./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3876570480
<...>
Warning: Permanently added '10.128.1.29' (ED25519) to the list of known hosts.
execve("./syz-executor3876570480", ["./syz-executor3876570480"], 0x7ffdf1388990 /* 10 vars */) = 0
brk(NULL) = 0x555556952000
brk(0x555556952d00) = 0x555556952d00
arch_prctl(ARCH_SET_FS, 0x555556952380) = 0
set_tid_address(0x555556952650) = 5034
set_robust_list(0x555556952660, 24) = 0
rseq(0x555556952ca0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor3876570480", 4096) = 28
getrandom("\xaf\x05\x73\x1a\x39\x56\x28\xc4", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x555556952d00
brk(0x555556973d00) = 0x555556973d00
brk(0x555556974000) = 0x555556974000
mprotect(0x7f18f3d18000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
mkdir("./syzkaller.5khLCi", 0700) = 0
chmod("./syzkaller.5khLCi", 0777) = 0
chdir("./syzkaller.5khLCi") = 0
mkdir("./0", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5035 attached
, child_tidptr=0x555556952650) = 5035
[pid 5035] set_robust_list(0x555556952660, 24) = 0
[pid 5035] chdir("./0") = 0
[pid 5035] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5035] setpgid(0, 0) = 0
[pid 5035] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5035] write(3, "1000", 4) = 4
[pid 5035] close(3) = 0
[pid 5035] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5035] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5035] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5035] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5035] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5035] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5035] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5035] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5035] write(6, "7", 1) = 1
[ 57.247335][ T5035] FAULT_INJECTION: forcing a failure.
[ 57.247335][ T5035] name failslab, interval 1, probability 0, space 0, times 1
[ 57.260574][ T5035] CPU: 0 PID: 5035 Comm: syz-executor387 Not tainted 6.5.0-syzkaller-04025-g2861f09c1112 #0
[ 57.270666][ T5035] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 57.280984][ T5035] Call Trace:
[ 57.284268][ T5035]
[ 57.287403][ T5035] dump_stack_lvl+0x125/0x1b0
[ 57.292134][ T5035] should_fail_ex+0x496/0x5b0
[ 57.296891][ T5035] should_failslab+0x9/0x20
[ 57.301520][ T5035] __kmem_cache_alloc_node+0x2fd/0x350
[ 57.307120][ T5035] ? tomoyo_supervisor+0x43d/0xea0
[ 57.312287][ T5035] ? common_lsm_audit+0x2210/0x2210
[ 57.317610][ T5035] ? tomoyo_profile+0x47/0x60
[ 57.322487][ T5035] ? tomoyo_supervisor+0x43d/0xea0
[ 57.327740][ T5035] __kmalloc+0x4c/0x100
[ 57.331935][ T5035] tomoyo_supervisor+0x43d/0xea0
[ 57.337007][ T5035] ? tomoyo_profile+0x60/0x60
[ 57.341866][ T5035] ? kasan_set_track+0x25/0x30
[ 57.346751][ T5035] ? tomoyo_check_unix_acl+0xaf/0x120
[ 57.352177][ T5035] ? tomoyo_check_acl+0x1f4/0x410
[ 57.357365][ T5035] tomoyo_unix_entry+0x49b/0x650
[ 57.362332][ T5035] ? tomoyo_check_inet_acl+0x350/0x350
[ 57.367833][ T5035] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 57.373886][ T5035] tomoyo_socket_sendmsg_permission+0x350/0x3c0
[ 57.380151][ T5035] ? tomoyo_socket_bind_permission+0x340/0x340
[ 57.386328][ T5035] ? reacquire_held_locks+0x4b0/0x4b0
[ 57.391755][ T5035] security_socket_sendmsg+0x72/0xb0
[ 57.397338][ T5035] sock_sendmsg+0x42/0x180
[ 57.401789][ T5035] ____sys_sendmsg+0x2ac/0x940
[ 57.406580][ T5035] ? copy_msghdr_from_user+0x10b/0x160
[ 57.412058][ T5035] ? kernel_sendmsg+0x50/0x50
[ 57.417278][ T5035] ? find_held_lock+0x2d/0x110
[ 57.422248][ T5035] ___sys_sendmsg+0x135/0x1d0
[ 57.426970][ T5035] ? do_recvmmsg+0x740/0x740
[ 57.431649][ T5035] ? __lock_acquire+0x182f/0x5de0
[ 57.436753][ T5035] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 57.442786][ T5035] ? __fget_light+0x1fc/0x260
[ 57.447659][ T5035] __sys_sendmmsg+0x1a1/0x450
[ 57.452458][ T5035] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 57.457546][ T5035] ? cgroup_update_frozen+0x144/0x6b0
[ 57.462977][ T5035] ? find_held_lock+0x2d/0x110
[ 57.467788][ T5035] ? _raw_spin_unlock_irq+0x23/0x50
[ 57.473017][ T5035] ? lockdep_hardirqs_on+0x7d/0x100
[ 57.478358][ T5035] __x64_sys_sendmmsg+0x9c/0x100
[ 57.483345][ T5035] do_syscall_64+0x38/0xb0
[ 57.487839][ T5035] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 57.493778][ T5035] RIP: 0033:0x7f18f3ca55a9
[ 57.498303][ T5035] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 57.517929][ T5035] RSP: 002b:00007ffc35df4b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 57.526354][ T5035] RAX: ffffffffffffffda RBX: 00007ffc35df4b50 RCX: 00007f18f3ca55a9
[ 57.534331][ T5035] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[pid 5035] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 5035] exit_group(0) = ?
[pid 5035] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5035, si_uid=0, si_status=0, si_utime=0, si_stime=1 /* 0.01 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555569536f0 /* 4 entries */, 32768) = 112
umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/binderfs") = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./0/file0") = 0
getdents64(3, 0x5555569536f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./0") = 0
mkdir("./1", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5036 attached
, child_tidptr=0x555556952650) = 5036
[pid 5036] set_robust_list(0x555556952660, 24) = 0
[pid 5036] chdir("./1") = 0
[pid 5036] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5036] setpgid(0, 0) = 0
[pid 5036] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5036] write(3, "1000", 4) = 4
[pid 5036] close(3) = 0
[pid 5036] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5036] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5036] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5036] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5036] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5036] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5036] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5036] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[ 57.542308][ T5035] RBP: 0000000000000001 R08: 00007ffc35df48c7 R09: 00007ffc35dfe1a0
[ 57.550308][ T5035] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 57.558313][ T5035] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 57.566316][ T5035]
[pid 5036] write(6, "7", 1) = 1
[ 57.607413][ T5036] FAULT_INJECTION: forcing a failure.
