./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor881170525 <...> DUID 00:04:b0:cd:33:f9:4f:8a:55:45:4d:7b:3b:ee:3a:71:f0:8b forked to background, child pid 3209 [ 29.507352][ T3210] 8021q: adding VLAN 0 to HW filter on device bond0 [ 29.517899][ T3210] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.108' (ECDSA) to the list of known hosts. execve("./syz-executor881170525", ["./syz-executor881170525"], 0x7fff4947c1e0 /* 10 vars */) = 0 brk(NULL) = 0x55555669e000 brk(0x55555669ec40) = 0x55555669ec40 arch_prctl(ARCH_SET_FS, 0x55555669e300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor881170525", 4096) = 27 brk(0x5555566bfc40) = 0x5555566bfc40 brk(0x5555566c0000) = 0x5555566c0000 mprotect(0x7ff59603c000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 3632 mkdir("./syzkaller.8t3YFP", 0700) = 0 chmod("./syzkaller.8t3YFP", 0777) = 0 chdir("./syzkaller.8t3YFP") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555669e5d0) = 3633 ./strace-static-x86_64: Process 3633 attached [pid 3633] chdir("./0") = 0 [pid 3633] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3633] setpgid(0, 0) = 0 [pid 3633] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3633] write(3, "1000", 4) = 4 [pid 3633] close(3) = 0 [pid 3633] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3633] memfd_create("syzkaller", 0) = 3 [pid 3633] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff58da00000 [pid 3633] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 3633] munmap(0x7ff58da00000, 4194304) = 0 [pid 3633] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3633] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3633] close(3) = 0 [pid 3633] mkdir("./file0", 0777) = 0 syzkaller login: [ 54.825850][ T3633] loop0: detected capacity change from 0 to 8192 [ 54.838655][ T3633] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 54.851795][ T3633] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal [ 54.861469][ T3633] REISERFS (device loop0): using ordered data mode [ 54.868257][ T3633] reiserfs: using flush barriers [ 54.874554][ T3633] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 54.891542][ T3633] REISERFS (device loop0): checking transaction log (loop0) [pid 3633] mount("/dev/loop0", "./file0", "reiserfs", MS_DIRSYNC, "") = 0 [pid 3633] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3633] chdir("./file0") = 0 [pid 3633] ioctl(4, LOOP_CLR_FD) = 0 [pid 3633] close(4) = 0 [pid 3633] creat("./bus", 000) = 4 [pid 3633] writev(4, [{iov_base="\x14\x00\x00\x00\x24\x68\x37\xf7\x31\x99\xae\xe6\xfd\xb9\x29\x1b\x30\x91\xec\x1a\x2d\x41\xd2\x27\x97\x5a\xd8\xec\x03\x0f\x59\x19\xf3\x97\x86\x79\x97\xf9\xc0\xef\xa9\xc9\x09\x2a\x31\xcd\xbb\x98\xea\x27\x27\x87\xaf\xda\x0a\xf5\x9a\x32\x07\x09\xc3\xa5\x9e\xf0\x5c\x6f\x40\xce\xaf\xec\x53\xf4\x8d\x61\x86\xe7\xd8\x40\x9e\x35\x30\x62\x21\xca\xf6\x7b\x37\x0d\x87\x5e\xff\x31\x91\x93\x27\x28\xe5\xab\x6c\x9a"..., iov_len=128}, {iov_base="\xd1\xff\xac\xd5\x16\xde\x50\xac\x9d\x15\xbc\x75\x31\x6d\xa4\xde\xfa\x1e\x72\xf6\x5a\x65\xcd\xd2\x6d\xcc\x38\x9a\xac\xf7\x85\x6d\xa9\xae\xcf\x37\x65\xd4\xc0\x32\xe1\x96\x0f\xaf\x25\xba\xd9\x06\xb7\xd3\x44\x0b\x6e\x71\xa8\x2f\x1d\x8f\x8b\x8d\xb3\x5b\x60\x91\xf3\xaf\x94\xc6\xb4\x6b\x9a\xb1\x0f\xe3\x92\x3f\x26\x87\x71\x07\x8d\x26\x68\xbe\x7b\xd3\xeb\x94\x1d\x4b\xb5\xba\xa8\x54\x7e\x36\x28\x3a\x06\x5c"..., iov_len=3505}], 2) = 3633 [pid 3633] openat(AT_FDCWD, "/proc/thread-self/attr/exec", O_RDWR) = 5 [pid 3633] dup2(5, 4) = 4 [pid 3633] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [pid 3633] write(6, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 3633] exit_group(0) = ? [pid 3633] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3633, si_uid=0, si_status=0, si_utime=0, si_stime=16} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x55555669f620 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./0/binderfs") = 0 [ 54.938699][ T3633] REISERFS (device loop0): Using r5 hash to sort names [ 54.947080][ T3633] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555566a7660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555566a7660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file0") = 0 getdents64(3, 0x55555669f620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555669e5d0) = 3636 ./strace-static-x86_64: Process 3636 attached [pid 3636] chdir("./1") = 0 [pid 3636] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3636] setpgid(0, 0) = 0 [pid 3636] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3636] write(3, "1000", 4) = 4 [pid 3636] close(3) = 0 [pid 3636] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3636] memfd_create("syzkaller", 0) = 3 [pid 3636] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff58da00000 [pid 3636] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 3636] munmap(0x7ff58da00000, 4194304) = 0 [pid 3636] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3636] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3636] close(3) = 0 [pid 3636] mkdir("./file0", 0777) = 0 [ 55.101012][ T3636] loop0: detected capacity change from 0 to 8192 [ 55.111988][ T3636] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 55.125374][ T3636] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal [ 55.134805][ T3636] REISERFS (device loop0): using ordered data mode [ 55.141536][ T3636] reiserfs: using flush barriers [ 55.147509][ T3636] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 55.164133][ T3636] REISERFS (device loop0): checking transaction log (loop0) [pid 3636] mount("/dev/loop0", "./file0", "reiserfs", MS_DIRSYNC, "") = 0 [pid 3636] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3636] chdir("./file0") = 0 [pid 3636] ioctl(4, LOOP_CLR_FD) = 0 [pid 3636] close(4) = 0 [pid 3636] creat("./bus", 000) = 4 [pid 3636] writev(4, [{iov_base="\x14\x00\x00\x00\x24\x68\x37\xf7\x31\x99\xae\xe6\xfd\xb9\x29\x1b\x30\x91\xec\x1a\x2d\x41\xd2\x27\x97\x5a\xd8\xec\x03\x0f\x59\x19\xf3\x97\x86\x79\x97\xf9\xc0\xef\xa9\xc9\x09\x2a\x31\xcd\xbb\x98\xea\x27\x27\x87\xaf\xda\x0a\xf5\x9a\x32\x07\x09\xc3\xa5\x9e\xf0\x5c\x6f\x40\xce\xaf\xec\x53\xf4\x8d\x61\x86\xe7\xd8\x40\x9e\x35\x30\x62\x21\xca\xf6\x7b\x37\x0d\x87\x5e\xff\x31\x91\x93\x27\x28\xe5\xab\x6c\x9a"..., iov_len=128}, {iov_base="\xd1\xff\xac\xd5\x16\xde\x50\xac\x9d\x15\xbc\x75\x31\x6d\xa4\xde\xfa\x1e\x72\xf6\x5a\x65\xcd\xd2\x6d\xcc\x38\x9a\xac\xf7\x85\x6d\xa9\xae\xcf\x37\x65\xd4\xc0\x32\xe1\x96\x0f\xaf\x25\xba\xd9\x06\xb7\xd3\x44\x0b\x6e\x71\xa8\x2f\x1d\x8f\x8b\x8d\xb3\x5b\x60\x91\xf3\xaf\x94\xc6\xb4\x6b\x9a\xb1\x0f\xe3\x92\x3f\x26\x87\x71\x07\x8d\x26\x68\xbe\x7b\xd3\xeb\x94\x1d\x4b\xb5\xba\xa8\x54\x7e\x36\x28\x3a\x06\x5c"..., iov_len=3505}], 2) = 3633 [pid 3636] openat(AT_FDCWD, "/proc/thread-self/attr/exec", O_RDWR) = 5 [pid 3636] dup2(5, 4) = 4 [pid 3636] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [pid 3636] write(6, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 3636] exit_group(0) = ? [pid 3636] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3636, si_uid=0, si_status=0, si_utime=0, si_stime=14} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x55555669f620 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./1/binderfs") = 0 [ 55.206760][ T3636] REISERFS (device loop0): Using r5 hash to sort names [ 55.214040][ T3636] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555566a7660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555566a7660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file0") = 0 getdents64(3, 0x55555669f620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555669e5d0) = 3638 ./strace-static-x86_64: Process 3638 attached [pid 3638] chdir("./2") = 0 [pid 3638] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3638] setpgid(0, 0) = 0 [pid 3638] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3638] write(3, "1000", 4) = 4 [pid 3638] close(3) = 0 [pid 3638] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3638] memfd_create("syzkaller", 0) = 3 [pid 3638] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff58da00000 [pid 3638] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 3638] munmap(0x7ff58da00000, 4194304) = 0 [pid 3638] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3638] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3638] close(3) = 0 [pid 3638] mkdir("./file0", 0777) = 0 [ 55.360673][ T3638] loop0: detected capacity change from 0 to 8192 [ 55.371007][ T3638] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 55.384335][ T3638] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal [ 55.393825][ T3638] REISERFS (device loop0): using ordered data mode [ 55.400782][ T3638] reiserfs: using flush barriers [ 55.406944][ T3638] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 55.423430][ T3638] REISERFS (device loop0): checking transaction log (loop0) [pid 3638] mount("/dev/loop0", "./file0", "reiserfs", MS_DIRSYNC, "") = 0 [pid 3638] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3638] chdir("./file0") = 0 [pid 3638] ioctl(4, LOOP_CLR_FD) = 0 [pid 3638] close(4) = 0 [pid 3638] creat("./bus", 000) = 4 [pid 3638] writev(4, [{iov_base="\x14\x00\x00\x00\x24\x68\x37\xf7\x31\x99\xae\xe6\xfd\xb9\x29\x1b\x30\x91\xec\x1a\x2d\x41\xd2\x27\x97\x5a\xd8\xec\x03\x0f\x59\x19\xf3\x97\x86\x79\x97\xf9\xc0\xef\xa9\xc9\x09\x2a\x31\xcd\xbb\x98\xea\x27\x27\x87\xaf\xda\x0a\xf5\x9a\x32\x07\x09\xc3\xa5\x9e\xf0\x5c\x6f\x40\xce\xaf\xec\x53\xf4\x8d\x61\x86\xe7\xd8\x40\x9e\x35\x30\x62\x21\xca\xf6\x7b\x37\x0d\x87\x5e\xff\x31\x91\x93\x27\x28\xe5\xab\x6c\x9a"..., iov_len=128}, {iov_base="\xd1\xff\xac\xd5\x16\xde\x50\xac\x9d\x15\xbc\x75\x31\x6d\xa4\xde\xfa\x1e\x72\xf6\x5a\x65\xcd\xd2\x6d\xcc\x38\x9a\xac\xf7\x85\x6d\xa9\xae\xcf\x37\x65\xd4\xc0\x32\xe1\x96\x0f\xaf\x25\xba\xd9\x06\xb7\xd3\x44\x0b\x6e\x71\xa8\x2f\x1d\x8f\x8b\x8d\xb3\x5b\x60\x91\xf3\xaf\x94\xc6\xb4\x6b\x9a\xb1\x0f\xe3\x92\x3f\x26\x87\x71\x07\x8d\x26\x68\xbe\x7b\xd3\xeb\x94\x1d\x4b\xb5\xba\xa8\x54\x7e\x36\x28\x3a\x06\x5c"..., iov_len=3505}], 2) = 3633 [pid 3638] openat(AT_FDCWD, "/proc/thread-self/attr/exec", O_RDWR) = 5 [pid 3638] dup2(5, 4) = 4 [pid 3638] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [pid 3638] write(6, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 3638] exit_group(0) = ? [pid 3638] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3638, si_uid=0, si_status=0, si_utime=0, si_stime=15} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x55555669f620 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./2/binderfs") = 0 [ 55.471546][ T3638] REISERFS (device loop0): Using r5 hash to sort names [ 55.478751][ T3638] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./2/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555566a7660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555566a7660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file0") = 0 getdents64(3, 0x55555669f620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555669e5d0) = 3640 ./strace-static-x86_64: Process 3640 attached [pid 3640] chdir("./3") = 0 [pid 3640] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3640] setpgid(0, 0) = 0 [pid 3640] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3640] write(3, "1000", 4) = 4 [pid 3640] close(3) = 0 [pid 3640] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3640] memfd_create("syzkaller", 0) = 3 [pid 3640] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff58da00000 [pid 3640] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 3640] munmap(0x7ff58da00000, 4194304) = 0 [pid 3640] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3640] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3640] close(3) = 0 [pid 3640] mkdir("./file0", 0777) = 0 [ 55.635424][ T3640] loop0: detected capacity change from 0 to 8192 [ 55.646799][ T3640] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 55.659920][ T3640] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal [ 55.672742][ T3640] REISERFS (device loop0): using ordered data mode [ 55.679414][ T3640] reiserfs: using flush barriers [ 55.685186][ T3640] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 55.701870][ T3640] REISERFS (device loop0): checking transaction log (loop0) [pid 3640] mount("/dev/loop0", "./file0", "reiserfs", MS_DIRSYNC, "") = 0 [pid 3640] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3640] chdir("./file0") = 0 [pid 3640] ioctl(4, LOOP_CLR_FD) = 0 [pid 3640] close(4) = 0 [pid 3640] creat("./bus", 000) = 4 [pid 3640] writev(4, [{iov_base="\x14\x00\x00\x00\x24\x68\x37\xf7\x31\x99\xae\xe6\xfd\xb9\x29\x1b\x30\x91\xec\x1a\x2d\x41\xd2\x27\x97\x5a\xd8\xec\x03\x0f\x59\x19\xf3\x97\x86\x79\x97\xf9\xc0\xef\xa9\xc9\x09\x2a\x31\xcd\xbb\x98\xea\x27\x27\x87\xaf\xda\x0a\xf5\x9a\x32\x07\x09\xc3\xa5\x9e\xf0\x5c\x6f\x40\xce\xaf\xec\x53\xf4\x8d\x61\x86\xe7\xd8\x40\x9e\x35\x30\x62\x21\xca\xf6\x7b\x37\x0d\x87\x5e\xff\x31\x91\x93\x27\x28\xe5\xab\x6c\x9a"..., iov_len=128}, {iov_base="\xd1\xff\xac\xd5\x16\xde\x50\xac\x9d\x15\xbc\x75\x31\x6d\xa4\xde\xfa\x1e\x72\xf6\x5a\x65\xcd\xd2\x6d\xcc\x38\x9a\xac\xf7\x85\x6d\xa9\xae\xcf\x37\x65\xd4\xc0\x32\xe1\x96\x0f\xaf\x25\xba\xd9\x06\xb7\xd3\x44\x0b\x6e\x71\xa8\x2f\x1d\x8f\x8b\x8d\xb3\x5b\x60\x91\xf3\xaf\x94\xc6\xb4\x6b\x9a\xb1\x0f\xe3\x92\x3f\x26\x87\x71\x07\x8d\x26\x68\xbe\x7b\xd3\xeb\x94\x1d\x4b\xb5\xba\xa8\x54\x7e\x36\x28\x3a\x06\x5c"..., iov_len=3505}], 2) = 3633 [pid 3640] openat(AT_FDCWD, "/proc/thread-self/attr/exec", O_RDWR) = 5 [pid 3640] dup2(5, 4) = 4 [pid 3640] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [pid 3640] write(6, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 3640] exit_group(0) = ? [pid 3640] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3640, si_uid=0, si_status=0, si_utime=0, si_stime=14} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x55555669f620 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./3/binderfs") = 0 [ 55.748608][ T3640] REISERFS (device loop0): Using r5 hash to sort names [ 55.756426][ T3640] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./3/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555566a7660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555566a7660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file0") = 0 getdents64(3, 0x55555669f620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3642 attached [pid 3642] chdir("./4") = 0 [pid 3642] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3642] setpgid(0, 0) = 0 [pid 3642] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3642] write(3, "1000", 4) = 4 [pid 3642] close(3) = 0 [pid 3642] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3632] <... clone resumed>, child_tidptr=0x55555669e5d0) = 3642 [pid 3642] memfd_create("syzkaller", 0) = 3 [pid 3642] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff58da00000 [pid 3642] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 3642] munmap(0x7ff58da00000, 4194304) = 0 [pid 3642] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3642] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3642] close(3) = 0 [pid 3642] mkdir("./file0", 0777) = 0 [ 55.897444][ T3642] loop0: detected capacity change from 0 to 8192 [ 55.908842][ T3642] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 55.921918][ T3642] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal [ 55.931418][ T3642] REISERFS (device loop0): using ordered data mode [ 55.938172][ T3642] reiserfs: using flush barriers [ 55.943882][ T3642] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 55.960608][ T3642] REISERFS (device loop0): checking transaction log (loop0) [pid 3642] mount("/dev/loop0", "./file0", "reiserfs", MS_DIRSYNC, "") = 0 [pid 3642] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3642] chdir("./file0") = 0 [pid 3642] ioctl(4, LOOP_CLR_FD) = 0 [pid 3642] close(4) = 0 [pid 