./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1712370905 <...> DUID 00:04:f8:32:f0:25:6b:f7:7b:d6:d2:5e:34:7f:1d:07:e3:4e forked to background, child pid 4657 [ 37.815698][ T4658] 8021q: adding VLAN 0 to HW filter on device bond0 [ 37.827859][ T4658] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.7' (ECDSA) to the list of known hosts. execve("./syz-executor1712370905", ["./syz-executor1712370905"], 0x7ffee7bee870 /* 10 vars */) = 0 brk(NULL) = 0x5555571fa000 brk(0x5555571fac40) = 0x5555571fac40 arch_prctl(ARCH_SET_FS, 0x5555571fa300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x5555571fa5d0) = 4994 set_robust_list(0x5555571fa5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f281a0dba10, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f281a0dc0e0}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f281a0dbab0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f281a0dc0e0}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1712370905", 4096) = 28 brk(0x55555721bc40) = 0x55555721bc40 brk(0x55555721c000) = 0x55555721c000 mprotect(0x7f281a1af000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3 socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 sendto(4, [{nlmsg_len=36, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=784, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=4994}, "\x01\x02\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00\x06\x00\x01\x00\x1d\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x2e\x00\x00\x00\x98\x02\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x05\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00"...], 4096, 0, NULL, NULL) = 784 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4994}, {error=0, msg={nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 access("/proc/net", R_OK) = 0 access("/proc/net/unix", R_OK) = 0 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0b\x00\x00\x00\x06\x00\x0a\x00\xa0\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4994}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x01\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4994}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 sendto(3, [{nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=0, ifi_flags=0, ifi_change=0}, [[{nla_len=11, nla_type=IFLA_IFNAME}, "lowpan0"...], [{nla_len=16, nla_type=IFLA_LINKINFO}, [{nla_len=10, nla_type=IFLA_INFO_KIND}, "lowpan"...]], [{nla_len=8, nla_type=IFLA_LINK}, 11]]], 68, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 68 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4994}, {error=0, msg={nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0c\x00\x00\x00\x06\x00\x0a\x00\xa1\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4994}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=if_nametoindex("wpan1"), ifi_flags=IFF_UP, ifi_change=0x1}, [{nla_len=12, nla_type=IFLA_ADDRESS}, 02:01:aa:aa:aa:aa:aa]], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=4994}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 close(3) = 0 close(4) = 0 getpid() = 4994 mkdir("./syzkaller.QXA9MQ", 0700) = 0 chmod("./syzkaller.QXA9MQ", 0777) = 0 chdir("./syzkaller.QXA9MQ") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 4996 ./strace-static-x86_64: Process 4996 attached [pid 4996] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 4996] chdir("./0") = 0 [pid 4996] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4996] setpgid(0, 0) = 0 [pid 4996] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 4996] write(3, "1000", 4) = 4 [pid 4996] close(3) = 0 [pid 4996] symlink("/dev/binderfs", "./binderfs") = 0 [pid 4996] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4996] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 4996] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4996] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4997], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 4997 [pid 4996] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4996] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 4997 attached [pid 4997] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 4997] memfd_create("syzkaller", 0) = 3 [pid 4997] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 syzkaller login: [ 66.472248][ T4997] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=4997 'syz-executor171' [pid 4997] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 4997] munmap(0x7f2811caa000, 16777216) = 0 [pid 4997] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4997] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4997] close(3) = 0 [pid 4997] mkdir("./file0", 0777) = 0 [ 66.735265][ T4997] loop0: detected capacity change from 0 to 32768 [ 66.751205][ T4997] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 66.759827][ T4997] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 66.773311][ T4997] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 66.782940][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 66.790041][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 4997] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 4997] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 4997] chdir("./file0") = 0 [pid 4997] ioctl(4, LOOP_CLR_FD) = 0 [pid 4997] close(4) = 0 [pid 4997] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4996] <... futex resumed>) = 0 [pid 4996] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4996] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4997] open(".", O_RDONLY) = 4 [pid 4997] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4996] <... futex resumed>) = 0 [pid 4996] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4996] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 66.830225][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 66.839953][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 66.845556][ T4997] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 66.876762][ T4997] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 66.885552][ T4997] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 66.885552][ T4997] inode = 12 2341 [ 66.885552][ T4997] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 66.904552][ T4997] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 66.913645][ T4997] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4997 [syz-executor171] iterate_dir+0x228/0x570 [pid 4997] getdents64(4, [pid 4996] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4996] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4996] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 