[ 57.607413][ T5036] name failslab, interval 1, probability 0, space 0, times 0
[ 57.620604][ T5036] CPU: 0 PID: 5036 Comm: syz-executor387 Not tainted 6.5.0-syzkaller-04025-g2861f09c1112 #0
[ 57.631319][ T5036] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 57.642176][ T5036] Call Trace:
[ 57.645471][ T5036]
[ 57.648400][ T5036] dump_stack_lvl+0x125/0x1b0
[ 57.653195][ T5036] should_fail_ex+0x496/0x5b0
[ 57.658272][ T5036] should_failslab+0x9/0x20
[ 57.662970][ T5036] kmem_cache_alloc_node+0x389/0x3f0
[ 57.668292][ T5036] ? __alloc_skb+0x287/0x330
[ 57.673056][ T5036] __alloc_skb+0x287/0x330
[ 57.677590][ T5036] ? __napi_build_skb+0x50/0x50
[ 57.683264][ T5036] ? mark_held_locks+0x9f/0xe0
[ 57.688127][ T5036] ? kasan_quarantine_put+0x102/0x230
[ 57.693727][ T5036] ? find_held_lock+0x2d/0x110
[ 57.698517][ T5036] alloc_skb_with_frags+0xe4/0x710
[ 57.703745][ T5036] sock_alloc_send_pskb+0x7e4/0x970
[ 57.709078][ T5036] ? aa_profile_af_perm+0x470/0x470
[ 57.714864][ T5036] ? tomoyo_unix_entry+0x1d2/0x650
[ 57.720136][ T5036] ? sock_wmalloc+0x120/0x120
[ 57.725084][ T5036] ? unix_gc+0x12b0/0x12b0
[ 57.729510][ T5036] ? apparmor_socket_getpeersec_dgram+0x9/0x10
[ 57.735756][ T5036] unix_dgram_sendmsg+0x455/0x1c30
[ 57.740999][ T5036] ? aa_sk_perm+0x2c1/0xae0
[ 57.745532][ T5036] ? unix_dgram_connect+0xba0/0xba0
[ 57.750944][ T5036] ? aa_af_perm+0x260/0x260
[ 57.755456][ T5036] ? reacquire_held_locks+0x4b0/0x4b0
[ 57.760865][ T5036] ? bpf_lsm_socket_sendmsg+0x9/0x10
[ 57.766158][ T5036] ? unix_dgram_connect+0xba0/0xba0
[ 57.771360][ T5036] sock_sendmsg+0xd9/0x180
[ 57.775779][ T5036] ____sys_sendmsg+0x2ac/0x940
[ 57.780558][ T5036] ? copy_msghdr_from_user+0x10b/0x160
[ 57.786020][ T5036] ? kernel_sendmsg+0x50/0x50
[ 57.790717][ T5036] ? find_held_lock+0x2d/0x110
[ 57.795696][ T5036] ___sys_sendmsg+0x135/0x1d0
[ 57.800396][ T5036] ? do_recvmmsg+0x740/0x740
[ 57.805016][ T5036] ? __lock_acquire+0x182f/0x5de0
[ 57.810053][ T5036] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 57.816492][ T5036] ? __fget_light+0x1fc/0x260
[ 57.821276][ T5036] __sys_sendmmsg+0x1a1/0x450
[ 57.826048][ T5036] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 57.831444][ T5036] ? cgroup_update_frozen+0x144/0x6b0
[ 57.837011][ T5036] ? find_held_lock+0x2d/0x110
[ 57.841824][ T5036] ? _raw_spin_unlock_irq+0x23/0x50
[ 57.847054][ T5036] ? lockdep_hardirqs_on+0x7d/0x100
[ 57.852540][ T5036] __x64_sys_sendmmsg+0x9c/0x100
[ 57.857587][ T5036] do_syscall_64+0x38/0xb0
[ 57.862147][ T5036] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 57.868055][ T5036] RIP: 0033:0x7f18f3ca55a9
[ 57.872553][ T5036] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 57.893809][ T5036] RSP: 002b:00007ffc35df4b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[pid 5036] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 ENOBUFS (No buffer space available)
[pid 5036] exit_group(0) = ?
[pid 5036] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5036, si_uid=0, si_status=0, si_utime=0, si_stime=2 /* 0.02 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555569536f0 /* 4 entries */, 32768) = 112
umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./1/binderfs") = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./1/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./1/file0") = 0
getdents64(3, 0x5555569536f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./1") = 0
mkdir("./2", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5037 attached
[pid 5037] set_robust_list(0x555556952660, 24) = 0
[pid 5034] <... clone resumed>, child_tidptr=0x555556952650) = 5037
[pid 5037] chdir("./2") = 0
[pid 5037] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5037] setpgid(0, 0) = 0
[pid 5037] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5037] write(3, "1000", 4) = 4
[pid 5037] close(3) = 0
[pid 5037] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5037] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5037] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5037] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5037] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5037] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5037] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5037] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5037] write(6, "7", 1) = 1
[ 57.902580][ T5036] RAX: ffffffffffffffda RBX: 00007ffc35df4b50 RCX: 00007f18f3ca55a9
[ 57.910733][ T5036] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 57.918942][ T5036] RBP: 0000000000000001 R08: 00007ffc35df48c7 R09: 00007ffc35dfe1a0
[ 57.927015][ T5036] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 57.935112][ T5036] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 57.943213][ T5036]
[ 57.982513][ T5037] FAULT_INJECTION: forcing a failure.
