ 151.320607][ T5333] gfs2_dir_search+0xb2/0x2f0 [ 151.325302][ T5333] ? do_filldir_main+0x520/0x520 [ 151.330253][ T5333] ? inode_go_held+0xea/0x200 [ 151.334941][ T5333] ? gfs2_glock_wait+0x21a/0x2b0 [ 151.339897][ T5333] gfs2_lookupi+0x460/0x5d0 [ 151.344423][ T5333] ? gfs2_lookup_simple+0x180/0x180 [ 151.349642][ T5333] ? __gfs2_lookup+0xa4/0x270 [ 151.354329][ T5333] ? d_alloc_parallel+0x1262/0x13a0 [ 151.359544][ T5333] __gfs2_lookup+0xa4/0x270 [ 151.364065][ T5333] ? gfs2_atomic_open+0x230/0x230 [ 151.369109][ T5333] ? __init_waitqueue_head+0xae/0x150 [ 151.374503][ T5333] __lookup_slow+0x282/0x3e0 [ 151.379119][ T5333] ? lookup_one_len+0x2d0/0x2d0 [ 151.383990][ T5333] ? down_read+0x1b5/0x2f0 [ 151.388425][ T5333] lookup_slow+0x53/0x70 [ 151.392680][ T5333] link_path_walk+0x9c8/0xe70 [ 151.397403][ T5333] ? handle_lookup_down+0x130/0x130 [ 151.402631][ T5333] ? lockdep_hardirqs_on+0x98/0x140 [ 151.407840][ T5333] path_lookupat+0xa9/0x450 [ 151.412358][ T5333] do_o_path+0x95/0x230 [ 151.416527][ T5333] ? do_tmpfile+0x330/0x330 [ 151.421063][ T5333] ? __alloc_file+0x15a/0x230 [ 151.425848][ T5333] path_openat+0x29f0/0x3170 [ 151.430455][ T5333] ? __stack_depot_save+0x20/0x650 [ 151.435581][ T5333] ? __lock_acquire+0x1295/0x2000 [ 151.440641][ T5333] ? mark_lock+0x9a/0x340 [ 151.444986][ T5333] ? kmem_cache_alloc+0x11f/0x2e0 [ 151.450020][ T5333] ? mark_lock+0x9a/0x340 [ 151.454368][ T5333] ? __lock_acquire+0x1295/0x2000 [ 151.459406][ T5333] ? do_filp_open+0x490/0x490 [ 151.464196][ T5333] do_filp_open+0x234/0x490 [ 151.468744][ T5333] ? vfs_tmpfile+0x4a0/0x4a0 [ 151.473418][ T5333] ? _raw_spin_unlock+0x28/0x40 [ 151.478305][ T5333] ? alloc_fd+0x59c/0x640 [ 151.482688][ T5333] do_sys_openat2+0x13f/0x500 [ 151.487396][ T5333] ? print_irqtrace_events+0x220/0x220 [ 151.492885][ T5333] ? do_sys_open+0x230/0x230 [ 151.497501][ T5333] ? lockdep_hardirqs_on+0x98/0x140 [ 151.502719][ T5333] ? _raw_spin_unlock_irq+0x2e/0x50 [ 151.507965][ T5333] ? ptrace_notify+0x278/0x380 [ 151.512774][ T5333] __x64_sys_openat+0x247/0x290 [ 151.517671][ T5333] ? __ia32_sys_open+0x270/0x270 [ 151.522634][ T5333] ? syscall_enter_from_user_mode+0x32/0x230 [ 151.528632][ T5333] ? syscall_enter_from_user_mode+0x8c/0x230 [ 151.534629][ T5333] do_syscall_64+0x41/0xc0 [ 151.539152][ T5333] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 151.545072][ T5333] RIP: 0033:0x7f0100724159 [ 151.549500][ T5333] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 151.569120][ T5333] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 151.577548][ T5333] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 151.585528][ T5333] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [pid 5332] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5332] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5332] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5335], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5335 [pid 5332] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5332] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5333] <... openat resumed>) = -1 EIO (Input/output error) [pid 5333] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5333] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 5335 attached [pid 5335] set_robust_list(0x7f00f92a79e0, 24) = 0 [pid 5335] openat(AT_FDCWD, "./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5335] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000 [pid 5332] <... futex resumed>) = 0 [pid 