4996] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4996] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5001], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5001 [pid 4996] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4996] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5001 attached [pid 5001] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 66.923807][ T4997] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 66.929501][ T5001] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 66.932604][ T4997] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 66.941788][ T5001] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 66.948068][ T4997] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 66.957693][ T5001] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:4997 [syz-executor171] iterate_dir+0x228/0x570 [pid 5001] open("./file0", O_RDONLY [pid 4996] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 66.965763][ T4997] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 66.966689][ T4997] gfs2: fsid=syz:syz.0: File system withdrawn [ 66.990098][ T4997] CPU: 1 PID: 4997 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 66.990262][ T5001] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5001 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 67.000198][ T4997] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 67.000214][ T4997] Call Trace: [ 67.000222][ T4997] [ 67.000231][ T4997] dump_stack_lvl+0x1e7/0x2d0 [ 67.000271][ T4997] ? nf_tcp_handle_invalid+0x650/0x650 [ 67.000305][ T4997] ? panic+0x770/0x770 [ 67.010837][ T5001] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 67.020343][ T4997] ? kobject_uevent_env+0x54e/0x8e0 [ 67.020387][ T4997] gfs2_withdraw+0xf48/0x1550 [ 67.059240][ T4997] ? gfs2_lm+0x240/0x240 [ 67.063548][ T4997] ? gfs2_dirent_scan+0xb2/0x640 [ 67.068515][ T4997] ? panic+0x770/0x770 [ 67.072628][ T4997] ? gfs2_consist_inode_i+0xf5/0x110 [ 67.077940][ T4997] gfs2_dirent_scan+0x512/0x640 [ 67.082818][ T4997] ? gfs2_dirent_scan+0x640/0x640 [ 67.087874][ T4997] gfs2_dir_read+0x82f/0x1af0 [ 67.092596][ T4997] ? inode_dio_wait+0x2ad/0x340 [ 67.097459][ T4997] ? inode_owner_or_capable+0x1c0/0x1c0 [ 67.103069][ T4997] ? gfs2_dir_hash_inval+0x80/0x80 [ 67.108206][ T4997] ? _raw_spin_unlock+0x28/0x40 [ 67.113067][ T4997] ? gfs2_glock_nq+0xcbf/0x16c0 [ 67.117950][ T4997] ? inode_go_held+0xea/0x200 [ 67.122646][ T4997] ? gfs2_glock_wait+0x21a/0x2b0 [ 67.127613][ T4997] gfs2_readdir+0x14e/0x1b0 [ 67.132139][ T4997] ? __fdget_pos+0x254/0x2f0 [ 67.136740][ T4997] ? gfs2_fallocate+0x490/0x490 [ 67.141628][ T4997] ? iterate_dir+0x228/0x570 [ 67.146271][ T4997] ? __down_read_common+0x184/0x2c0 [ 67.151491][ T4997] ? iterate_dir+0x10e/0x570 [ 67.156099][ T4997] iterate_dir+0x228/0x570 [ 67.160550][ T4997] ? gfs2_fallocate+0x490/0x490 [ 67.165420][ T4997] __se_sys_getdents64+0x20d/0x4f0 [ 67.172208][ T4997] ? _raw_spin_unlock_irq+0x2e/0x50 [ 67.177517][ T4997] ? __x64_sys_getdents64+0x80/0x80 [ 67.182765][ T4997] ? filldir+0x740/0x740 [ 67.187047][ T4997] ? syscall_enter_from_user_mode+0x32/0x230 [ 67.193047][ T4997] ? syscall_enter_from_user_mode+0x8c/0x230 [ 67.199042][ T4997] do_syscall_64+0x41/0xc0 [ 67.203515][ T4997] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 67.209419][ T4997] RIP: 0033:0x7f281a11eab9 [ 67.213850][ T4997] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 67.233554][ T4997] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 67.241982][ T4997] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 67.250003][ T4997] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 67.257986][ T4997] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 67.265982][ T4997] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 4997] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 4997] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5001] <... open resumed>) = -1 EIO (Input/output error) [pid 4997] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5001] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5001] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4996] exit_group(0 [pid 5001] <... futex resumed>) = ? [pid 4997] <... futex resumed>) = ? [pid 4996] <... exit_group resumed>) = ? [pid 5001] +++ exited with 0 +++ [pid 4997] +++ exited with 0 +++ [pid 4996] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4996, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=47 /* 0.47 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./0/binderfs") = 0 [ 67.274073][ T4997] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 67.282069][ T4997] umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5002 ./strace-static-x86_64: Process 5002 attached [pid 5002] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5002] chdir("./1") = 0 [pid 5002] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5002] setpgid(0, 0) = 0 [pid 5002] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5002] write(3, "1000", 4) = 4 [pid 5002] close(3) = 0 [pid 5002] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5002] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5002] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5002] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5002] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5003], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5003 [pid 5002] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5002] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5003 attached [pid 5003] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5003] memfd_create("syzkaller", 0) = 3 [pid 5003] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5003] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5003] munmap(0x7f2811caa000, 16777216) = 0 [pid 5003] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5003] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5003] close(3) = 0 [pid 5003] mkdir("./file0", 0777) = 0 [ 67.702412][ T5003] loop0: detected capacity change from 0 to 32768 [ 67.717160][ T5003] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 67.725545][ T5003] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 67.735632][ T5003] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 67.744439][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 67.751265][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [ 67.792343][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [pid 5003] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5003] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5003] chdir("./file0") = 0 [pid 5003] ioctl(4, LOOP_CLR_FD) = 0 [pid 5003] close(4) = 0 [pid 5003] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5002] <... futex