[ 57.982513][ T5037] name failslab, interval 1, probability 0, space 0, times 0
[ 57.995967][ T5037] CPU: 1 PID: 5037 Comm: syz-executor387 Not tainted 6.5.0-syzkaller-04025-g2861f09c1112 #0
[ 58.006075][ T5037] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 58.016231][ T5037] Call Trace:
[ 58.019700][ T5037]
[ 58.022627][ T5037] dump_stack_lvl+0x125/0x1b0
[ 58.027314][ T5037] should_fail_ex+0x496/0x5b0
[ 58.032365][ T5037] should_failslab+0x9/0x20
[ 58.036892][ T5037] kmem_cache_alloc+0x33a/0x3b0
[ 58.041860][ T5037] ? preempt_count_sub+0x150/0x150
[ 58.047043][ T5037] jbd2__journal_start+0x190/0x690
[ 58.052355][ T5037] __ext4_journal_start_sb+0x40f/0x5c0
[ 58.057922][ T5037] ? ext4_dirty_inode+0xa1/0x130
[ 58.063309][ T5037] ? ext4_setattr+0x29a0/0x29a0
[ 58.068173][ T5037] ext4_dirty_inode+0xa1/0x130
[ 58.072970][ T5037] ? rcu_is_watching+0x12/0xb0
[ 58.077747][ T5037] __mark_inode_dirty+0x1e0/0xd50
[ 58.082789][ T5037] generic_update_time+0xcf/0xf0
[ 58.087753][ T5037] touch_atime+0x4eb/0x5d0
[ 58.092199][ T5037] unix_find_other+0x6c4/0x820
[ 58.096986][ T5037] ? unix_bind+0x1440/0x1440
[ 58.101608][ T5037] unix_dgram_sendmsg+0xdc8/0x1c30
[ 58.106762][ T5037] ? aa_sk_perm+0x2c1/0xae0
[ 58.111306][ T5037] ? unix_dgram_connect+0xba0/0xba0
[ 58.116524][ T5037] ? aa_af_perm+0x260/0x260
[ 58.121143][ T5037] ? reacquire_held_locks+0x4b0/0x4b0
[ 58.126722][ T5037] ? bpf_lsm_socket_sendmsg+0x9/0x10
[ 58.132029][ T5037] ? unix_dgram_connect+0xba0/0xba0
[ 58.137256][ T5037] sock_sendmsg+0xd9/0x180
[ 58.141693][ T5037] ____sys_sendmsg+0x2ac/0x940
[ 58.146475][ T5037] ? copy_msghdr_from_user+0x10b/0x160
[ 58.151956][ T5037] ? kernel_sendmsg+0x50/0x50
[ 58.156660][ T5037] ? find_held_lock+0x2d/0x110
[ 58.161453][ T5037] ___sys_sendmsg+0x135/0x1d0
[ 58.166173][ T5037] ? do_recvmmsg+0x740/0x740
[ 58.170794][ T5037] ? __lock_acquire+0x182f/0x5de0
[ 58.176465][ T5037] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 58.182481][ T5037] ? __fget_light+0x1fc/0x260
[ 58.187175][ T5037] __sys_sendmmsg+0x1a1/0x450
[ 58.193189][ T5037] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 58.198235][ T5037] ? cgroup_update_frozen+0x144/0x6b0
[ 58.203650][ T5037] ? find_held_lock+0x2d/0x110
[ 58.208451][ T5037] ? _raw_spin_unlock_irq+0x23/0x50
[ 58.213683][ T5037] ? lockdep_hardirqs_on+0x7d/0x100
[ 58.218911][ T5037] __x64_sys_sendmmsg+0x9c/0x100
[ 58.223892][ T5037] do_syscall_64+0x38/0xb0
[ 58.228330][ T5037] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.234248][ T5037] RIP: 0033:0x7f18f3ca55a9
[ 58.238675][ T5037] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 58.259249][ T5037] RSP: 002b:00007ffc35df4b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 58.267936][ T5037] RAX: ffffffffffffffda RBX: 00007ffc35df4b50 RCX: 00007f18f3ca55a9
[ 58.275920][ T5037] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[pid 5037] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 5037] exit_group(0) = ?
[pid 5037] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5037, si_uid=0, si_status=0, si_utime=0, si_stime=3 /* 0.03 s */} ---
umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555569536f0 /* 4 entries */, 32768) = 112
umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./2/binderfs") = 0
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./2/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./2/file0") = 0
getdents64(3, 0x5555569536f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./2") = 0
mkdir("./3", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5038 attached
, child_tidptr=0x555556952650) = 5038
[pid 5038] set_robust_list(0x555556952660, 24) = 0
[pid 5038] chdir("./3") = 0
[pid 5038] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5038] setpgid(0, 0) = 0
[pid 5038] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5038] write(3, "1000", 4) = 4
[pid 5038] close(3) = 0
[pid 5038] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5038] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5038] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5038] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5038] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5038] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5038] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5038] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5038] write(6, "7", 1) = 1
[ 58.283899][ T5037] RBP: 0000000000000001 R08: 00007ffc35df48c7 R09: 00007ffc35dfe1a0
[ 58.291877][ T5037] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 58.299856][ T5037] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 58.307854][ T5037]
[ 58.336641][ T5038] FAULT_INJECTION: forcing a failure.