3642] creat("./bus", 000) = 4 [pid 3642] writev(4, [{iov_base="\x14\x00\x00\x00\x24\x68\x37\xf7\x31\x99\xae\xe6\xfd\xb9\x29\x1b\x30\x91\xec\x1a\x2d\x41\xd2\x27\x97\x5a\xd8\xec\x03\x0f\x59\x19\xf3\x97\x86\x79\x97\xf9\xc0\xef\xa9\xc9\x09\x2a\x31\xcd\xbb\x98\xea\x27\x27\x87\xaf\xda\x0a\xf5\x9a\x32\x07\x09\xc3\xa5\x9e\xf0\x5c\x6f\x40\xce\xaf\xec\x53\xf4\x8d\x61\x86\xe7\xd8\x40\x9e\x35\x30\x62\x21\xca\xf6\x7b\x37\x0d\x87\x5e\xff\x31\x91\x93\x27\x28\xe5\xab\x6c\x9a"..., iov_len=128}, {iov_base="\xd1\xff\xac\xd5\x16\xde\x50\xac\x9d\x15\xbc\x75\x31\x6d\xa4\xde\xfa\x1e\x72\xf6\x5a\x65\xcd\xd2\x6d\xcc\x38\x9a\xac\xf7\x85\x6d\xa9\xae\xcf\x37\x65\xd4\xc0\x32\xe1\x96\x0f\xaf\x25\xba\xd9\x06\xb7\xd3\x44\x0b\x6e\x71\xa8\x2f\x1d\x8f\x8b\x8d\xb3\x5b\x60\x91\xf3\xaf\x94\xc6\xb4\x6b\x9a\xb1\x0f\xe3\x92\x3f\x26\x87\x71\x07\x8d\x26\x68\xbe\x7b\xd3\xeb\x94\x1d\x4b\xb5\xba\xa8\x54\x7e\x36\x28\x3a\x06\x5c"..., iov_len=3505}], 2) = 3633 [pid 3642] openat(AT_FDCWD, "/proc/thread-self/attr/exec", O_RDWR) = 5 [pid 3642] dup2(5, 4) = 4 [pid 3642] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [pid 3642] write(6, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 3642] exit_group(0) = ? [pid 3642] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3642, si_uid=0, si_status=0, si_utime=0, si_stime=15} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x55555669f620 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 [ 56.008297][ T3642] REISERFS (device loop0): Using r5 hash to sort names [ 56.015902][ T3642] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. unlink("./4/binderfs") = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./4/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555566a7660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555566a7660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file0") = 0 getdents64(3, 0x55555669f620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555669e5d0) = 3644 ./strace-static-x86_64: Process 3644 attached [pid 3644] chdir("./5") = 0 [pid 3644] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3644] setpgid(0, 0) = 0 [pid 3644] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3644] write(3, "1000", 4) = 4 [pid 3644] close(3) = 0 [pid 3644] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3644] memfd_create("syzkaller", 0) = 3 [pid 3644] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff58da00000 [pid 3644] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 3644] munmap(0x7ff58da00000, 4194304) = 0 [pid 3644] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3644] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3644] close(3) = 0 [pid 3644] mkdir("./file0", 0777) = 0 [ 56.159520][ T3644] loop0: detected capacity change from 0 to 8192 [ 56.170386][ T3644] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 56.183462][ T3644] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal [ 56.192964][ T3644] REISERFS (device loop0): using ordered data mode [ 56.199567][ T3644] reiserfs: using flush barriers [ 56.205889][ T3644] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 56.222681][ T3644] REISERFS (device loop0): checking transaction log (loop0) [pid 3644] mount("/dev/loop0", "./file0", "reiserfs", MS_DIRSYNC, "") = 0 [pid 3644] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3644] chdir("./file0") = 0 [pid 3644] ioctl(4, LOOP_CLR_FD) = 0 [pid 3644] close(4) = 0 [pid 3644] creat("./bus", 000) = 4 [pid 3644] writev(4, [{iov_base="\x14\x00\x00\x00\x24\x68\x37\xf7\x31\x99\xae\xe6\xfd\xb9\x29\x1b\x30\x91\xec\x1a\x2d\x41\xd2\x27\x97\x5a\xd8\xec\x03\x0f\x59\x19\xf3\x97\x86\x79\x97\xf9\xc0\xef\xa9\xc9\x09\x2a\x31\xcd\xbb\x98\xea\x27\x27\x87\xaf\xda\x0a\xf5\x9a\x32\x07\x09\xc3\xa5\x9e\xf0\x5c\x6f\x40\xce\xaf\xec\x53\xf4\x8d\x61\x86\xe7\xd8\x40\x9e\x35\x30\x62\x21\xca\xf6\x7b\x37\x0d\x87\x5e\xff\x31\x91\x93\x27\x28\xe5\xab\x6c\x9a"..., iov_len=128}, {iov_base="\xd1\xff\xac\xd5\x16\xde\x50\xac\x9d\x15\xbc\x75\x31\x6d\xa4\xde\xfa\x1e\x72\xf6\x5a\x65\xcd\xd2\x6d\xcc\x38\x9a\xac\xf7\x85\x6d\xa9\xae\xcf\x37\x65\xd4\xc0\x32\xe1\x96\x0f\xaf\x25\xba\xd9\x06\xb7\xd3\x44\x0b\x6e\x71\xa8\x2f\x1d\x8f\x8b\x8d\xb3\x5b\x60\x91\xf3\xaf\x94\xc6\xb4\x6b\x9a\xb1\x0f\xe3\x92\x3f\x26\x87\x71\x07\x8d\x26\x68\xbe\x7b\xd3\xeb\x94\x1d\x4b\xb5\xba\xa8\x54\x7e\x36\x28\x3a\x06\x5c"..., iov_len=3505}], 2) = 3633 [pid 3644] openat(AT_FDCWD, "/proc/thread-self/attr/exec", O_RDWR) = 5 [pid 3644] dup2(5, 4) = 4 [pid 3644] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [pid 3644] write(6, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 65191) = 65191 [pid 3644] exit_group(0) = ? [pid 3644] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3644, si_uid=0, si_status=0, si_utime=0, si_stime=15} --- umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x55555669f620 /* 4 entries */, 32768) = 112 umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./5/binderfs") = 0 [ 56.270044][ T3644] REISERFS (device loop0): Using r5 hash to sort names [ 56.277536][ T3644] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./5/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x5555566a7660 /* 2 entries */, 32768) = 48 getdents64(4, 0x5555566a7660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file0") = 0 