resumed>) = 0 [pid 5003] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5002] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5003] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5003] open(".", O_RDONLY [pid 5002] <... futex resumed>) = 0 [pid 5003] <... open resumed>) = 4 [pid 5003] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5002] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5003] <... futex resumed>) = 0 [pid 5002] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5003] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 5002] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [ 67.801359][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 67.807184][ T5003] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5003] getdents64(4, [pid 5002] <... futex resumed>) = 0 [ 67.857916][ T5003] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 67.866926][ T5003] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 67.866926][ T5003] inode = 12 2341 [ 67.866926][ T5003] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 67.886048][ T5003] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 67.896491][ T5003] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5003 [syz-executor171] iterate_dir+0x228/0x570 [pid 5002] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5002] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5002] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5002] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5002] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5002] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5002] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5005], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5005 [pid 5002] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5002] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5005 attached [pid 5005] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5005] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5005] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5002] <... futex resumed>) = 0 [pid 5005] <... futex resumed>) = 1 [ 67.906594][ T5003] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 67.917216][ T5003] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 67.925011][ T5003] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 67.933936][ T5003] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 67.942008][ T5003] gfs2: fsid=syz:syz.0: File system withdrawn [ 67.948762][ T5003] CPU: 0 PID: 5003 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 67.958836][ T5003] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 67.968903][ T5003] Call Trace: [ 67.972177][ T5003] [ 67.975115][ T5003] dump_stack_lvl+0x1e7/0x2d0 [ 67.979840][ T5003] ? nf_tcp_handle_invalid+0x650/0x650 [ 67.985336][ T5003] ? panic+0x770/0x770 [ 67.989440][ T5003] ? kobject_uevent_env+0x54e/0x8e0 [ 67.994687][ T5003] gfs2_withdraw+0xf48/0x1550 [ 67.999395][ T5003] ? gfs2_lm+0x240/0x240 [ 68.003650][ T5003] ? gfs2_dirent_scan+0xb2/0x640 [ 68.008592][ T5003] ? panic+0x770/0x770 [ 68.012675][ T5003] ? gfs2_consist_inode_i+0xf5/0x110 [ 68.017979][ T5003] gfs2_dirent_scan+0x512/0x640 [ 68.022843][ T5003] ? gfs2_dirent_scan+0x640/0x640 [ 68.027881][ T5003] gfs2_dir_read+0x82f/0x1af0 [ 68.032577][ T5003] ? inode_dio_wait+0x2ad/0x340 [ 68.037476][ T5003] ? inode_owner_or_capable+0x1c0/0x1c0 [ 68.043065][ T5003] ? gfs2_dir_hash_inval+0x80/0x80 [ 68.048188][ T5003] ? _raw_spin_unlock+0x28/0x40 [ 68.053047][ T5003] ? gfs2_glock_nq+0xcbf/0x16c0 [ 68.057918][ T5003] ? inode_go_held+0xea/0x200 [ 68.062614][ T5003] ? gfs2_glock_wait+0x21a/0x2b0 [ 68.067623][ T5003] gfs2_readdir+0x14e/0x1b0 [ 68.072148][ T5003] ? __fdget_pos+0x254/0x2f0 [ 68.076748][ T5003] ? gfs2_fallocate+0x490/0x490 [ 68.081628][ T5003] ? iterate_dir+0x228/0x570 [ 68.086238][ T5003] ? __down_read_common+0x184/0x2c0 [ 68.091473][ T5003] ? iterate_dir+0x10e/0x570 [ 68.096078][ T5003] iterate_dir+0x228/0x570 [ 68.100509][ T5003] ? gfs2_fallocate+0x490/0x490 [ 68.105378][ T5003] __se_sys_getdents64+0x20d/0x4f0 [ 68.110499][ T5003] ? _raw_spin_unlock_irq+0x2e/0x50 [ 68.115737][ T5003] ? __x64_sys_getdents64+0x80/0x80 [ 68.120957][ T5003] ? filldir+0x740/0x740 [ 68.125223][ T5003] ? syscall_enter_from_user_mode+0x32/0x230 [ 68.131303][ T5003] ? syscall_enter_from_user_mode+0x8c/0x230 [ 68.137296][ T5003] do_syscall_64+0x41/0xc0 [ 68.141724][ T5003] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 68.147623][ T5003] RIP: 0033:0x7f281a11eab9 [ 68.152048][ T5003] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 68.171661][ T5003] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 68.180107][ T5003] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 68.188094][ T5003] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 68.196081][ T5003] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5005] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5003] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5003] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5003] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5002] exit_group(0 [pid 5005] <... futex resumed>) = ? [pid 5002] <... exit_group resumed>) = ? [pid 5005] +++ exited with 0 +++ [pid 5003] <... futex resumed>) = ? [pid 5003] +++ exited with 0 +++ [pid 5002] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5002, si_uid=0, si_status=0, si_utime=7 /* 0.07 s */, si_stime=31 /* 0.31 s */} --- umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./1/binderfs") = 0 [ 68.204060][ T5003] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 68.212031][ T5003] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 68.220052][ T5003] umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5006 ./strace-static-x86_64: Process 5006 attached [pid 5006] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5006] chdir("./2") = 0 [pid 5006] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5006] setpgid(0, 0) = 0 [pid 5006] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5006] write(3, "1000", 4) = 4 [pid 5006] close(3) = 0 [pid 5006] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5006] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5006] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5006] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5006] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5007 attached [pid 5007] set_robust_list(0x7f281a0ca9e0, 24 [pid 5006] <... clone resumed>, parent_tid=[5007], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5007 [pid 