[ 58.336641][ T5038] name failslab, interval 1, probability 0, space 0, times 0
[ 58.349393][ T5038] CPU: 0 PID: 5038 Comm: syz-executor387 Not tainted 6.5.0-syzkaller-04025-g2861f09c1112 #0
[ 58.359547][ T5038] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 58.369786][ T5038] Call Trace:
[ 58.373083][ T5038]
[ 58.376029][ T5038] dump_stack_lvl+0x125/0x1b0
[ 58.380725][ T5038] should_fail_ex+0x496/0x5b0
[ 58.385429][ T5038] should_failslab+0x9/0x20
[ 58.390150][ T5038] kmem_cache_alloc+0x33a/0x3b0
[ 58.395042][ T5038] getname_kernel+0x52/0x360
[ 58.399732][ T5038] kern_path+0x1d/0x50
[ 58.403820][ T5038] unix_find_other+0xdc/0x820
[ 58.408532][ T5038] ? unix_bind+0x1440/0x1440
[ 58.413135][ T5038] ? apparmor_socket_getpeersec_dgram+0x9/0x10
[ 58.419306][ T5038] unix_dgram_sendmsg+0xdc8/0x1c30
[ 58.424474][ T5038] ? aa_sk_perm+0x2c1/0xae0
[ 58.429357][ T5038] ? unix_dgram_connect+0xba0/0xba0
[ 58.434575][ T5038] ? aa_af_perm+0x260/0x260
[ 58.439187][ T5038] ? reacquire_held_locks+0x4b0/0x4b0
[ 58.444616][ T5038] ? bpf_lsm_socket_sendmsg+0x9/0x10
[ 58.449935][ T5038] ? unix_dgram_connect+0xba0/0xba0
[ 58.455143][ T5038] sock_sendmsg+0xd9/0x180
[ 58.459566][ T5038] ____sys_sendmsg+0x2ac/0x940
[ 58.464364][ T5038] ? copy_msghdr_from_user+0x10b/0x160
[ 58.469856][ T5038] ? kernel_sendmsg+0x50/0x50
[ 58.474627][ T5038] ? find_held_lock+0x2d/0x110
[ 58.479417][ T5038] ___sys_sendmsg+0x135/0x1d0
[ 58.484118][ T5038] ? do_recvmmsg+0x740/0x740
[ 58.488737][ T5038] ? __lock_acquire+0x182f/0x5de0
[ 58.493798][ T5038] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 58.499822][ T5038] ? __fget_light+0x1fc/0x260
[ 58.504506][ T5038] __sys_sendmmsg+0x1a1/0x450
[ 58.509199][ T5038] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 58.514254][ T5038] ? cgroup_update_frozen+0x144/0x6b0
[ 58.519645][ T5038] ? find_held_lock+0x2d/0x110
[ 58.524456][ T5038] ? _raw_spin_unlock_irq+0x23/0x50
[ 58.529658][ T5038] ? lockdep_hardirqs_on+0x7d/0x100
[ 58.534869][ T5038] __x64_sys_sendmmsg+0x9c/0x100
[ 58.539817][ T5038] do_syscall_64+0x38/0xb0
[ 58.544250][ T5038] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 58.550202][ T5038] RIP: 0033:0x7f18f3ca55a9
[ 58.554619][ T5038] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 58.575493][ T5038] RSP: 002b:00007ffc35df4b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[pid 5038] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}}], 1, 0) = -1 ENOMEM (Cannot allocate memory)
[pid 5038] exit_group(0) = ?
[pid 5038] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5038, si_uid=0, si_status=0, si_utime=0, si_stime=2 /* 0.02 s */} ---
umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555569536f0 /* 4 entries */, 32768) = 112
umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./3/binderfs") = 0
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./3/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./3/file0") = 0
getdents64(3, 0x5555569536f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./3") = 0
mkdir("./4", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5039 attached
[pid 5039] set_robust_list(0x555556952660, 24) = 0
[pid 5039] chdir("./4") = 0
[pid 5039] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5039] setpgid(0, 0) = 0
[pid 5039] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5039] write(3, "1000", 4) = 4
[pid 5039] close(3) = 0
[pid 5039] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5039] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5034] <... clone resumed>, child_tidptr=0x555556952650) = 5039
[pid 5039] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5039] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5039] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5039] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5039] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5039] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5039] write(6, "7", 1) = 1
[pid 5039] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 5039] exit_group(0) = ?
[pid 5039] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5039, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555569536f0 /* 4 entries */, 32768) = 112
umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./4/binderfs") = 0
umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./4/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./4/file0") = 0
getdents64(3, 0x5555569536f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./4") = 0
mkdir("./5", 0777) = 0
[ 58.584025][ T5038] RAX: ffffffffffffffda RBX: 00007ffc35df4b50 RCX: 00007f18f3ca55a9
[ 58.592008][ T5038] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 58.599996][ T5038] RBP: 0000000000000001 R08: 00007ffc35df48c7 R09: 00007ffc35dfe1a0
[ 58.607969][ T5038] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 58.615951][ T5038] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 58.623952][ T5038]
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5040 attached
[pid 5040] set_robust_list(0x555556952660, 24) = 0
[pid 5034] <... clone resumed>, child_tidptr=0x555556952650) = 5040
[pid 5040] chdir("./5") = 0
[pid 5040] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5040] setpgid(0, 0) = 0
[pid 5040] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5040] write(3, "1000", 4) = 4
[pid 5040] close(3) = 0
[pid 5040] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5040] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5040] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5040] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5040] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5040] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5040] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5040] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5040] write(6, "7", 1) = 1
[pid 5040] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 5040] exit_group(0) = ?
[pid 5040] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5040, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555569536f0 /* 4 entries */, 32768) = 112
umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./5/binderfs") = 0
umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./5/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./5/file0") = 0
getdents64(3, 0x5555569536f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./5") = 0
mkdir("./6", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556952650) = 5041
./strace-static-x86_64: Process 5041 attached
[pid 5041] set_robust_list(0x555556952660, 24) = 0
[pid 5041] chdir("./6") = 0
[pid 5041] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5041] setpgid(0, 0) = 0
[pid 5041] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5041] write(3, "1000", 4) = 4
[pid 5041] close(3) = 0
[pid 5041] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5041] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5041] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5041] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5041] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5041] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5041] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5041] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5041] write(6, "7", 1) = 1
[pid 5041] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 58.687627][ T4776] ==================================================================
[ 58.695732][ T4776] BUG: KASAN: slab-use-after-free in consume_skb+0x32/0x170
[ 58.703078][ T4776] Read of size 4 at addr ffff88807ef85224 by task kworker/0:3/4776
[ 58.710999][ T4776]
[ 58.713346][ T4776] CPU: 0 PID: 4776 Comm: kworker/0:3 Not tainted 6.5.0-syzkaller-04025-g2861f09c1112 #0
[ 58.723101][ T4776] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[pid 5041] exit_group(0) = ?