5332] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5333] <... futex resumed>) = 0 [pid 5332] <... futex resumed>) = 1 [pid 5333] ioctl(0, VFAT_IOCTL_READDIR_SHORT [pid 5332] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5333] <... ioctl resumed>, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5333] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5332] <... futex resumed>) = 0 [pid 5333] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5332] exit_group(0 [pid 5333] <... futex resumed>) = ? [pid 5332] <... exit_group resumed>) = ? [pid 5333] +++ exited with 0 +++ [pid 5335] <... futex resumed>) = ? [pid 5335] +++ exited with 0 +++ [pid 5332] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5332, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./77", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./77", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555565eb620 /* 4 entries */, 32768) = 112 umount2("./77/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./77/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./77/binderfs") = 0 [ 151.593598][ T5333] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [ 151.601577][ T5333] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 151.609579][ T5333] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 151.617578][ T5333] umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./77/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./77/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555565f3660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555565f3660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./77/file0") = 0 getdents64(3, 0x5555565eb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./77") = 0 mkdir("./78", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555565ea5d0) = 5336 ./strace-static-x86_64: Process 5336 attached [pid 5336] set_robust_list(0x5555565ea5e0, 24) = 0 [pid 5336] chdir("./78") = 0 [pid 5336] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5336] setpgid(0, 0) = 0 [pid 5336] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5336] write(3, "1000", 4) = 4 [pid 5336] close(3) = 0 [pid 5336] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5336] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5336] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f01006a8000 [pid 5336] mprotect(0x7f01006a9000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5336] clone(child_stack=0x7f01006c83f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5337], tls=0x7f01006c8700, child_tidptr=0x7f01006c89d0) = 5337 [pid 5336] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5336] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5337 attached [pid 5337] set_robust_list(0x7f01006c89e0, 24) = 0 [pid 5337] memfd_create("syzkaller", 0) = 3 [pid 5337] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00f82a8000 [pid 5337] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5337] munmap(0x7f00f82a8000, 16777216) = 0 [pid 5337] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5337] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5337] close(3) = 0 [pid 5337] mkdir("./file0", 0777) = 0 [ 152.007582][ T5337] loop0: detected capacity change from 0 to 32768 [ 152.018747][ T5337] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 152.026966][ T5337] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 152.037503][ T5337] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 152.046175][ T901] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 