5006] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5006] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5007] <... set_robust_list resumed>) = 0 [pid 5007] memfd_create("syzkaller", 0) = 3 [pid 5007] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5007] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5007] munmap(0x7f2811caa000, 16777216) = 0 [pid 5007] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5007] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5007] close(3) = 0 [pid 5007] mkdir("./file0", 0777) = 0 [ 68.600913][ T5007] loop0: detected capacity change from 0 to 32768 [ 68.614230][ T5007] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 68.622439][ T5007] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 68.633186][ T5007] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 68.641895][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 68.649012][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5007] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5007] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5007] chdir("./file0") = 0 [pid 5007] ioctl(4, LOOP_CLR_FD) = 0 [pid 5007] close(4) = 0 [pid 5007] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5006] <... futex resumed>) = 0 [pid 5007] open(".", O_RDONLY [pid 5006] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5006] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5007] <... open resumed>) = 4 [pid 5007] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5006] <... futex resumed>) = 0 [pid 5006] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5007] getdents64(4, [pid 5006] <... futex resumed>) = 0 [ 68.696933][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 47ms [ 68.706128][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 68.711672][ T5007] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 68.744760][ T5007] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 68.753187][ T5007] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 68.753187][ T5007] inode = 12 2341 [ 68.753187][ T5007] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 68.771955][ T5007] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 68.781054][ T5007] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5007 [syz-executor171] iterate_dir+0x228/0x570 [pid 5006] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5006] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5006] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5006] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5006] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5009], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5009 [pid 5006] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5006] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5009 attached [pid 5009] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5009] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5009] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5006] <... futex resumed>) = 0 [pid 5009] <... futex resumed>) = 1 [ 68.791044][ T5007] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 68.799553][ T5007] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 68.806856][ T5007] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 68.815767][ T5007] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 68.822446][ T5007] gfs2: fsid=syz:syz.0: File system withdrawn [ 68.828640][ T5007] CPU: 1 PID: 5007 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 68.838734][ T5007] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 68.848795][ T5007] Call Trace: [ 68.852075][ T5007] [ 68.855013][ T5007] dump_stack_lvl+0x1e7/0x2d0 [ 68.859706][ T5007] ? nf_tcp_handle_invalid+0x650/0x650 [ 68.865181][ T5007] ? panic+0x770/0x770 [ 68.869253][ T5007] ? kobject_uevent_env+0x54e/0x8e0 [ 68.874469][ T5007] gfs2_withdraw+0xf48/0x1550 [ 68.879179][ T5007] ? gfs2_lm+0x240/0x240 [ 68.883434][ T5007] ? gfs2_dirent_scan+0xb2/0x640 [ 68.888378][ T5007] ? panic+0x770/0x770 [ 68.892458][ T5007] ? gfs2_consist_inode_i+0xf5/0x110 [ 68.897774][ T5007] gfs2_dirent_scan+0x512/0x640 [ 68.902648][ T5007] ? gfs2_dirent_scan+0x640/0x640 [ 68.907690][ T5007] gfs2_dir_read+0x82f/0x1af0 [ 68.912384][ T5007] ? inode_dio_wait+0x2ad/0x340 [ 68.917261][ T5007] ? inode_owner_or_capable+0x1c0/0x1c0 [ 68.922823][ T5007] ? gfs2_dir_hash_inval+0x80/0x80 [ 68.928036][ T5007] ? _raw_spin_unlock+0x28/0x40 [ 68.932906][ T5007] ? gfs2_glock_nq+0xcbf/0x16c0 [ 68.937788][ T5007] ? inode_go_held+0xea/0x200 [ 68.942477][ T5007] ? gfs2_glock_wait+0x21a/0x2b0 [ 68.947457][ T5007] gfs2_readdir+0x14e/0x1b0 [ 68.952014][ T5007] ? __fdget_pos+0x254/0x2f0 [ 68.956628][ T5007] ? gfs2_fallocate+0x490/0x490 [ 68.961501][ T5007] ? iterate_dir+0x228/0x570 [ 68.966108][ T5007] ? __down_read_common+0x184/0x2c0 [ 68.971319][ T5007] ? iterate_dir+0x10e/0x570 [ 68.975922][ T5007] iterate_dir+0x228/0x570 [ 68.980355][ T5007] ? gfs2_fallocate+0x490/0x490 [ 68.985229][ T5007] __se_sys_getdents64+0x20d/0x4f0 [ 68.990356][ T5007] ? _raw_spin_unlock_irq+0x2e/0x50 [ 68.995564][ T5007] ? __x64_sys_getdents64+0x80/0x80 [ 69.000768][ T5007] ? filldir+0x740/0x740 [ 69.005026][ T5007] ? syscall_enter_from_user_mode+0x32/0x230 [ 69.011054][ T5007] ? syscall_enter_from_user_mode+0x8c/0x230 [ 69.017054][ T5007] do_syscall_64+0x41/0xc0 [ 69.021487][ T5007] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 69.027409][ T5007] RIP: 0033:0x7f281a11eab9 [ 69.031853][ T5007] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 69.051499][ T5007] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 69.059935][ T5007] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 69.067919][ T5007] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 69.075894][ T5007] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 69.083885][ T5007] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5009] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5007] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5007] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5007] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5006] exit_group(0 [pid 5007] <... futex resumed>) = ? [pid 5006] <... exit_group resumed>) = ? [pid 5007] +++ exited with 0 +++ [pid 5009] <... futex resumed>) = ? [pid 5009] +++ exited with 0 +++ [pid 5006] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5006, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./2/binderfs") = 0 [ 69.091877][ T5007] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 69.099885][ T5007] umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./2/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5010 ./strace-static-x86_64: Process 5010 attached [pid 5010] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5010] chdir("./3") = 0 [pid 5010] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5010] setpgid(0, 0) = 0 [pid 5010] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5010] write(3, "1000", 4) = 4 [pid 5010] close(3) = 0 [pid 5010] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5010] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5010] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5010] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5011 attached [pid 5011] set_robust_list(0x7f281a0ca9e0, 24 [pid 5010] <... clone resumed>, parent_tid=[5011], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5011 [pid 5011] <... set_robust_list resumed>) = 0 [pid 5010] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5011] memfd_create("syzkaller", 0) = 3 [pid 5011] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5011] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5011] munmap(0x7f2811caa000, 16777216) = 0 [pid 5011] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5011] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5011] close(3) = 0 [pid 5011] mkdir("./file0", 0777) = 0 [ 69.472844][ T5011] loop0: detected capacity change from 0 to 32768 [ 69.484475][ T5011] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 69.492649][ T5011] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 69.503113][ T5011] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 69.511705][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 69.519039][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5011] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5011] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5011] chdir("./file0") = 0 [pid 5011] ioctl(4, LOOP_CLR_FD) = 0 [pid 5011] close(4) = 0 [pid 5011] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5010] <... futex resumed>) = 0 [pid 5010] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5011] open(".", O_RDONLY) = 4 [pid 5011] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5010] <... futex resumed>) = 0 [pid 5010] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 69.562126][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 69.571523][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 69.576809][ T5011] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 69.601387][ T5011] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5011] getdents64(4, [pid 5010] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5010] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5010] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5010] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5010] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5010] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5013], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5013 [pid 5010] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5013 attached [pid 5013] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 69.610341][ T5011] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 69.610341][ T5011] inode = 12 2341 [ 69.610341][ T5011] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 69.629507][ T5011] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 69.638804][ T5011] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5011 [syz-executor171] iterate_dir+0x228/0x570 [ 69.648986][ T5011] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5013] open("./file0", O_RDONLY [pid 5010] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 69.654602][ T5013] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 69.658140][ T5011] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 69.666165][ T5013] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 69.673377][ T5011] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 69.691216][ T5013] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5011 [syz-executor171] iterate_dir+0x228/0x570 [ 69.691770][ T5011] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 69.708469][ T5013] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5013 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 69.708732][ T5011] gfs2: fsid=syz:syz.0: File system withdrawn [ 69.721163][ T5013] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 69.724935][ T5011] CPU: 0 PID: 5011 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 69.743132][ T5011] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 69.753183][ T5011] Call Trace: [ 69.756464][ T5011] [ 69.759403][ T5011] dump_stack_lvl+0x1e7/0x2d0 [ 69.764125][ T5011] ? nf_tcp_handle_invalid+0x650/0x650 [ 69.769626][ T5011] ? panic+0x770/0x770 [ 69.773721][ T5011] ? kobject_uevent_env+0x54e/0x8e0 [ 69.779150][ T5011] gfs2_withdraw+0xf48/0x1550 [ 69.783858][ T5011] ? gfs2_lm+0x240/0x240 [ 69.788126][ T5011] ? gfs2_dirent_scan+0xb2/0x640 [ 69.793076][ T5011] ? panic+0x770/0x770 [ 69.797183][ T5011] ? gfs2_consist_inode_i+0xf5/0x110 [ 69.802507][ T5011] gfs2_dirent_scan+0x512/0x640 [ 69.807377][ T5011] ? gfs2_dirent_scan+0x640/0x640 [ 69.812443][ T5011] gfs2_dir_read+0x82f/0x1af0 [ 69.817131][ T5011] ? inode_dio_wait+0x2ad/0x340 [ 69.821991][ T5011] ? inode_owner_or_capable+0x1c0/0x1c0 [ 69.827566][ T5011] ? gfs2_dir_hash_inval+0x80/0x80 [ 69.832690][ T5011] ? _raw_spin_unlock+0x28/0x40 [ 69.837563][ T5011] ? gfs2_glock_nq+0xcbf/0x16c0 [ 69.842465][ T5011] ? inode_go_held+0xea/0x200 [ 69.847146][ T5011] ? gfs2_glock_wait+0x21a/0x2b0 [ 69.852099][ T5011] gfs2_readdir+0x14e/0x1b0 [ 69.856607][ T5011] ? __fdget_pos+0x254/0x2f0 [ 69.861197][ T5011] ? gfs2_fallocate+0x490/0x490 [ 69.866054][ T5011] ? iterate_dir+0x228/0x570 [ 69.870650][ T5011] ? __down_read_common+0x184/0x2c0 [ 69.875867][ T5011] ? iterate_dir+0x10e/0x570 [ 69.880474][ T5011] iterate_dir+0x228/0x570 [ 69.884896][ T5011] ? gfs2_fallocate+0x490/0x490 [ 69.889757][ T5011] __se_sys_getdents64+0x20d/0x4f0 [ 69.894880][ T5011] ? _raw_spin_unlock_irq+0x2e/0x50 [ 69.900094][ T5011] ? __x64_sys_getdents64+0x80/0x80 [ 69.905328][ T5011] ? filldir+0x740/0x740 [ 69.909597][ T5011] ? syscall_enter_from_user_mode+0x32/0x230 [ 69.915596][ T5011] ? syscall_enter_from_user_mode+0x8c/0x230 [ 69.921611][ T5011] do_syscall_64+0x41/0xc0 [ 69.926065][ T5011] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 69.931984][ T5011] RIP: 0033:0x7f281a11eab9 [ 69.936404][ T5011] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5011] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5013] <... open resumed>) = -1 EIO (Input/output error) [pid 5011] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5013] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5010] exit_group(0) = ? [pid 