[pid 5041] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5041, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555569536f0 /* 4 entries */, 32768) = 112
umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./6/binderfs") = 0
umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./6/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./6/file0") = 0
getdents64(3, 0x5555569536f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./6") = 0
mkdir("./7", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5042 attached
[pid 5042] set_robust_list(0x555556952660, 24) = 0
[pid 5042] chdir("./7") = 0
[pid 5042] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5042] setpgid(0, 0) = 0
[pid 5042] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5042] write(3, "1000", 4) = 4
[pid 5042] close(3
[pid 5034] <... clone resumed>, child_tidptr=0x555556952650) = 5042
[pid 5042] <... close resumed>) = 0
[pid 5042] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5042] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5042] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5042] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5042] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5042] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5042] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5042] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5042] write(6, "7", 1) = 1
[pid 5042] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[ 58.733187][ T4776] Workqueue: events sk_psock_destroy
[ 58.738540][ T4776] Call Trace:
[ 58.741841][ T4776]
[ 58.744793][ T4776] dump_stack_lvl+0xd9/0x1b0
[ 58.749434][ T4776] print_report+0xc4/0x620
[ 58.754348][ T4776] ? __virt_addr_valid+0x5e/0x2d0
[ 58.759419][ T4776] ? __phys_addr+0xc6/0x140
[ 58.763968][ T4776] kasan_report+0xda/0x110
[ 58.768797][ T4776] ? consume_skb+0x32/0x170
[ 58.773357][ T4776] ? consume_skb+0x32/0x170
[ 58.777915][ T4776] kasan_check_range+0xef/0x190
[ 58.782811][ T4776] consume_skb+0x32/0x170
[pid 5042] exit_group(0) = ?
[pid 5042] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5042, si_uid=0, si_status=0, si_utime=0, si_stime=2 /* 0.02 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555569536f0 /* 4 entries */, 32768) = 112
umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./7/binderfs") = 0
umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./7/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./7/file0") = 0
getdents64(3, 0x5555569536f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./7") = 0
mkdir("./8", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5043 attached
, child_tidptr=0x555556952650) = 5043
[pid 5043] set_robust_list(0x555556952660, 24) = 0
[pid 5043] chdir("./8") = 0
[pid 5043] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5043] setpgid(0, 0) = 0
[pid 5043] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5043] write(3, "1000", 4) = 4
[pid 5043] close(3) = 0
[pid 5043] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5043] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5043] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5043] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5043] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5043] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5043] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5043] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5043] write(6, "7", 1) = 1
[ 58.787202][ T4776] __sk_msg_free+0x230/0x380
[ 58.791842][ T4776] ? lockdep_hardirqs_on+0x7d/0x100
[ 58.797094][ T4776] ? _raw_spin_unlock_irqrestore+0x3b/0x70
[ 58.802959][ T4776] sk_psock_destroy+0x335/0xa50
[ 58.807866][ T4776] process_one_work+0xaa2/0x16f0
[ 58.812862][ T4776] ? lock_sync+0x190/0x190
[ 58.817331][ T4776] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 58.822755][ T4776] ? spin_bug+0x1d0/0x1d0
[ 58.827138][ T4776] worker_thread+0x687/0x1110
[ 58.832044][ T4776] ? __kthread_parkme+0x152/0x220
[ 58.834884][ T5043] FAULT_INJECTION: forcing a failure.
[ 58.834884][ T5043] name failslab, interval 1, probability 0, space 0, times 0
[ 58.837101][ T4776] ? process_one_work+0x16f0/0x16f0
[ 58.837140][ T4776] kthread+0x33a/0x430
[ 58.859065][ T4776] ? kthread_complete_and_exit+0x40/0x40
[ 58.864821][ T4776] ret_from_fork+0x2c/0x70
[ 58.869267][ T4776] ? kthread_complete_and_exit+0x40/0x40
[ 58.874927][ T4776] ret_from_fork_asm+0x11/0x20
[ 58.879735][ T4776]
[ 58.882761][ T4776]
[ 58.882762][ T5043] CPU: 1 PID: 5043 Comm: syz-executor387 Not tainted 6.5.0-syzkaller-04025-g2861f09c1112 #0
[ 58.885073][ T4776] Allocated by task 5039:
[ 58.885086][ T4776] kasan_save_stack+0x33/0x50
[ 58.895129][ T5043] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 58.899433][ T4776] kasan_set_track+0x25/0x30
[ 58.904094][ T5043] Call Trace:
[ 58.904105][ T5043]
[ 58.914128][ T4776] __kasan_slab_alloc+0x81/0x90
[ 58.918703][ T5043] dump_stack_lvl+0x125/0x1b0
[ 58.921962][ T4776] kmem_cache_alloc_node+0x185/0x3f0
[ 58.924888][ T5043] should_fail_ex+0x496/0x5b0
[ 58.929720][ T4776] __alloc_skb+0x287/0x330
[ 58.934393][ T5043] should_failslab+0x9/0x20
[ 58.939668][ T4776] alloc_skb_with_frags+0xe4/0x710
[ 58.944335][ T5043] kmem_cache_alloc+0x33a/0x3b0
[ 58.948727][ T4776] sock_alloc_send_pskb+0x7e4/0x970
[ 58.953240][ T5043] ? preempt_count_sub+0x150/0x150
