./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4277499243

<...>
Warning: Permanently added '10.128.1.97' (ECDSA) to the list of known hosts.
execve("./syz-executor4277499243", ["./syz-executor4277499243"], 0x7ffc120f3580 /* 10 vars */) = 0
brk(NULL)                               = 0x555556732000
brk(0x555556732c40)                     = 0x555556732c40
arch_prctl(ARCH_SET_FS, 0x555556732300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor4277499243", 4096) = 28
brk(0x555556753c40)                     = 0x555556753c40
brk(0x555556754000)                     = 0x555556754000
mprotect(0x7f63217ed000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
getpid()                                = 5068
mkdir("./syzkaller.rrMiXp", 0700)       = 0
chmod("./syzkaller.rrMiXp", 0777)       = 0
chdir("./syzkaller.rrMiXp")             = 0
mkdir("./0", 0777)                      = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR)  = 3
ioctl(3, LOOP_CLR_FD)                   = -1 ENXIO (No such device or address)
close(3)                                = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555567325d0) = 5069
./strace-static-x86_64: Process 5069 attached
[pid  5069] chdir("./0")                = 0
[pid  5069] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5069] setpgid(0, 0)               = 0
[pid  5069] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5069] write(3, "1000", 4)         = 4
[pid  5069] close(3)                    = 0
[pid  5069] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5069] memfd_create("syzkaller", 0) = 3
[pid  5069] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6319320000
[pid  5069] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\x5c\xdb\x3c\x27\x8b\x67\x89\x70\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 7781212) = 7781212
[pid  5069] munmap(0x7f6319320000, 7781212) = 0
[pid  5069] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid  5069] ioctl(4, LOOP_SET_FD, 3)    = 0
[pid  5069] close(3)                    = 0
[pid  5069] mkdir("./file0", 0777)      = 0
[pid  5069] mount("/dev/loop0", "./file0", "ntfs3", MS_DIRSYNC|MS_POSIXACL|MS_RELATIME, "") = 0
[pid  5069] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid  5069] chdir("./file0")            = 0
[pid  5069] ioctl(4, LOOP_CLR_FD)       = 0
[pid  5069] close(4)                    = 0
[pid  5069] exit_group(0)               = ?
[pid  5069] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5069, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=7 /* 0.07 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x555556733620 /* 4 entries */, 32768) = 112
umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./0/binderfs")                  = 0
[   51.104106][ T5069] loop0: detected capacity change from 0 to 15197
[   51.114722][ T5069] ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x55555673b660 /* 2 entries */, 32768) = 48
getdents64(4, 0x55555673b660 /* 0 entries */, 32768) = 0
close(4)                                = 0
rmdir("./0/file0")                      = 0
getdents64(3, 0x555556733620 /* 0 entries */, 32768) = 0
close(3)                                = 0
rmdir("./0")                            = 0
mkdir("./1", 0777)                      = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR)  = 3
ioctl(3, LOOP_CLR_FD)                   = -1 ENXIO (No such device or address)