152.053216][ T901] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5337] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5337] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5337] chdir("./file0") = 0 [pid 5337] ioctl(4, LOOP_CLR_FD) = 0 [pid 5337] close(4) = 0 [pid 5337] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5337] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5336] <... futex resumed>) = 0 [pid 5336] futex(0x7f01007b3788, FUTEX_WAKE_PRIVATE, 1000000 [pid 5337] <... futex resumed>) = 0 [pid 5336] <... futex resumed>) = 1 [pid 5336] futex(0x7f01007b378c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 152.090998][ T901] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 152.100285][ T901] gfs2: fsid=syz:syz.0: jid=0: Done [ 152.105575][ T5337] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5337] openat(AT_FDCWD, "./cgroup.cpu/syz1", O_RDWR|O_PATH [pid 5336] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5336] futex(0x7f01007b379c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5336] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9287000 [pid 5336] mprotect(0x7f00f9288000, 131072, PROT_READ|PROT_WRITE) = 0 [ 152.134676][ T5337] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 152.143535][ T5337] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 152.143535][ T5337] inode = 12 2341 [ 152.143535][ T5337] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 152.162864][ T5337] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 152.172459][ T5337] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5337 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5336] clone(child_stack=0x7f00f92a73f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5339], tls=0x7f00f92a7700, child_tidptr=0x7f00f92a79d0) = 5339 [pid 5336] futex(0x7f01007b3798, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5336] futex(0x7f01007b379c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5339 attached [pid 5339] set_robust_list(0x7f00f92a79e0, 24) = 0 [ 152.182805][ T5337] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 152.190199][ T5339] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 152.192362][ T5337] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 152.200083][ T5339] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 152.207138][ T5337] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 152.216463][ T5339] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5337 [syz-executor173] __gfs2_lookup+0xa4/0x270 [pid 5339] openat(AT_FDCWD, "./file0", O_RDONLY [pid 5336] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5336] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5336] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f00f9266000 [pid 5336] mprotect(0x7f00f9267000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5336] clone(child_stack=0x7f00f92863f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5340], tls=0x7f00f9286700, child_tidptr=0x7f00f92869d0) = 5340 [pid 5336] futex(0x7f01007b37a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 152.225389][ T5337] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 152.241679][ T5337] gfs2: fsid=syz:syz.0: File system withdrawn [ 152.248242][ T5337] CPU: 1 PID: 5337 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 152.258692][ T5337] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 152.268759][ T5337] Call Trace: [ 152.272045][ T5337] [ 152.274984][ T5337] dump_stack_lvl+0x1e7/0x2d0 [ 152.279690][ T5337] ? nf_tcp_handle_invalid+0x650/0x650 [ 152.285164][ T5337] ? panic+0x770/0x770 [ 152.289244][ T5337] ? kobject_uevent_env+0x54e/0x8e0 [ 152.294470][ T5337] gfs2_withdraw+0xf48/0x1550 [ 152.299180][ T5337] ? gfs2_lm+0x240/0x240 [ 152.303438][ T5337] ? gfs2_dirent_scan+0xb2/0x640 [ 152.308390][ T5337] ? panic+0x770/0x770 [ 152.312478][ T5337] ? gfs2_consist_inode_i+0xf5/0x110 [ 152.317783][ T5337] gfs2_dirent_scan+0x512/0x640 [ 152.322668][ T5337] ? gfs2_permission+0x268/0x3c0 [ 152.327625][ T5337] ? gfs2_dirent_search+0x8c0/0x8c0 [ 152.332840][ T5337] gfs2_dirent_search+0x30e/0x8c0 [ 152.337878][ T5337] ? gfs2_dirent_search+0x8c0/0x8c0 [ 152.343088][ T5337] ? generic_permission+0x1df/0x550 [ 152.348296][ T5337] ? gfs2_dir_search+0x2f0/0x2f0 [ 152.353336][ T5337] ? gfs2_permission+0x34a/0x3c0 [ 152.358476][ T5337] gfs2_dir_search+0xb2/0x2f0 [ 152.363183][ T5337] ? do_filldir_main+0x520/0x520 [ 152.368133][ T5337] ? inode_go_held+0xea/0x200 [ 152.372822][ T5337] ? gfs2_glock_wait+0x21a/0x2b0 [ 152.377780][ T5337] gfs2_lookupi+0x460/0x5d0 [ 152.382307][ T5337] ? gfs2_lookup_simple+0x180/0x180 [ 152.387526][ T5337] ? __gfs2_lookup+0xa4/0x270 [ 152.392212][ T5337] ? d_alloc_parallel+0x1262/0x13a0 [ 152.397429][ T5337] __gfs2_lookup+0xa4/0x270 [ 152.401948][ T5337] ? gfs2_atomic_open+0x230/0x230 [ 152.406997][ T5337] ? __init_waitqueue_head+0xae/0x150 [ 152.412388][ T5337] __lookup_slow+0x282/0x3e0 [ 152.416990][ T5337] ? lookup_one_len+0x2d0/0x2d0 [ 152.421861][ T5337] ? down_read+0x1b5/0x2f0 [ 152.426301][ T5337] lookup_slow+0x53/0x70 [ 152.430558][ T5337] link_path_walk+0x9c8/0xe70 [ 152.435264][ T5337] ? handle_lookup_down+0x130/0x130 [ 152.440485][ T5337] ? lockdep_hardirqs_on+0x98/0x140 [ 152.445721][ T5337] path_lookupat+0xa9/0x450 [ 152.450239][ T5337] do_o_path+0x95/0x230 [ 152.454411][ T5337] ? do_tmpfile+0x330/0x330 [ 152.458933][ T5337] ? __alloc_file+0x15a/0x230 [ 152.463630][ T5337] path_openat+0x29f0/0x3170 [ 152.468241][ T5337] ? __stack_depot_save+0x20/0x650 [ 152.473384][ T5337] ? mark_lock+0x9a/0x340 [ 152.477735][ T5337] ? kmem_cache_alloc+0x11f/0x2e0 [ 152.482826][ T5337] ? mark_lock+0x9a/0x340 [ 152.487178][ T5337] ? __lock_acquire+0x1295/0x2000 [ 152.492221][ T5337] ? do_filp_open+0x490/0x490 [ 152.496956][ T5337] do_filp_open+0x234/0x490 [ 152.501471][ T5337] ? vfs_tmpfile+0x4a0/0x4a0 [ 152.506090][ T5337] ? _raw_spin_unlock+0x28/0x40 [ 152.510953][ T5337] ? alloc_fd+0x59c/0x640 [ 152.515324][ T5337] do_sys_openat2+0x13f/0x500 [ 152.520015][ T5337] ? print_irqtrace_events+0x220/0x220 [ 152.525495][ T5337] ? do_sys_open+0x230/0x230 [ 152.530105][ T5337] ? lockdep_hardirqs_on+0x98/0x140 [ 152.535314][ T5337] ? _raw_spin_unlock_irq+0x2e/0x50 [ 152.540520][ T5337] ? ptrace_notify+0x278/0x380 [ 152.545299][ T5337] __x64_sys_openat+0x247/0x290 [ 152.550169][ T5337] ? __ia32_sys_open+0x270/0x270 [ 152.555126][ T5337] ? syscall_enter_from_user_mode+0x32/0x230 [ 152.561124][ T5337] ? syscall_enter_from_user_mode+0x8c/0x230 [ 152.567118][ T5337] do_syscall_64+0x41/0xc0 [ 152.571565][ T5337] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 152.577469][ T5337] RIP: 0033:0x7f0100724159 [ 152.581897][ T5337] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 152.601517][ T5337] RSP: 002b:00007f01006c8318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 152.609950][ T5337] RAX: ffffffffffffffda RBX: 00007f01007b3788 RCX: 00007f0100724159 [ 152.617938][ T5337] RDX: 0000000000200002 RSI: 00000000200001c0 RDI: ffffffffffffff9c [ 152.625921][ T5337] RBP: 00007f01007b3780 R08: 0000000000000000 R09: 0000000000000000 [pid 5336] futex(0x7f01007b37ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5340 attached [pid 5337] <... openat resumed>) = -1 EIO (Input/output error) [pid 5337] futex(0x7f01007b378c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5340] set_robust_list(0x7f00f92869e0, 24 [pid 5337] futex(0x7f01007b3788, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5340] <... set_robust_list resumed>) = 0 [pid 5340] ioctl(0, VFAT_IOCTL_READDIR_SHORT, 0) = -1 ENOTTY (Inappropriate ioctl for device) [pid 5340] futex(0x7f01007b37ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5340] futex(0x7f01007b37a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5336] <... futex resumed>) = 0 [ 152.633929][ T5337] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 152.641918][ T5337] R13: 00007ffd22ca6a7f R14: 00007f01006c8400 R15: 0000000000022000 [ 152.649922][ T5337] [ 152.661333][ T5339] general protection fault, probably for non-canonical address 0xdffffc000000041a: 0000 [#1] PREEMPT SMP KASAN [ 152.673107][ T5339] KASAN: probably user-memory-access in range [0x00000000000020d0-0x00000000000020d7] [ 152.682652][ T5339] CPU: 0 PID: 5339 Comm: syz-executor173 Not tainted 6.4.0-rc3-syzkaller-00004-g421ca22e3138 #0 [ 152.693070][ T5339] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023 [ 152.703141][ T5339] RIP: 0010:gfs2_dump_glock+0xe85/0x1ad0 [ 152.708789][ T5339] Code: e8 70 dd 2e fe 48 8b 1b 48 85 db 74 2e e8 43 09 d7 fd 4c 8d bb d0 00 00 00 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <0f> b6 04 08 84 c0 0f 85 30 08 00 00 45 8b 3f eb 08 e8 15 09 d7 fd [ 152.728398][ T5339] RSP: 0018:ffffc9000436f140 EFLAGS: 00010202 [ 152.734473][ T5339] RAX: 000000000000041a RBX: 0000000000002001 RCX: dffffc0000000000 [ 152.742453][ T5339] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 152.750423][ T5339] RBP: ffffc9000436f430 R08: ffffffff83b472de R09: fffffbfff206504d [ 152.758404][ T5339] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88807ef63b80 [ 152.766374][ T5339] R13: 1ffff1100fdec774 R14: ffff88807ef63ba0 R15: 00000000000020d1 [ 152.774365][ T5339] FS: 00007f00f92a7700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 [ 152.783304][ T5339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 152.789902][ T5339] CR2: 00007f010075f910 CR3: 00000000286c0000 CR4: 00000000003506f0 [ 152.797879][ T5339] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 152.805859][ T5339] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 152.813859][ T5339] Call Trace: [ 152.817257][ T5339] [ 152.820214][ T5339] ? gfs2_glock_free+0xe60/0xe60 [ 152.825177][ T5339] ? preempt_schedule+0xdd/0xf0 [ 152.830136][ T5339] ? gfs2_dirent_scan+0xb2/0x640 [ 152.835093][ T5339] ? panic+0x770/0x770 [ 152.839162][ T5339] gfs2_consist_inode_i+0xf5/0x110 [ 152.844277][ T5339] gfs2_dirent_scan+0x512/0x640 [ 152.849139][ T5339] ? gfs2_permission+0x268/0x3c0 [ 152.854082][ T5339] ? gfs2_dirent_search+0x8c0/0x8c0 [ 152.859292][ T5339] gfs2_dirent_search+0x30e/0x8c0 [ 152.864317][ T5339] ? gfs2_dirent_search+0x8c0/0x8c0 [ 152.869517][ T5339] ? generic_permission+0x1df/0x550 [ 152.874745][ T5339] ? gfs2_dir_search+0x2f0/0x2f0 [ 152.879704][ T5339] ? gfs2_permission+0x34a/0x3c0 [ 152.884648][ T5339] gfs2_dir_search+0xb2/0x2f0 [ 152.889343][ T5339] ? do_filldir_main+0x520/0x520 [ 152.894287][ T5339] ? inode_go_held+0xea/0x200 [ 152.898969][ T5339] ? gfs2_glock_wait+0x21a/0x2b0 [ 152.903925][ T5339] gfs2_lookupi+0x460/0x5d0 [ 152.908452][ T5339] ? gfs2_lookup_simple+0x180/0x180 [ 152.913656][ T5339] ? __gfs2_lookup+0xa4/0x270 [ 152.918332][ T5339] __gfs2_lookup+0xa4/0x270 [ 152.922830][ T5339] ? gfs2_atomic_open+0x230/0x230 [ 152.927851][ T5339] ? __d_lookup+0x675/0x730 [ 152.932364][ T5339] ? d_hash_and_lookup+0x1b0/0x1b0 [ 152.937478][ T5339] gfs2_atomic_open+0x9e/0x230 [ 152.942241][ T5339] path_openat+0x103c/0x3170 [ 152.946841][ T5339] ? gfs2_rename2+0x25a0/0x25a0 [ 152.951695][ T5339] ? do_filp_open+0x490/0x490 [ 152.956389][ T5339] do_filp_open+0x234/0x490 [ 152.960892][ T5339] ? vfs_tmpfile+0x4a0/0x4a0 [ 152.965489][ T5339] ? _raw_spin_unlock+0x28/0x40 [ 152.970352][ T5339] ? alloc_fd+0x59c/0x640 [ 152.974693][ T5339] do_sys_openat2+0x13f/0x500 [ 152.979375][ T5339] ? print_irqtrace_events+0x220/0x220 [ 152.984835][ T5339] ? do_sys_open+0x230/0x230 [ 152.989429][ T5339] ? lockdep_hardirqs_on+0x98/0x140 [ 152.994625][ T5339] ? _raw_spin_unlock_irq+0x2e/0x50 [ 152.999819][ T5339] ? ptrace_notify+0x278/0x380 [ 153.004584][ T5339] __x64_sys_openat+0x247/0x290 [ 153.009441][ T5339] ? __ia32_sys_open+0x270/0x270 [ 153.014380][ T5339] ? syscall_enter_from_user_mode+0x32/0x230 [ 153.020363][ T5339] ? syscall_enter_from_user_mode+0x8c/0x230 [ 153.026355][ T5339] do_syscall_64+0x41/0xc0 [ 153.030777][ T5339] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 153.036679][ T5339] RIP: 0033:0x7f0100724159 [ 153.041177][ T5339] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 153.060868][ T5339] RSP: 002b:00007f00f92a7318 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 153.069286][ T5339] RAX: ffffffffffffffda RBX: 00007f01007b3798 RCX: 00007f0100724159 [ 153.077257][ T5339] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 00000000ffffff9c [ 153.085222][ T5339] RBP: 00007f01007b3790 R08: 00007f00f92a7700 R09: 0000000000000000 [ 153.093190][ T5339] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 153.101158][ T5339] R13: 00007ffd22ca6a7f R14: 00007f00f92a7400 R15: 0000000000022000 [ 153.109132][ T5339] [ 153.112157][ T5339] Modules linked in: [ 153.117164][ T5339] ---[ end trace 0000000000000000 ]--- [ 153.122905][ T5339] RIP: 0010:gfs2_dump_glock+0xe85/0x1ad0 [ 153.128851][ T5339] Code: e8 70 dd 2e fe 48 8b 1b 48 85 db 74 2e e8 43 09 d7 fd 4c 8d bb d0 00 00 00 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <0f> b6 04 08 84 c0 0f 85 30 08 00 00 45 8b 3f eb 08 e8 15 09 d7 fd [ 153.148694][ T5339] RSP: 0018:ffffc9000436f140 EFLAGS: 00010202 [ 153.154783][ T5339] RAX: 000000000000041a RBX: 0000000000002001 RCX: dffffc0000000000 [ 153.163007][ T5339] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 153.171279][ T5339] RBP: ffffc9000436f430 R08: ffffffff83b472de R09: fffffbfff206504d [ 153.179324][ T5339] R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88807ef63b80 [ 153.187336][ T5339] R13: 1ffff1100fdec774 R14: ffff88807ef63ba0 R15: 00000000000020d1 [ 153.195308][ T5339] FS: 00007f00f92a7700(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 [ 153.204296][ T5339] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 153.210934][ T5339] CR2: 00007f00f92a7000 CR3: 00000000286c0000 CR4: 00000000003506e0 [ 153.218959][ T5339] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 153.226968][ T5339] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 153.235044][ T5339] Kernel panic - not syncing: Fatal exception [ 153.241397][ T5339] Kernel Offset: disabled [ 153.245753][ T5339] Rebooting in 86400 seconds..