[ 58.958360][ T4776] unix_dgram_sendmsg+0x455/0x1c30
[ 58.963195][ T5043] jbd2__journal_start+0x190/0x690
[ 58.968371][ T4776] sock_sendmsg+0xd9/0x180
[ 58.973499][ T5043] __ext4_journal_start_sb+0x40f/0x5c0
[ 58.978754][ T4776] ____sys_sendmsg+0x2ac/0x940
[ 58.983848][ T5043] ? ext4_dirty_inode+0xa1/0x130
[ 58.988246][ T4776] ___sys_sendmsg+0x135/0x1d0
[ 58.993707][ T5043] ? ext4_setattr+0x29a0/0x29a0
[ 58.998454][ T4776] __sys_sendmmsg+0x1a1/0x450
[ 59.003394][ T5043] ext4_dirty_inode+0xa1/0x130
[ 59.008045][ T4776] __x64_sys_sendmmsg+0x9c/0x100
[ 59.012881][ T5043] ? rcu_is_watching+0x12/0xb0
[ 59.017614][ T4776] do_syscall_64+0x38/0xb0
[ 59.022355][ T5043] __mark_inode_dirty+0x1e0/0xd50
[ 59.027276][ T4776] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 59.032025][ T5043] generic_update_time+0xcf/0xf0
[ 59.036415][ T4776]
[ 59.036420][ T4776] Freed by task 4776:
[ 59.041422][ T5043] touch_atime+0x4eb/0x5d0
[ 59.047299][ T4776] kasan_save_stack+0x33/0x50
[ 59.052219][ T5043] unix_find_other+0x6c4/0x820
[ 59.054523][ T4776] kasan_set_track+0x25/0x30
[ 59.058486][ T5043] ? unix_bind+0x1440/0x1440
[ 59.062883][ T4776] kasan_save_free_info+0x2b/0x40
[ 59.067546][ T5043] ? apparmor_socket_getpeersec_dgram+0x9/0x10
[ 59.072282][ T4776] ____kasan_slab_free+0x15e/0x1b0
[ 59.076865][ T5043] unix_dgram_sendmsg+0xdc8/0x1c30
[ 59.081430][ T4776] slab_free_freelist_hook+0x10b/0x1e0
[ 59.086562][ T5043] ? aa_sk_perm+0x2c1/0xae0
[ 59.092694][ T4776] kmem_cache_free+0xf0/0x490
[ 59.097837][ T5043] ? unix_dgram_connect+0xba0/0xba0
[ 59.102940][ T4776] kfree_skbmem+0xef/0x1b0
[ 59.108393][ T5043] ? aa_af_perm+0x260/0x260
[ 59.112870][ T4776] kfree_skb_reason+0x10e/0x210
[ 59.117549][ T5043] ? reacquire_held_locks+0x4b0/0x4b0
[ 59.122732][ T4776] sk_psock_destroy+0x18d/0xa50
[ 59.127937][ T5043] ? bpf_lsm_socket_sendmsg+0x9/0x10
[ 59.132421][ T4776] process_one_work+0xaa2/0x16f0
[ 59.137263][ T5043] ? unix_dgram_connect+0xba0/0xba0
[ 59.143308][ T4776] worker_thread+0x687/0x1110
[ 59.148141][ T5043] sock_sendmsg+0xd9/0x180
[ 59.153398][ T4776] kthread+0x33a/0x430
[ 59.158370][ T5043] ____sys_sendmsg+0x2ac/0x940
[ 59.163539][ T4776] ret_from_fork+0x2c/0x70
[ 59.168204][ T5043] ? copy_msghdr_from_user+0x10b/0x160
[ 59.172590][ T4776] ret_from_fork_asm+0x11/0x20
[ 59.176647][ T5043] ? kernel_sendmsg+0x50/0x50
[ 59.181384][ T4776]
[ 59.181390][ T4776] The buggy address belongs to the object at ffff88807ef85140
[ 59.181390][ T4776] which belongs to the cache skbuff_head_cache of size 240
[ 59.185787][ T5043] ? find_held_lock+0x2d/0x110
[ 59.191213][ T4776] The buggy address is located 228 bytes inside of
[ 59.191213][ T4776] freed 240-byte region [ffff88807ef85140, ffff88807ef85230)
[ 59.195965][ T5043] ___sys_sendmsg+0x135/0x1d0
[ 59.200611][ T4776]
[ 59.200617][ T4776] The buggy address belongs to the physical page:
[ 59.202934][ T5043] ? do_recvmmsg+0x740/0x740
[ 59.217478][ T4776] page:ffffea0001fbe140 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7ef85
[ 59.222222][ T5043] ? __lock_acquire+0x182f/0x5de0
[ 59.235985][ T4776] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 59.240658][ T5043] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 59.242947][ T4776] page_type: 0xffffffff()
[ 59.242971][ T4776] raw: 00fff00000000200 ffff88801a241500 dead000000000122 0000000000000000
[ 59.249372][ T5043] ? __fget_light+0x1fc/0x260
[ 59.253949][ T4776] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 59.264172][ T5043] __sys_sendmmsg+0x1a1/0x450
[ 59.269194][ T4776] page dumped because: kasan: bad access detected
[ 59.269207][ T4776] page_owner tracks the page as allocated
[ 59.276813][ T5043] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 59.283033][ T4776] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY), pid 5029, tgid 5029 (sshd), ts 58642438718, free_ts 58637770481
[ 59.287381][ T5043] ? cgroup_update_frozen+0x144/0x6b0
[ 59.295956][ T4776] post_alloc_hook+0x2d2/0x350
[ 59.300628][ T5043] ? find_held_lock+0x2d/0x110
[ 59.309289][ T4776] get_page_from_freelist+0x10a9/0x31e0
[ 59.313966][ T5043] ? _raw_spin_unlock_irq+0x23/0x50
[ 59.320420][ T4776] __alloc_pages+0x1d0/0x4a0
[ 59.326119][ T5043] ? lockdep_hardirqs_on+0x7d/0x100
[ 59.331119][ T4776] alloc_pages+0x1a9/0x270
[ 59.349158][ T5043] __x64_sys_sendmmsg+0x9c/0x100
[ 59.354500][ T4776] allocate_slab+0x24e/0x380
[ 59.359250][ T5043] do_syscall_64+0x38/0xb0
[ 59.364269][ T4776] ___slab_alloc+0x8bc/0x1570
[ 59.369799][ T5043] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 59.375058][ T4776] __slab_alloc.constprop.0+0x56/0xa0
[ 59.379629][ T5043] RIP: 0033:0x7f18f3ca55a9
[ 59.384807][ T4776] kmem_cache_alloc+0x392/0x3b0
[ 59.389215][ T5043] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 59.394125][ T4776] skb_clone+0x171/0x3c0
[ 59.398697][ T5043] RSP: 002b:00007ffc35df4b28 EFLAGS: 00000246
[ 59.403089][ T4776] dev_queue_xmit_nit+0x38b/0xb80
[ 59.407748][ T5043] ORIG_RAX: 0000000000000133
[ 59.413612][ T4776] dev_hard_start_xmit+0x59/0x6c0
[ 59.418962][ T5043] RAX: ffffffffffffffda RBX: 00007ffc35df4b50 RCX: 00007f18f3ca55a9
[ 59.423360][ T4776] sch_direct_xmit+0x1ac/0xc20
[pid 5043] sendmmsg(3, [{msg_hdr={msg_name={sa_family=AF_UNIX, sun_path="./file0"}, msg_namelen=110, msg_iov=NULL, msg_iovlen=0, msg_controllen=0, msg_flags=0}, msg_len=0}], 1, 0) = 1
[pid 5043] exit_group(0) = ?