close(3)                                = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555567325d0) = 5071
./strace-static-x86_64: Process 5071 attached
[pid  5071] chdir("./1")                = 0
[pid  5071] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5071] setpgid(0, 0)               = 0
[pid  5071] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5071] write(3, "1000", 4)         = 4
[pid  5071] close(3)                    = 0
[pid  5071] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5071] memfd_create("syzkaller", 0) = 3
[pid  5071] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6319320000
[pid  5071] write(3, "\xeb\x52\x90\x4e\x54\x46\x53\x20\x20\x20\x20\x00\x04\x40\x00\x00\x00\x00\x00\x00\x00\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x80\x00\xff\x07\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00\x00\x00\x00\xf6\x00\x00\x00\xf4\x00\x00\x00\x5c\xdb\x3c\x27\x8b\x67\x89\x70\x00\x00\x00\x00\x0e\x1f\xbe\x71\x7c\xac\x22\xc0\x74\x0b\x56\xb4\x0e\xbb\x07\x00"..., 7781212) = 7781212
[pid  5071] munmap(0x7f6319320000, 7781212) = 0
[pid  5071] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid  5071] ioctl(4, LOOP_SET_FD, 3)    = 0
[pid  5071] close(3)                    = 0
[pid  5071] mkdir("./file0", 0777)      = 0
[   51.280233][ T5071] loop0: detected capacity change from 0 to 15197
[   51.289288][ T5071] ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512)
[   51.307945][ T5071] ==================================================================
[   51.316017][ T5071] BUG: KASAN: use-after-free in mi_enum_attr+0x583/0x6a0
[   51.323028][ T5071] Read of size 4 at addr ffff88817bdb888d by task syz-executor427/5071
[   51.331244][ T5071] 
[   51.333553][ T5071] CPU: 0 PID: 5071 Comm: syz-executor427 Not tainted 6.1.0-syzkaller-13139-gf9ff5644bcc0 #0
[   51.343602][ T5071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   51.353645][ T5071] Call Trace:
[   51.356914][ T5071]  <TASK>
[   51.359825][ T5071]  dump_stack_lvl+0x1b1/0x290
[   51.364498][ T5071]  ? nf_tcp_handle_invalid+0x630/0x630
[   51.369939][ T5071]  ? __wake_up_klogd+0xcd/0x100
[   51.374774][ T5071]  ? panic+0x710/0x710
[   51.378828][ T5071]  ? _printk+0xc0/0x100
[   51.382986][ T5071]  ? _raw_spin_lock_irqsave+0x8e/0x100
[   51.388430][ T5071]  print_address_description+0x74/0x340
[   51.393970][ T5071]  print_report+0x107/0x1f0
[   51.398463][ T5071]  ? __virt_addr_valid+0x21b/0x2d0
[   51.403560][ T5071]  ? __phys_addr+0xb5/0x160
[   51.408046][ T5071]  ? mi_enum_attr+0x583/0x6a0
[   51.412709][ T5071]  kasan_report+0xcd/0x100
[   51.417112][ T5071]  ? mi_enum_attr+0x583/0x6a0
[   51.421776][ T5071]  mi_enum_attr+0x583/0x6a0
[   51.426263][ T5071]  ni_enum_attr_ex+0x2f6/0x6d0
[   51.431011][ T5071]  ? ni_find_attr+0x8c0/0x8c0
[   51.435667][ T5071]  ? ntfs_cmp_names_cpu+0x478/0x4f0
[   51.440847][ T5071]  ntfs_iget5+0x1d3e/0x36f0
[   51.445335][ T5071]  ? dir_search_u+0x111/0x320
[   51.450005][ T5071]  ? fs_reclaim_acquire+0xaa/0x120
[   51.455106][ T5071]  ? check_index_root+0x680/0x680
[   51.460114][ T5071]  ? rcu_read_lock_sched_held+0x87/0x110
[   51.465735][ T5071]  ? __bpf_trace_rcu_stall_warning+0x10/0x10
[   51.471701][ T5071]  dir_search_u+0x2aa/0x320
[   51.476188][ T5071]  ? ntfs_nls_to_utf16+0xcb0/0xcb0
[   51.481285][ T5071]  ? evict+0x5d5/0x620
[   51.485338][ T5071]  ntfs_extend_init+0x315/0x5a0
[   51.490194][ T5071]  ? __destroy_inode+0x453/0x5e0