5013] +++ exited with 0 +++ [pid 5011] <... futex resumed>) = ? [pid 5011] +++ exited with 0 +++ [pid 5010] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5010, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=39 /* 0.39 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./3/binderfs") = 0 [ 69.956018][ T5011] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 69.964444][ T5011] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 69.972422][ T5011] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 69.980391][ T5011] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 69.988366][ T5011] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 69.996342][ T5011] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 70.004342][ T5011] umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./3/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5014 ./strace-static-x86_64: Process 5014 attached [pid 5014] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5014] chdir("./4") = 0 [pid 5014] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5014] setpgid(0, 0) = 0 [pid 5014] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5014] write(3, "1000", 4) = 4 [pid 5014] close(3) = 0 [pid 5014] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5014] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5014] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5014] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5014] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5015 attached , parent_tid=[5015], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5015 [pid 5015] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5015] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5014] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5015] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5014] <... futex resumed>) = 0 [pid 5014] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5015] memfd_create("syzkaller", 0) = 3 [pid 5015] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5015] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5015] munmap(0x7f2811caa000, 16777216) = 0 [pid 5015] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5015] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5015] close(3) = 0 [pid 5015] mkdir("./file0", 0777) = 0 [ 70.380866][ T5015] loop0: detected capacity change from 0 to 32768 [ 70.391901][ T5015] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 70.400528][ T5015] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 70.410354][ T5015] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 70.418860][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 70.425747][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5015] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5015] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5015] chdir("./file0") = 0 [pid 5015] ioctl(4, LOOP_CLR_FD) = 0 [pid 5015] close(4) = 0 [pid 5015] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5014] <... futex resumed>) = 0 [pid 5015] <... futex resumed>) = 1 [pid 5014] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5014] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5015] open(".", O_RDONLY) = 4 [pid 5015] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5014] <... futex resumed>) = 0 [pid 5014] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5014] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 70.471383][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 70.480986][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 70.486577][ T5015] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5015] getdents64(4, [pid 5014] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 70.518379][ T5015] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 70.527075][ T5015] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 70.527075][ T5015] inode = 12 2341 [ 70.527075][ T5015] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 70.546637][ T5015] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 70.555747][ T5015] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5015 [syz-executor171] iterate_dir+0x228/0x570 [pid 5014] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5014] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5014] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5014] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5017], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5017 [pid 5014] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5014] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5017 attached [pid 5017] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5017] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5017] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5014] <... futex resumed>) = 0 [pid 5017] <... futex resumed>) = 1 [ 70.565693][ T5015] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 70.574967][ T5015] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 70.582479][ T5015] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 70.591292][ T5015] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 70.599630][ T5015] gfs2: fsid=syz:syz.0: File system withdrawn [ 70.605761][ T5015] CPU: 0 PID: 5015 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 70.615832][ T5015] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 70.625882][ T5015] Call Trace: [ 70.629181][ T5015] [ 70.632211][ T5015] dump_stack_lvl+0x1e7/0x2d0 [ 70.636937][ T5015] ? nf_tcp_handle_invalid+0x650/0x650 [ 70.642411][ T5015] ? panic+0x770/0x770 [ 70.646511][ T5015] ? kobject_uevent_env+0x54e/0x8e0 [ 70.651757][ T5015] gfs2_withdraw+0xf48/0x1550 [ 70.656472][ T5015] ? gfs2_lm+0x240/0x240 [ 70.660727][ T5015] ? gfs2_dirent_scan+0xb2/0x640 [ 70.665683][ T5015] ? panic+0x770/0x770 [ 70.669770][ T5015] ? gfs2_consist_inode_i+0xf5/0x110 [ 70.675274][ T5015] gfs2_dirent_scan+0x512/0x640 [ 70.680176][ T5015] ? gfs2_dirent_scan+0x640/0x640 [ 70.685316][ T5015] gfs2_dir_read+0x82f/0x1af0 [ 70.690009][ T5015] ? inode_dio_wait+0x2ad/0x340 [ 70.694871][ T5015] ? inode_owner_or_capable+0x1c0/0x1c0 [ 70.700425][ T5015] ? gfs2_dir_hash_inval+0x80/0x80 [ 70.705556][ T5015] ? _raw_spin_unlock+0x28/0x40 [ 70.710414][ T5015] ? gfs2_glock_nq+0xcbf/0x16c0 [ 70.715291][ T5015] ? inode_go_held+0xea/0x200 [ 70.719976][ T5015] ? gfs2_glock_wait+0x21a/0x2b0 [ 70.724932][ T5015] gfs2_readdir+0x14e/0x1b0 [ 70.729442][ T5015] ? __fdget_pos+0x254/0x2f0 [ 70.734037][ T5015] ? gfs2_fallocate+0x490/0x490 [ 70.738906][ T5015] ? iterate_dir+0x228/0x570 [ 70.743509][ T5015] ? __down_read_common+0x184/0x2c0 [ 70.748720][ T5015] ? iterate_dir+0x10e/0x570 [ 70.753356][ T5015] iterate_dir+0x228/0x570 [ 70.757804][ T5015] ? gfs2_fallocate+0x490/0x490 [ 70.762670][ T5015] __se_sys_getdents64+0x20d/0x4f0 [ 70.767795][ T5015] ? _raw_spin_unlock_irq+0x2e/0x50 [ 70.773004][ T5015] ? __x64_sys_getdents64+0x80/0x80 [ 70.778211][ T5015] ? filldir+0x740/0x740 [ 70.782473][ T5015] ? syscall_enter_from_user_mode+0x32/0x230 [ 70.788468][ T5015] ? syscall_enter_from_user_mode+0x8c/0x230 [ 70.794462][ T5015] do_syscall_64+0x41/0xc0 [ 70.798913][ T5015] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 70.804821][ T5015] RIP: 0033:0x7f281a11eab9 [ 70.809244][ T5015] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 70.828847][ T5015] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 70.837259][ T5015] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 70.845242][ T5015] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 70.853232][ T5015] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 70.861205][ T5015] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5017] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5015] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5015] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5014] exit_group(0 [pid 5015] <... futex resumed>) = ? [pid 5014] <... exit_group resumed>) = ? [pid 5015] +++ exited with 0 +++ [pid 5017] <... futex resumed>) = ? [pid 5017] +++ exited with 0 +++ [pid 5014] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5014, si_uid=0, si_status=0, si_utime=0, si_stime=35 /* 0.35 s */} --- umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./4/binderfs") = 0 [ 70.869173][ T5015] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 70.877154][ T5015] umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./4/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./4/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5018 ./strace-static-x86_64: Process 5018 attached [pid 5018] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5018] chdir("./5") = 0 [pid 5018] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5018] setpgid(0, 0) = 0 [pid 5018] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5018] write(3, "1000", 4) = 4 [pid 5018] close(3) = 0 [pid 5018] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5018] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5018] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5018] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5018] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5019 attached , parent_tid=[5019], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5019 [pid 5018] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5018] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5019] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5019] memfd_create("syzkaller", 0) = 3 [pid 5019] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5019] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5019] munmap(0x7f2811caa000, 16777216) = 0 [pid 5019] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5019] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5019] close(3) = 0 [pid 5019] mkdir("./file0", 0777) = 0 [ 71.246606][ T1215] ieee802154 phy0 wpan0: encryption failed: -22 [ 71.247458][ T5019] loop0: detected capacity change from 0 to 32768 [ 71.253093][ T1215] ieee802154 phy1 wpan1: encryption failed: -22 [ 71.269174][ T5019] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 71.277681][ T5019] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 71.287127][ T5019] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 71.295852][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 71.302884][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5019] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5019] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5019] chdir("./file0") = 0 [pid 5019] ioctl(4, LOOP_CLR_FD) = 0 [pid 5019] close(4) = 0 [pid 5019] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5018] <... futex resumed>) = 0 [pid 5018] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5018] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5019] open(".", O_RDONLY) = 4 [pid 5019] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5018] <... futex resumed>) = 0 [pid 5018] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5018] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 71.352285][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 49ms [ 71.360230][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 71.366012][ T5019] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 71.389821][ T5019] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5019] getdents64(4, [pid 5018] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5018] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5018] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5018] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5018] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5021], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5021 [pid 5018] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5018] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5021 attached [pid 5021] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 71.398893][ T5019] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 71.398893][ T5019] inode = 12 2341 [ 71.398893][ T5019] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 71.418041][ T5019] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 71.427411][ T5019] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5019 [syz-executor171] iterate_dir+0x228/0x570 [ 71.437975][ T5019] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 71.449055][ T5021] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 71.449590][ T5019] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 71.457874][ T5021] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 71.464824][ T5019] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 71.474337][ T5021] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5019 [syz-executor171] iterate_dir+0x228/0x570 [ 71.482629][ T5019] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [pid 5021] open("./file0", O_RDONLY [pid 5018] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 71.493520][ T5021] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5021 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 71.499491][ T5019] gfs2: fsid=syz:syz.0: File system withdrawn [ 71.511863][ T5021] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 71.515566][ T5019] CPU: 0 PID: 5019 