[pid 5043] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5043, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./8", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0
getdents64(3, 0x5555569536f0 /* 4 entries */, 32768) = 112
umount2("./8/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./8/binderfs") = 0
umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
newfstatat(AT_FDCWD, "./8/file0", {st_mode=S_IFSOCK|0700, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
unlink("./8/file0") = 0
getdents64(3, 0x5555569536f0 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./8") = 0
mkdir("./9", 0777) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5044 attached
, child_tidptr=0x555556952650) = 5044
[ 59.428192][ T5043] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 59.447772][ T4776] __dev_queue_xmit+0x1282/0x3d80
[ 59.452014][ T5043] RBP: 0000000000000001 R08: 00007ffc35df48c7 R09: 00007ffc35dfe1a0
[ 59.458070][ T4776] ip_finish_output2+0x16a8/0x2550
[ 59.463102][ T5043] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 59.467765][ T4776] __ip_finish_output+0x38b/0x640
[ 59.472779][ T5043] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 59.480746][ T4776] ip_finish_output+0x31/0x310
[ 59.485520][ T5043]
[pid 5044] set_robust_list(0x555556952660, 24) = 0
[pid 5044] chdir("./9") = 0
[pid 5044] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5044] setpgid(0, 0) = 0
[pid 5044] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5044] write(3, "1000", 4) = 4
[pid 5044] close(3) = 0
[pid 5044] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5044] socket(AF_UNIX, SOCK_DGRAM, 0) = 3
[pid 5044] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_SK_SKB, insn_cnt=4, insns=0x20000540, license="GPL", log_level=4, log_size=64912, log_buf="", kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS}, 72) = 4
[pid 5044] bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_SOCKMAP, key_size=4, value_size=4, max_entries=18, map_flags=0, inner_map_fd=-1, map_name="", map_ifindex=0, btf_fd=-1, btf_key_type_id=0, btf_value_type_id=0, btf_vmlinux_value_type_id=0, map_extra=0}, 72) = 5
[pid 5044] bpf(BPF_PROG_ATTACH, {target_fd=5, attach_bpf_fd=4, attach_type=BPF_SK_SKB_VERDICT, attach_flags=0}, 16) = 0
[pid 5044] bpf(BPF_MAP_UPDATE_ELEM, {map_fd=5, key=0x20000180, value=0x200000c0, flags=BPF_ANY}, 32) = 0
[pid 5044] bind(3, {sa_family=AF_UNIX, sun_path="./file0"}, 110) = 0
[pid 5044] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 6
[pid 5044] write(6, "7", 1) = 1
[ 59.493450][ T4776] page last free stack trace:
[ 59.493458][ T4776] free_unref_page_prepare+0x508/0xb90
[ 59.552065][ T4776] free_unref_page+0x33/0x3b0
[ 59.556807][ T4776] skb_free_head+0xa6/0x1b0
[ 59.561529][ T4776] skb_release_data+0x5ba/0x870
[ 59.562348][ T5044] FAULT_INJECTION: forcing a failure.
[ 59.562348][ T5044] name failslab, interval 1, probability 0, space 0, times 0
[ 59.566410][ T4776] __kfree_skb+0x51/0x70
[ 59.579344][ T5044] CPU: 1 PID: 5044 Comm: syz-executor387 Not tainted 6.5.0-syzkaller-04025-g2861f09c1112 #0
[ 59.583211][ T4776] tcp_rcv_established+0x1130/0x1fa0
[ 59.593345][ T5044] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 59.598781][ T4776] tcp_v4_do_rcv+0x669/0x9e0
[ 59.608842][ T5044] Call Trace:
[ 59.608858][ T5044]
[ 59.613428][ T4776] __release_sock+0x132/0x3a0
[ 59.616725][ T5044] dump_stack_lvl+0x125/0x1b0
[ 59.619646][ T4776] release_sock+0x58/0x1b0
[ 59.624306][ T5044] should_fail_ex+0x496/0x5b0
[ 59.629126][ T4776] tcp_sendmsg+0x38/0x40
[ 59.633619][ T5044] should_failslab+0x9/0x20
[ 59.638276][ T4776] inet_sendmsg+0x9d/0xe0
[ 59.642942][ T5044] kmem_cache_alloc+0x33a/0x3b0
[ 59.647421][ T4776] sock_sendmsg+0xd9/0x180
[ 59.651755][ T5044] ? preempt_count_sub+0x150/0x150
[ 59.656589][ T4776] sock_write_iter+0x29b/0x3d0
[ 59.661000][ T5044] jbd2__journal_start+0x190/0x690
[ 59.666108][ T4776] vfs_write+0x650/0xe40
[ 59.671127][ T5044] __ext4_journal_start_sb+0x40f/0x5c0
[ 59.676309][ T4776] ksys_write+0x1f0/0x250
[ 59.680538][ T5044] ? ext4_dirty_inode+0xa1/0x130
[ 59.686058][ T4776] do_syscall_64+0x38/0xb0
[ 59.691756][ T5044] ? ext4_setattr+0x29a0/0x29a0
[ 59.696668][ T4776]
[ 59.696673][ T4776] Memory state around the buggy address:
[ 59.701061][ T5044] ext4_dirty_inode+0xa1/0x130
[ 59.705978][ T4776] ffff88807ef85100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 59.708395][ T5044] ? rcu_is_watching+0x12/0xb0
[ 59.714006][ T4776] ffff88807ef85180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.718743][ T5044] __mark_inode_dirty+0x1e0/0xd50