[   51.495139][ T5071]  ? ntfs_fix_post_read+0x750/0x750
[   51.500332][ T5071]  ? evict+0x5d5/0x620
[   51.504391][ T5071]  ntfs_fill_super+0x3ff4/0x4370
[   51.509332][ T5071]  ? put_ntfs+0x2a0/0x2a0
[   51.513659][ T5071]  ? set_blocksize+0x1ec/0x390
[   51.518417][ T5071]  ? sb_set_blocksize+0x95/0xf0
[   51.523261][ T5071]  get_tree_bdev+0x400/0x620
[   51.527839][ T5071]  ? put_ntfs+0x2a0/0x2a0
[   51.532156][ T5071]  vfs_get_tree+0x88/0x270
[   51.536554][ T5071]  do_new_mount+0x289/0xad0
[   51.541039][ T5071]  ? do_move_mount_old+0x150/0x150
[   51.546133][ T5071]  ? user_path_at_empty+0x149/0x1a0
[   51.551320][ T5071]  __se_sys_mount+0x2d3/0x3c0
[   51.555977][ T5071]  ? __x64_sys_mount+0xc0/0xc0
[   51.560723][ T5071]  ? syscall_enter_from_user_mode+0x2e/0x1d0
[   51.566691][ T5071]  ? __x64_sys_mount+0x1c/0xc0
[   51.571439][ T5071]  do_syscall_64+0x3d/0xb0
[   51.575839][ T5071]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   51.581714][ T5071] RIP: 0033:0x7f632176ed0a
[   51.586114][ T5071] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   51.605699][ T5071] RSP: 002b:00007fff511dd7b8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   51.614093][ T5071] RAX: ffffffffffffffda RBX: 00005555567322c0 RCX: 00007f632176ed0a
[   51.622047][ T5071] RDX: 000000002001f800 RSI: 0000000020000000 RDI: 00007fff511dd800
[   51.629998][ T5071] RBP: 0000000000000000 R08: 00007fff511dd840 R09: 0000000000012293
[   51.637949][ T5071] R10: 0000000000210080 R11: 0000000000000286 R12: 0000000000000004
[   51.645902][ T5071] R13: 00007fff511dd840 R14: 0000000000000003 R15: 00007fff511dd800
[   51.653860][ T5071]  </TASK>
[   51.656860][ T5071] 
[   51.659166][ T5071] The buggy address belongs to the physical page:
[   51.665555][ T5071] page:ffffea0005ef6e00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17bdb8
[   51.675767][ T5071] flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
[   51.682963][ T5071] raw: 057ff00000000000 ffffea0005ef6e08 ffffea0005ef6e08 0000000000000000
[   51.691531][ T5071] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   51.700095][ T5071] page dumped because: kasan: bad access detected
[   51.706504][ T5071] page_owner info is not present (never set?)
[   51.712550][ T5071] 
[   51.714855][ T5071] Memory state around the buggy address:
[   51.720465][ T5071]  ffff88817bdb8780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   51.728517][ T5071]  ffff88817bdb8800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   51.736559][ T5071] >ffff88817bdb8880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   51.744596][ T5071]                       ^
[   51.748901][ T5071]  ffff88817bdb8900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   51.756941][ T5071]  ffff88817bdb8980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   51.764981][ T5071] ==================================================================
[   51.776400][ T5071] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   51.783594][ T5071] CPU: 0 PID: 5071 Comm: syz-executor427 Not tainted 6.1.0-syzkaller-13139-gf9ff5644bcc0 #0
[   51.793636][ T5071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   51.803669][ T5071] Call Trace:
[   51.806931][ T5071]  <TASK>
[   51.809845][ T5071]  dump_stack_lvl+0x1b1/0x290
[   51.814513][ T5071]  ? nf_tcp_handle_invalid+0x630/0x630
[   51.819956][ T5071]  ? panic+0x710/0x710