getdents64(3, 0x55555669f620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555669e5d0) = 3646 ./strace-static-x86_64: Process 3646 attached [pid 3646] chdir("./6") = 0 [pid 3646] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3646] setpgid(0, 0) = 0 [pid 3646] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3646] write(3, "1000", 4) = 4 [pid 3646] close(3) = 0 [pid 3646] symlink("/dev/binderfs", "./binderfs") = 0 [pid 3646] memfd_create("syzkaller", 0) = 3 [pid 3646] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff58da00000 [pid 3646] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 4194304) = 4194304 [pid 3646] munmap(0x7ff58da00000, 4194304) = 0 [pid 3646] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 3646] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 3646] close(3) = 0 [pid 3646] mkdir("./file0", 0777) = 0 [ 56.416410][ T3646] loop0: detected capacity change from 0 to 8192 [ 56.427560][ T3646] REISERFS warning: read_super_block: reiserfs filesystem is deprecated and scheduled to be removed from the kernel in 2025 [ 56.440622][ T3646] REISERFS (device loop0): found reiserfs format "3.6" with non-standard journal [ 56.449920][ T3646] REISERFS (device loop0): using ordered data mode [ 56.456487][ T3646] reiserfs: using flush barriers [ 56.462232][ T3646] REISERFS (device loop0): journal params: device loop0, size 512, journal first block 18, max trans len 256, max batch 225, max commit age 30, max trans age 30 [ 56.478716][ T3646] REISERFS (device loop0): checking transaction log (loop0) [pid 3646] mount("/dev/loop0", "./file0", "reiserfs", MS_DIRSYNC, "") = 0 [pid 3646] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 3646] chdir("./file0") = 0 [pid 3646] ioctl(4, LOOP_CLR_FD) = 0 [pid 3646] close(4) = 0 [pid 3646] creat("./bus", 000) = 4 [pid 3646] writev(4, [{iov_base="\x14\x00\x00\x00\x24\x68\x37\xf7\x31\x99\xae\xe6\xfd\xb9\x29\x1b\x30\x91\xec\x1a\x2d\x41\xd2\x27\x97\x5a\xd8\xec\x03\x0f\x59\x19\xf3\x97\x86\x79\x97\xf9\xc0\xef\xa9\xc9\x09\x2a\x31\xcd\xbb\x98\xea\x27\x27\x87\xaf\xda\x0a\xf5\x9a\x32\x07\x09\xc3\xa5\x9e\xf0\x5c\x6f\x40\xce\xaf\xec\x53\xf4\x8d\x61\x86\xe7\xd8\x40\x9e\x35\x30\x62\x21\xca\xf6\x7b\x37\x0d\x87\x5e\xff\x31\x91\x93\x27\x28\xe5\xab\x6c\x9a"..., iov_len=128}, {iov_base="\xd1\xff\xac\xd5\x16\xde\x50\xac\x9d\x15\xbc\x75\x31\x6d\xa4\xde\xfa\x1e\x72\xf6\x5a\x65\xcd\xd2\x6d\xcc\x38\x9a\xac\xf7\x85\x6d\xa9\xae\xcf\x37\x65\xd4\xc0\x32\xe1\x96\x0f\xaf\x25\xba\xd9\x06\xb7\xd3\x44\x0b\x6e\x71\xa8\x2f\x1d\x8f\x8b\x8d\xb3\x5b\x60\x91\xf3\xaf\x94\xc6\xb4\x6b\x9a\xb1\x0f\xe3\x92\x3f\x26\x87\x71\x07\x8d\x26\x68\xbe\x7b\xd3\xeb\x94\x1d\x4b\xb5\xba\xa8\x54\x7e\x36\x28\x3a\x06\x5c"..., iov_len=3505}], 2) = 3633 [pid 3646] openat(AT_FDCWD, "/proc/thread-self/attr/exec", O_RDWR) = 5 [pid 3646] dup2(5, 4) = 4 [pid 3646] openat(AT_FDCWD, "cgroup.controllers", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 6 [ 56.526698][ T3646] REISERFS (device loop0): Using r5 hash to sort names [ 56.533863][ T3646] REISERFS (device loop0): Created .reiserfs_priv - reserved for xattr storage. [ 56.561122][ T3646] ================================================================== [ 56.569228][ T3646] BUG: KASAN: use-after-free in leaf_paste_in_buffer+0x739/0xca0 [ 56.577072][ T3646] Read of size 80 at addr ffff88806fa50fe0 by task syz-executor881/3646 [ 56.585425][ T3646] [ 56.587744][ T3646] CPU: 1 PID: 3646 Comm: syz-executor881 Not tainted 6.1.0-rc7-syzkaller-00102-g04aa64375f48 #0 [ 56.598144][ T3646] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 56.608199][ T3646] Call Trace: [ 56.611464][ T3646] [ 56.614378][ T3646] dump_stack_lvl+0x1b1/0x28e [ 56.619062][ T3646] ? nf_tcp_handle_invalid+0x62e/0x62e [ 56.624517][ T3646] ? __wake_up_klogd+0xcd/0x100 [ 56.629452][ T3646] ? panic+0x710/0x710 [ 56.633519][ T3646] ? _printk+0xc0/0x100 [ 56.637670][ T3646] print_address_description+0x74/0x340 [ 56.643219][ T3646] print_report+0x107/0x1f0 [ 56.647713][ T3646] ? _raw_spin_lock+0x40/0x40 [ 56.652388][ T3646] ? validate_chain+0x177/0x6ae0 [ 56.657328][ T3646] ? __virt_addr_valid+0x21b/0x2d0 [ 56.662438][ T3646] ? __phys_addr+0xb5/0x160 [ 56.666935][ T3646] ? leaf_paste_in_buffer+0x739/0xca0 [ 56.672302][ T3646] kasan_report+0xcd/0x100 [ 56.676714][ T3646] ? leaf_paste_in_buffer+0x739/0xca0 [ 56.682094][ T3646] kasan_check_range+0x2a7/0x2e0 [ 56.687021][ T3646] ? leaf_paste_in_buffer+0x739/0xca0 [ 56.692389][ T3646] memcpy+0x25/0x60 [ 56.696195][ T3646] leaf_paste_in_buffer+0x739/0xca0 [ 56.701392][ T3646] leaf_copy_dir_entries+0x6e2/0xbf0 [ 56.706674][ T3646] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 56.712653][ T3646] ? leaf_item_bottle+0x19a0/0x19a0 [ 56.717849][ T3646] ? bad_range+0x88/0x2e0 [ 56.722173][ T3646] ? deref_stack_reg+0x17a/0x210 [ 56.727128][ T3646] leaf_copy_boundary_item+0xb7c/0x20f0 [ 56.732668][ T3646] ? unwind_next_frame+0x1b06/0x24c0 [ 56.737950][ T3646] leaf_move_items+0xc74/0x1330 [ 56.742816][ T3646] ? reiserfs_convert_objectid_map_v1+0x6d0/0x6d0 [ 56.749228][ T3646] ? read_lock_is_recursive+0x10/0x10 [ 56.754593][ T3646] leaf_shift_left+0xb7/0x420 [ 56.759265][ T3646] balance_leaf+0x1579/0x123a0 [ 56.764031][ T3646] ? __lock_acquire+0x1292/0x1f60 [ 56.769054][ T3646] ? do_balance+0x8d0/0x8d0 [ 56.773556][ T3646] ? rcu_read_lock_sched_held+0x87/0x110 [ 56.779184][ T3646] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 56.785246][ T3646] ? trace_raw_output_contention_end+0xd0/0xd0 [ 56.791395][ T3646] ? trace_contention_end+0x72/0x1d0 [ 56.796672][ T3646] ? __mutex_lock_common+0x45f/0x26e0 [ 56.802038][ T3646] ? write_boundary_block+0xb0/0xb0 [ 56.807238][ T3646] ? __mutex_unlock_slowpath+0x222/0x770 [ 56.812881][ T3646] ? __might_sleep+0xc0/0xc0 [ 56.817463][ T3646] ? reiserfs_write_lock_nested+0x5b/0xd0 [ 56.823175][ T3646] ? mutex_lock_io_nested+0x60/0x60 [ 56.828366][ T3646] ? get_empty_nodes+0x5a3/0xd00 [ 56.833295][ T3646] ? indirect_part_size+0x8/0x10 [ 56.838310][ T3646] ? __wake_up+0x210/0x210 [ 56.842717][ T3646] ? get_neighbors+0x1020/0x1020 [ 56.847648][ T3646] ? mutex_lock_nested+0x17/0x20 [ 56.852576][ T3646] ? reiserfs_write_lock_nested+0x5b/0xd0 [ 56.858296][ T3646] ? reiserfs_prepare_for_journal+0x239/0x250 [ 56.864361][ T3646] ? fix_nodes+0x775a/0x8920 [ 56.868953][ T3646] do_balance+0x2d6/0x8d0 [ 56.873275][ T3646] ? get_right_neighbor_position+0x200/0x200 [ 56.879247][ T3646] ? do_journal_begin_r+0xe10/0x1070 [ 56.884523][ T3646] ? reiserfs_paste_into_item+0x3f5/0x880 [ 56.890231][ T3646] reiserfs_paste_into_item+0x740/0x880 [ 56.895766][ T3646] ? __getblk_gfp+0x50/0x290 [ 56.900353][ T3646] ? reiserfs_cut_from_item+0x25d0/0x25d0 [ 56.906086][ T3646] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 56.914487][ T3646] ? __kmem_cache_alloc_node+0x211/0x310 [ 56.920116][ T3646] ? show_alloc_options+0xbd0/0xbd0 [ 56.925306][ T3646] ? journal_begin+0x1f1/0x350 [ 56.930056][ T3646] ? copy_item_head+0x1e/0x30 [ 56.934727][ T3646] reiserfs_get_block+0x223f/0x5180 [ 56.939936][ T3646] ? make_le_item_head+0x5b0/0x5b0 [ 56.945123][ T3646] ? kasan_set_track+0x52/0x60 [ 56.949883][ T3646] ? kasan_set_track+0x3d/0x60 [ 56.954634][ T3646] ? __kasan_slab_alloc+0x65/0x70 [ 56.959647][ T3646] ? kmem_cache_alloc+0x1cc/0x300 [ 56.964668][ T3646] ? alloc_buffer_head+0x20/0xf0 [ 56.969597][ T3646] ? alloc_page_buffers+0x179/0x460 [ 56.974787][ T3646] ? create_empty_buffers+0x36/0xe30 [ 56.980065][ T3646] ? create_page_buffers+0x1c8/0x4b0 [ 56.985345][ T3646] ? __block_write_begin_int+0x1e0/0x1a80 [ 56.991067][ T3646] ? reiserfs_write_begin+0x247/0x510 [ 56.996431][ T3646] ? generic_perform_write+0x2e4/0x5e0 [ 57.001882][ T3646] ? __generic_file_write_iter+0x176/0x400 [ 57.007679][ T3646] ? generic_file_write_iter+0xab/0x310 [ 57.013213][ T3646] ? vfs_write+0x7dc/0xc50 [ 57.017621][ T3646] ? ksys_write+0x177/0x2a0 [ 57.022114][ T3646] ? do_syscall_64+0x3d/0xb0 [ 57.026690][ T3646] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 57.032747][ T3646] ? mark_lock+0x9a/0x350 [ 57.037069][ T3646] ? __lock_acquire+0x1292/0x1f60 [ 57.042088][ T3646] ? perf_trace_rcu_stall_warning+0x2c2/0x2f0 [ 57.048144][ T3646] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 57.054126][ T3646] ? __lock_acquire+0x1f60/0x1f60 [ 57.059138][ T3646] ? alloc_page_buffers+0x326/0x460 [ 57.064331][ T3646] ? folio_attach_private+0xd9/0x200 [ 57.069607][ T3646] ? create_page_buffers+0x244/0x4b0 [ 57.074889][ T3646] __block_write_begin_int+0x54c/0x1a80 [ 57.080432][ T3646] ? filemap_alloc_folio+0x1ac/0x1c0 [ 57.085713][ T3646] ? make_le_item_head+0x5b0/0x5b0 [ 57.090815][ T3646] ? page_zero_new_buffers+0x940/0x940 [ 57.096267][ T3646] ? fault_in_readable+0x219/0x310 [ 57.101373][ T3646] ? __block_write_begin+0x51/0x150 [ 57.106567][ T3646] ? reiserfs_write_begin+0x180/0x510 [ 57.111929][ T3646] reiserfs_write_begin+0x247/0x510 [ 57.117124][ T3646] generic_perform_write+0x2e4/0x5e0 [ 57.122403][ T3646] ? reiserfs_write_begin+0x510/0x510 [ 57.127765][ T3646] ? generic_file_direct_write+0x610/0x610 [ 57.133562][ T3646] ? __file_remove_privs+0x6c0/0x6c0 [ 57.138838][ T3646] ? generic_write_checks+0x15c/0x1c0 [ 57.144206][ T3646] __generic_file_write_iter+0x176/0x400 [ 57.149832][ T3646] generic_file_write_iter+0xab/0x310 [ 57.155205][ T3646] vfs_write+0x7dc/0xc50 [ 57.159452][ T3646] ? file_end_write+0x230/0x230 [ 57.164299][ T3646] ? ptrace_stop+0x74d/0x970 [ 57.168883][ T3646] ? _raw_spin_unlock_irq+0x2a/0x40 [ 57.174081][ T3646] ? __fdget_pos+0x252/0x2e0 [ 57.178665][ T3646] ksys_write+0x177/0x2a0 [ 57.182989][ T3646] ? __ia32_sys_read+0x80/0x80 [ 57.187746][ T3646] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 57.193718][ T3646] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 57.199692][ T3646] do_syscall_64+0x3d/0xb0 [ 57.204097][ T3646] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 57.210005][ T3646] RIP: 0033:0x7ff595fcba39 [ 57.214414][ T3646] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 57.234041][ T3646] RSP: 002b:00007ffefc311618 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 57.243404][ T3646] RAX: ffffffffffffffda RBX: 000000000000db17 RCX: 00007ff595fcba39 [ 57.251364][ T3646] RDX: 000000000000fea7 RSI: 00000000200001c0 RDI: 0000000000000006 [ 57.259323][ T3646] RBP: 0000000000000000 R08: 00007ffefc311640 R09: 00007ffefc311640 [ 57.267282][ T3646] R10: 00007ffefc311640 R11: 0000000000000246 R12: 00007ffefc31163c [ 57.275242][ T3646] R13: 00007ffefc311670 R14: 00007ffefc311650 