[ 59.726867][ T4776] >ffff88807ef85200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 59.731797][ T5044] generic_update_time+0xcf/0xf0
[ 59.739826][ T4776] ^
[ 59.739840][ T4776] ffff88807ef85280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.744833][ T5044] touch_atime+0x4eb/0x5d0
[ 59.752956][ T4776] ffff88807ef85300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 59.757884][ T5044] unix_find_other+0x6c4/0x820
[ 59.762980][ T4776] ==================================================================
[ 59.764390][ T4776] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 59.771033][ T5044] ? unix_bind+0x1440/0x1440
[ 59.775480][ T5044] ? apparmor_socket_getpeersec_dgram+0x9/0x10
[ 59.783563][ T5044] unix_dgram_sendmsg+0xdc8/0x1c30
[ 59.788369][ T5044] ? aa_sk_perm+0x2c1/0xae0
[ 59.796450][ T5044] ? unix_dgram_connect+0xba0/0xba0
[ 59.803659][ T5044] ? aa_af_perm+0x260/0x260
[ 59.808264][ T5044] ? reacquire_held_locks+0x4b0/0x4b0
[ 59.814450][ T5044] ? bpf_lsm_socket_sendmsg+0x9/0x10
[ 59.819592][ T5044] ? unix_dgram_connect+0xba0/0xba0
[ 59.824143][ T5044] sock_sendmsg+0xd9/0x180
[ 59.829388][ T5044] ____sys_sendmsg+0x2ac/0x940
[ 59.833940][ T5044] ? copy_msghdr_from_user+0x10b/0x160
[ 59.839345][ T5044] ? kernel_sendmsg+0x50/0x50
[ 59.844644][ T5044] ? find_held_lock+0x2d/0x110
[ 59.849859][ T5044] ___sys_sendmsg+0x135/0x1d0
[ 59.854311][ T5044] ? do_recvmmsg+0x740/0x740
[ 59.859232][ T5044] ? __lock_acquire+0x182f/0x5de0
[ 59.864751][ T5044] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 59.869493][ T5044] ? __fget_light+0x1fc/0x260
[ 59.874268][ T5044] __sys_sendmmsg+0x1a1/0x450
[ 59.878962][ T5044] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 59.883566][ T5044] ? cgroup_update_frozen+0x144/0x6b0
[ 59.889135][ T5044] ? find_held_lock+0x2d/0x110
[ 59.895198][ T5044] ? _raw_spin_unlock_irq+0x23/0x50
[ 59.899906][ T5044] ? lockdep_hardirqs_on+0x7d/0x100
[ 59.904629][ T5044] __x64_sys_sendmmsg+0x9c/0x100
[ 59.909694][ T5044] do_syscall_64+0x38/0xb0
[ 59.915102][ T5044] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 59.919896][ T5044] RIP: 0033:0x7f18f3ca55a9
[ 59.925097][ T5044] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 59.930306][ T5044] RSP: 002b:00007ffc35df4b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 59.939648][ T5044] RAX: ffffffffffffffda RBX: 00007ffc35df4b50 RCX: 00007f18f3ca55a9
[ 59.945538][ T5044] RDX: 0000000000000001 RSI: 00000000200063c0 RDI: 0000000000000003
[ 59.950037][ T5044] RBP: 0000000000000001 R08: 00007ffc35df48c7 R09: 00007ffc35dfe1a0
[ 59.969640][ T5044] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 59.978131][ T5044] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 59.986129][ T5044]
[ 59.994185][ T4776] CPU: 0 PID: 4776 Comm: kworker/0:3 Not tainted 6.5.0-syzkaller-04025-g2861f09c1112 #0
[ 60.031826][ T4776] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
[ 60.041893][ T4776] Workqueue: events sk_psock_destroy
[ 60.047210][ T4776] Call Trace:
[ 60.050486][ T4776]
[ 60.053420][ T4776] dump_stack_lvl+0xd9/0x1b0
[ 60.058039][ T4776] panic+0x6a4/0x750
[ 60.061948][ T4776] ? panic_smp_self_stop+0xa0/0xa0
[ 60.067079][ T4776] ? preempt_schedule_thunk+0x1a/0x30
[ 60.072469][ T4776] ? preempt_schedule_common+0x45/0xc0
[ 60.077959][ T4776] check_panic_on_warn+0xab/0xb0
[ 60.082913][ T4776] end_report+0x108/0x150
[ 60.087261][ T4776] kasan_report+0xea/0x110
[ 60.091694][ T4776] ? consume_skb+0x32/0x170
[ 60.096213][ T4776] ? consume_skb+0x32/0x170
[ 60.100746][ T4776] kasan_check_range+0xef/0x190
[ 60.105610][ T4776] consume_skb+0x32/0x170
[ 60.110040][ T4776] __sk_msg_free+0x230/0x380
[ 60.114650][ T4776] ? lockdep_hardirqs_on+0x7d/0x100
[ 60.120127][ T4776] ? _raw_spin_unlock_irqrestore+0x3b/0x70
[ 60.125945][ T4776] sk_psock_destroy+0x335/0xa50
[ 60.130812][ T4776] process_one_work+0xaa2/0x16f0
[ 60.135774][ T4776] ? lock_sync+0x190/0x190
[ 60.140204][ T4776] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 60.145613][ T4776] ? spin_bug+0x1d0/0x1d0
[ 60.150264][ T4776] worker_thread+0x687/0x1110
[ 60.154983][ T4776] ? __kthread_parkme+0x152/0x220
[ 60.160039][ T4776] ? process_one_work+0x16f0/0x16f0
[ 60.165265][ T4776] kthread+0x33a/0x430
[ 60.169344][ T4776] ? kthread_complete_and_exit+0x40/0x40
[ 60.174985][ T4776] ret_from_fork+0x2c/0x70
[ 60.179409][ T4776] ? kthread_complete_and_exit+0x40/0x40
[ 60.185048][ T4776] ret_from_fork_asm+0x11/0x20
[ 60.189853][ T4776]
[ 60.193151][ T4776] Kernel Offset: disabled
[ 60.197487][ T4776] Rebooting in 86400 seconds..