[   51.824011][ T5071]  ? lock_release+0x81/0x820
[   51.828587][ T5071]  ? vscnprintf+0x59/0x80
[   51.832903][ T5071]  panic+0x2d6/0x710
[   51.836783][ T5071]  ? asm_sysvec_apic_timer_interrupt+0x16/0x20
[   51.842920][ T5071]  ? check_panic_on_warn+0x1d/0xa0
[   51.848016][ T5071]  ? memcpy_page_flushcache+0x100/0x100
[   51.853545][ T5071]  ? _raw_spin_unlock_irqrestore+0x110/0x120
[   51.859512][ T5071]  ? _raw_spin_unlock+0x40/0x40
[   51.864342][ T5071]  ? print_report+0x1b4/0x1f0
[   51.869004][ T5071]  check_panic_on_warn+0x80/0xa0
[   51.873922][ T5071]  ? mi_enum_attr+0x583/0x6a0
[   51.878581][ T5071]  end_report+0x47/0x90
[   51.882721][ T5071]  kasan_report+0xda/0x100
[   51.887121][ T5071]  ? mi_enum_attr+0x583/0x6a0
[   51.891784][ T5071]  mi_enum_attr+0x583/0x6a0
[   51.896274][ T5071]  ni_enum_attr_ex+0x2f6/0x6d0
[   51.901021][ T5071]  ? ni_find_attr+0x8c0/0x8c0
[   51.905678][ T5071]  ? ntfs_cmp_names_cpu+0x478/0x4f0
[   51.910859][ T5071]  ntfs_iget5+0x1d3e/0x36f0
[   51.915348][ T5071]  ? dir_search_u+0x111/0x320
[   51.920009][ T5071]  ? fs_reclaim_acquire+0xaa/0x120
[   51.925108][ T5071]  ? check_index_root+0x680/0x680
[   51.930114][ T5071]  ? rcu_read_lock_sched_held+0x87/0x110
[   51.935728][ T5071]  ? __bpf_trace_rcu_stall_warning+0x10/0x10
[   51.941692][ T5071]  dir_search_u+0x2aa/0x320
[   51.946181][ T5071]  ? ntfs_nls_to_utf16+0xcb0/0xcb0
[   51.951278][ T5071]  ? evict+0x5d5/0x620
[   51.955330][ T5071]  ntfs_extend_init+0x315/0x5a0
[   51.960164][ T5071]  ? __destroy_inode+0x453/0x5e0
[   51.965082][ T5071]  ? ntfs_fix_post_read+0x750/0x750
[   51.970266][ T5071]  ? evict+0x5d5/0x620
[   51.974318][ T5071]  ntfs_fill_super+0x3ff4/0x4370
[   51.979249][ T5071]  ? put_ntfs+0x2a0/0x2a0
[   51.983567][ T5071]  ? set_blocksize+0x1ec/0x390
[   51.988313][ T5071]  ? sb_set_blocksize+0x95/0xf0
[   51.993144][ T5071]  get_tree_bdev+0x400/0x620
[   51.997718][ T5071]  ? put_ntfs+0x2a0/0x2a0
[   52.002033][ T5071]  vfs_get_tree+0x88/0x270
[   52.006431][ T5071]  do_new_mount+0x289/0xad0
[   52.010915][ T5071]  ? do_move_mount_old+0x150/0x150
[   52.016010][ T5071]  ? user_path_at_empty+0x149/0x1a0
[   52.021191][ T5071]  __se_sys_mount+0x2d3/0x3c0
[   52.025850][ T5071]  ? __x64_sys_mount+0xc0/0xc0
[   52.030594][ T5071]  ? syscall_enter_from_user_mode+0x2e/0x1d0
[   52.036562][ T5071]  ? __x64_sys_mount+0x1c/0xc0
[   52.041306][ T5071]  do_syscall_64+0x3d/0xb0
[   52.045705][ T5071]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   52.051581][ T5071] RIP: 0033:0x7f632176ed0a
[   52.055979][ T5071] Code: 48 c7 c2 c0 ff ff ff f7 d8 64 89 02 b8 ff ff ff ff eb d2 e8 a8 00 00 00 0f 1f 84 00 00 00 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   52.075569][ T5071] RSP: 002b:00007fff511dd7b8 EFLAGS: 00000286 ORIG_RAX: 00000000000000a5
[   52.083964][ T5071] RAX: ffffffffffffffda RBX: 00005555567322c0 RCX: 00007f632176ed0a
[   52.091918][ T5071] RDX: 000000002001f800 RSI: 0000000020000000 RDI: 00007fff511dd800
[   52.099872][ T5071] RBP: 0000000000000000 R08: 00007fff511dd840 R09: 0000000000012293
[   52.107822][ T5071] R10: 0000000000210080 R11: 0000000000000286 R12: 0000000000000004
[   52.115775][ T5071] R13: 00007fff511dd840 R14: 0000000000000003 R15: 00007fff511dd800
[   52.123735][ T5071]  </TASK>
[   52.126866][ T5071] Kernel Offset: disabled
[   52.131171][ T5071] Rebooting in 86400 seconds..