R15: 0000000000000006 [ 57.283218][ T3646] [ 57.286229][ T3646] [ 57.288541][ T3646] The buggy address belongs to the physical page: [ 57.294954][ T3646] page:ffffea0001be9400 refcount:6 mapcount:0 mapping:ffff88801f8128f8 index:0x214 pfn:0x6fa50 [ 57.305268][ T3646] memcg:ffff888140150000 [ 57.309492][ T3646] aops:def_blk_aops ino:700000 [ 57.314249][ T3646] flags: 0xfff00000002010(lru|private|node=0|zone=1|lastcpupid=0x7ff) [ 57.322396][ T3646] raw: 00fff00000002010 ffffea0001be9388 ffffea00007a5508 ffff88801f8128f8 [ 57.330971][ T3646] raw: 0000000000000214 ffff88807007fae0 00000006ffffffff ffff888140150000 [ 57.339536][ T3646] page dumped because: kasan: bad access detected [ 57.345929][ T3646] page_owner tracks the page as allocated [ 57.351626][ T3646] page last allocated via order 0, migratetype Movable, gfp_mask 0x148c48(GFP_NOFS|__GFP_NOFAIL|__GFP_COMP|__GFP_HARDWALL|__GFP_MOVABLE), pid 3646, tgid 3646 (syz-executor881), ts 56559691091, free_ts 56351514064 [ 57.372216][ T3646] get_page_from_freelist+0x742/0x7c0 [ 57.377671][ T3646] __alloc_pages+0x259/0x560 [ 57.382256][ T3646] folio_alloc+0x1a/0x50 [ 57.386485][ T3646] filemap_alloc_folio+0x7e/0x1c0 [ 57.391499][ T3646] __filemap_get_folio+0x898/0x1260 [ 57.396685][ T3646] pagecache_get_page+0x28/0x260 [ 57.401610][ T3646] grow_dev_page+0xba/0x920 [ 57.406100][ T3646] __getblk_gfp+0x16c/0x290 [ 57.410595][ T3646] get_empty_nodes+0x68a/0xd00 [ 57.415351][ T3646] fix_nodes+0x25e8/0x8920 [ 57.419757][ T3646] reiserfs_insert_item+0xa78/0xcb0 [ 57.424949][ T3646] reiserfs_new_inode+0x11c7/0x1cd0 [ 57.430137][ T3646] reiserfs_create+0x39a/0x660 [ 57.434901][ T3646] path_openat+0x12d0/0x2df0 [ 57.439479][ T3646] do_filp_open+0x264/0x4f0 [ 57.443969][ T3646] do_sys_openat2+0x124/0x4e0 [ 57.448636][ T3646] page last free stack trace: [ 57.453294][ T3646] free_pcp_prepare+0x80c/0x8f0 [ 57.458131][ T3646] free_unref_page_list+0xb4/0x7b0 [ 57.463235][ T3646] release_pages+0x232a/0x25c0 [ 57.467986][ T3646] __pagevec_release+0x7d/0xf0 [ 57.472738][ T3646] shmem_undo_range+0x89a/0x2260 [ 57.477664][ T3646] shmem_evict_inode+0x27f/0xab0 [ 57.482794][ T3646] evict+0x2a4/0x620 [ 57.486678][ T3646] __dentry_kill+0x3b1/0x5b0 [ 57.491270][ T3646] dentry_kill+0xbb/0x290 [ 57.495608][ T3646] dput+0x1f3/0x410 [ 57.499409][ T3646] __fput+0x5e4/0x880 [ 57.503379][ T3646] task_work_run+0x243/0x300 [ 57.507960][ T3646] ptrace_notify+0x29a/0x340 [ 57.512536][ T3646] syscall_exit_work+0x8c/0xe0 [ 57.517289][ T3646] syscall_exit_to_user_mode_prepare+0x63/0xc0 [ 57.523432][ T3646] syscall_exit_to_user_mode+0xa/0x60 [ 57.528813][ T3646] [ 57.531122][ T3646] Memory state around the buggy address: [ 57.536746][ T3646] ffff88806fa50f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 57.544812][ T3646] ffff88806fa50f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 57.552858][ T3646] >ffff88806fa51000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.560901][ T3646] ^ [ 57.564954][ T3646] ffff88806fa51080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.573000][ T3646] ffff88806fa51100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 57.581043][ T3646] ================================================================== [ 57.589640][ T3646] Kernel panic - not syncing: panic_on_warn set ... [ 57.596232][ T3646] CPU: 1 PID: 3646 Comm: syz-executor881 Not tainted 6.1.0-rc7-syzkaller-00102-g04aa64375f48 #0 [ 57.606647][ T3646] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 [ 57.616703][ T3646] Call Trace: [ 57.619978][ T3646] [ 57.622914][ T3646] dump_stack_lvl+0x1b1/0x28e [ 57.627600][ T3646] ? nf_tcp_handle_invalid+0x62e/0x62e [ 57.633133][ T3646] ? panic+0x710/0x710 [ 57.637196][ T3646] ? preempt_schedule_common+0xb7/0xe0 [ 57.642665][ T3646] ? vscnprintf+0x59/0x80 [ 57.647005][ T3646] panic+0x2d6/0x710 [ 57.650904][ T3646] ? memcpy_page_flushcache+0xfc/0xfc [ 57.656258][ T3646] ? _raw_spin_unlock_irqrestore+0x110/0x120 [ 57.662225][ T3646] ? print_report+0x1b4/0x1f0 [ 57.666898][ T3646] ? leaf_paste_in_buffer+0x739/0xca0 [ 57.672278][ T3646] end_report+0x91/0xa0 [ 57.676417][ T3646] kasan_report+0xda/0x100 [ 57.680826][ T3646] ? leaf_paste_in_buffer+0x739/0xca0 [ 57.686202][ T3646] kasan_check_range+0x2a7/0x2e0 [ 57.691125][ T3646] ? leaf_paste_in_buffer+0x739/0xca0 [ 57.696490][ T3646] memcpy+0x25/0x60 [ 57.700295][ T3646] leaf_paste_in_buffer+0x739/0xca0 [ 57.705498][ T3646] leaf_copy_dir_entries+0x6e2/0xbf0 [ 57.710787][ T3646] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 57.716782][ T3646] ? leaf_item_bottle+0x19a0/0x19a0 [ 57.721977][ T3646] ? bad_range+0x88/0x2e0 [ 57.726297][ T3646] ? deref_stack_reg+0x17a/0x210 [ 57.731226][ T3646] leaf_copy_boundary_item+0xb7c/0x20f0 [ 57.736765][ T3646] ? unwind_next_frame+0x1b06/0x24c0 [ 57.742047][ T3646] leaf_move_items+0xc74/0x1330 [ 57.746894][ T3646] ? reiserfs_convert_objectid_map_v1+0x6d0/0x6d0 [ 57.753308][ T3646] ? read_lock_is_recursive+0x10/0x10 [ 57.758674][ T3646] leaf_shift_left+0xb7/0x420 [ 57.763345][ T3646] balance_leaf+0x1579/0x123a0 [ 57.768106][ T3646] ? __lock_acquire+0x1292/0x1f60 [ 57.773159][ T3646] ? do_balance+0x8d0/0x8d0 [ 57.777727][ T3646] ? rcu_read_lock_sched_held+0x87/0x110 [ 57.783416][ T3646] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 57.789488][ T3646] ? trace_raw_output_contention_end+0xd0/0xd0 [ 57.795730][ T3646] ? trace_contention_end+0x72/0x1d0 [ 57.801006][ T3646] ? __mutex_lock_common+0x45f/0x26e0 [ 57.806375][ T3646] ? write_boundary_block+0xb0/0xb0 [ 57.811567][ T3646] ? __mutex_unlock_slowpath+0x222/0x770 [ 57.817194][ T3646] ? __might_sleep+0xc0/0xc0 [ 57.821774][ T3646] ? reiserfs_write_lock_nested+0x5b/0xd0 [ 57.827488][ T3646] ? mutex_lock_io_nested+0x60/0x60 [ 57.832676][ T3646] ? get_empty_nodes+0x5a3/0xd00 [ 57.837606][ T3646] ? indirect_part_size+0x8/0x10 [ 57.842539][ T3646] ? __wake_up+0x210/0x210 [ 57.846947][ T3646] ? get_neighbors+0x1020/0x1020 [ 57.851876][ T3646] ? mutex_lock_nested+0x17/0x20 [ 57.856805][ T3646] ? reiserfs_write_lock_nested+0x5b/0xd0 [ 57.862520][ T3646] ? reiserfs_prepare_for_journal+0x239/0x250 [ 57.868577][ T3646] ? fix_nodes+0x775a/0x8920 [ 57.873166][ T3646] do_balance+0x2d6/0x8d0 [ 57.877488][ T3646] ? get_right_neighbor_position+0x200/0x200 [ 57.883461][ T3646] ? do_journal_begin_r+0xe10/0x1070 [ 57.888737][ T3646] ? reiserfs_paste_into_item+0x3f5/0x880 [ 57.894448][ T3646] reiserfs_paste_into_item+0x740/0x880 [ 57.899987][ T3646] ? __getblk_gfp+0x50/0x290 [ 57.904578][ T3646] ? reiserfs_cut_from_item+0x25d0/0x25d0 [ 57.910312][ T3646] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 57.916285][ T3646] ? __kmem_cache_alloc_node+0x211/0x310 [ 57.921919][ T3646] ? show_alloc_options+0xbd0/0xbd0 [ 57.927110][ T3646] ? journal_begin+0x1f1/0x350 [ 57.931863][ T3646] ? copy_item_head+0x1e/0x30 [ 57.936535][ T3646] reiserfs_get_block+0x223f/0x5180 [ 57.941751][ T3646] ? make_le_item_head+0x5b0/0x5b0 [ 57.946853][ T3646] ? kasan_set_track+0x52/0x60 [ 57.951604][ T3646] ? kasan_set_track+0x3d/0x60 [ 57.956353][ T3646] ? __kasan_slab_alloc+0x65/0x70 [ 57.961368][ T3646] ? kmem_cache_alloc+0x1cc/0x300 [ 57.966384][ T3646] ? alloc_buffer_head+0x20/0xf0 [ 57.971318][ T3646] ? alloc_page_buffers+0x179/0x460 [ 57.976511][ T3646] ? create_empty_buffers+0x36/0xe30 [ 57.981787][ T3646] ? create_page_buffers+0x1c8/0x4b0 [ 57.987063][ T3646] ? __block_write_begin_int+0x1e0/0x1a80 [ 57.992801][ T3646] ? reiserfs_write_begin+0x247/0x510 [ 57.998164][ T3646] ? generic_perform_write+0x2e4/0x5e0 [ 58.003622][ T3646] ? __generic_file_write_iter+0x176/0x400 [ 58.009418][ T3646] ? generic_file_write_iter+0xab/0x310 [ 58.014954][ T3646] ? vfs_write+0x7dc/0xc50 [ 58.019366][ T3646] ? ksys_write+0x177/0x2a0 [ 58.023860][ T3646] ? do_syscall_64+0x3d/0xb0 [ 58.028437][ T3646] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 58.034496][ T3646] ? mark_lock+0x9a/0x350 [ 58.038822][ T3646] ? __lock_acquire+0x1292/0x1f60 [ 58.043847][ T3646] ? perf_trace_rcu_stall_warning+0x2c2/0x2f0 [ 58.049904][ T3646] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 58.055885][ T3646] ? __lock_acquire+0x1f60/0x1f60 [ 58.060898][ T3646] ? alloc_page_buffers+0x326/0x460 [ 58.066176][ T3646] ? folio_attach_private+0xd9/0x200 [ 58.071452][ T3646] ? create_page_buffers+0x244/0x4b0 [ 58.076738][ T3646] __block_write_begin_int+0x54c/0x1a80 [ 58.082286][ T3646] ? filemap_alloc_folio+0x1ac/0x1c0 [ 58.087656][ T3646] ? make_le_item_head+0x5b0/0x5b0 [ 58.092758][ T3646] ? page_zero_new_buffers+0x940/0x940 [ 58.098210][ T3646] ? fault_in_readable+0x219/0x310 [ 58.103316][ T3646] ? __block_write_begin+0x51/0x150 [ 58.108507][ T3646] ? reiserfs_write_begin+0x180/0x510 [ 58.113871][ T3646] reiserfs_write_begin+0x247/0x510 [ 58.119065][ T3646] generic_perform_write+0x2e4/0x5e0 [ 58.124382][ T3646] ? reiserfs_write_begin+0x510/0x510 [ 58.129746][ T3646] ? generic_file_direct_write+0x610/0x610 [ 58.135545][ T3646] ? __file_remove_privs+0x6c0/0x6c0 [ 58.140819][ T3646] ? generic_write_checks+0x15c/0x1c0 [ 58.146189][ T3646] __generic_file_write_iter+0x176/0x400 [ 58.151817][ T3646] generic_file_write_iter+0xab/0x310 [ 58.157183][ T3646] vfs_write+0x7dc/0xc50 [ 58.161421][ T3646] ? file_end_write+0x230/0x230 [ 58.166263][ T3646] ? ptrace_stop+0x74d/0x970 [ 58.170847][ T3646] ? _raw_spin_unlock_irq+0x2a/0x40 [ 58.176043][ T3646] ? __fdget_pos+0x252/0x2e0 [ 58.180629][ T3646] ksys_write+0x177/0x2a0 [ 58.184955][ T3646] ? __ia32_sys_read+0x80/0x80 [ 58.189713][ T3646] ? syscall_enter_from_user_mode+0x2e/0x1d0 [ 58.195691][ T3646] ? syscall_enter_from_user_mode+0x86/0x1d0 [ 58.201662][ T3646] do_syscall_64+0x3d/0xb0 [ 58.206069][ T3646] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 58.211958][ T3646] RIP: 0033:0x7ff595fcba39 [ 58.216363][ T3646] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 58.235959][ T3646] RSP: 002b:00007ffefc311618 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 58.244363][ T3646] RAX: ffffffffffffffda RBX: 000000000000db17 RCX: 00007ff595fcba39 [ 58.252344][ T3646] RDX: 000000000000fea7 RSI: 00000000200001c0 RDI: 0000000000000006 [ 58.260317][ T3646] RBP: 0000000000000000 R08: 00007ffefc311640 R09: 00007ffefc311640 [ 58.268284][ T3646] R10: 00007ffefc311640 R11: 0000000000000246 R12: 00007ffefc31163c [ 58.276247][ T3646] R13: 00007ffefc311670 R14: 00007ffefc311650 R15: 0000000000000006 [ 58.284216][ T3646] [ 58.287433][ T3646] Kernel Offset: disabled [ 58.291747][ T3646] Rebooting in 86400 seconds..