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 71.533754][ T5019] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 71.543811][ T5019] Call Trace: [ 71.547106][ T5019] [ 71.550046][ T5019] dump_stack_lvl+0x1e7/0x2d0 [ 71.554749][ T5019] ? nf_tcp_handle_invalid+0x650/0x650 [ 71.560230][ T5019] ? panic+0x770/0x770 [ 71.564311][ T5019] ? kobject_uevent_env+0x54e/0x8e0 [ 71.569531][ T5019] gfs2_withdraw+0xf48/0x1550 [ 71.574238][ T5019] ? gfs2_lm+0x240/0x240 [ 71.578496][ T5019] ? gfs2_dirent_scan+0xb2/0x640 [ 71.583459][ T5019] ? panic+0x770/0x770 [ 71.587562][ T5019] ? gfs2_consist_inode_i+0xf5/0x110 [ 71.592865][ T5019] gfs2_dirent_scan+0x512/0x640 [ 71.597728][ T5019] ? gfs2_dirent_scan+0x640/0x640 [ 71.602764][ T5019] gfs2_dir_read+0x82f/0x1af0 [ 71.607461][ T5019] ? inode_dio_wait+0x2ad/0x340 [ 71.612348][ T5019] ? inode_owner_or_capable+0x1c0/0x1c0 [ 71.617911][ T5019] ? gfs2_dir_hash_inval+0x80/0x80 [ 71.623044][ T5019] ? _raw_spin_unlock+0x28/0x40 [ 71.627906][ T5019] ? gfs2_glock_nq+0xcbf/0x16c0 [ 71.632805][ T5019] ? inode_go_held+0xea/0x200 [ 71.637501][ T5019] ? gfs2_glock_wait+0x21a/0x2b0 [ 71.642462][ T5019] gfs2_readdir+0x14e/0x1b0 [ 71.646986][ T5019] ? __fdget_pos+0x254/0x2f0 [ 71.651589][ T5019] ? gfs2_fallocate+0x490/0x490 [ 71.656457][ T5019] ? iterate_dir+0x228/0x570 [ 71.661068][ T5019] ? __down_read_common+0x184/0x2c0 [ 71.666280][ T5019] ? iterate_dir+0x10e/0x570 [ 71.670889][ T5019] iterate_dir+0x228/0x570 [ 71.675315][ T5019] ? gfs2_fallocate+0x490/0x490 [ 71.680181][ T5019] __se_sys_getdents64+0x20d/0x4f0 [ 71.685304][ T5019] ? _raw_spin_unlock_irq+0x2e/0x50 [ 71.690519][ T5019] ? __x64_sys_getdents64+0x80/0x80 [ 71.695728][ T5019] ? filldir+0x740/0x740 [ 71.699986][ T5019] ? syscall_enter_from_user_mode+0x32/0x230 [ 71.705990][ T5019] ? syscall_enter_from_user_mode+0x8c/0x230 [ 71.711976][ T5019] do_syscall_64+0x41/0xc0 [ 71.716408][ T5019] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 71.722311][ T5019] RIP: 0033:0x7f281a11eab9 [ 71.726747][ T5019] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5021] <... open resumed>) = -1 EIO (Input/output error) [pid 5019] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5021] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5021] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5019] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5019] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5018] exit_group(0) = ? [pid 5021] <... futex resumed>) = ? [pid 5021] +++ exited with 0 +++ [pid 5019] <... futex resumed>) = ? [pid 5019] +++ exited with 0 +++ [pid 5018] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5018, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=45 /* 0.45 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./5", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./5/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./5/binderfs") = 0 [ 71.746355][ T5019] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 71.754774][ T5019] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 71.762748][ T5019] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 71.770715][ T5019] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 71.778693][ T5019] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 71.786695][ T5019] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 71.794686][ T5019] umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./5/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./5/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5022 ./strace-static-x86_64: Process 5022 attached [pid 5022] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5022] chdir("./6") = 0 [pid 5022] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5022] setpgid(0, 0) = 0 [pid 5022] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5022] write(3, "1000", 4) = 4 [pid 5022] close(3) = 0 [pid 5022] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5022] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5022] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5022] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5022] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5023 attached , parent_tid=[5023], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5023 [pid 5023] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5022] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5022] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5023] memfd_create("syzkaller", 0) = 3 [pid 5023] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5023] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5023] munmap(0x7f2811caa000, 16777216) = 0 [pid 5023] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5023] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5023] close(3) = 0 [pid 5023] mkdir("./file0", 0777) = 0 [ 72.219115][ T5023] loop0: detected capacity change from 0 to 32768 [ 72.231664][ T5023] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 72.240430][ T5023] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 72.250737][ T5023] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 72.259842][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 72.266917][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5023] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5023] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5023] chdir("./file0") = 0 [pid 5023] ioctl(4, LOOP_CLR_FD) = 0 [pid 5023] close(4) = 0 [pid 5023] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5023] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5022] <... futex resumed>) = 0 [pid 5022] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5022] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5023] <... futex resumed>) = 0 [pid 5023] open(".", O_RDONLY) = 4 [pid 5023] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5022] <... futex resumed>) = 0 [pid 5023] <... futex resumed>) = 1 [pid 5022] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5022] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 72.307968][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 72.315562][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 72.320794][ T5023] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 72.361590][ T5023] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 72.370686][ T5023] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 72.370686][ T5023] inode = 12 2341 [ 72.370686][ T5023] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 72.389837][ T5023] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 72.399109][ T5023] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5023 [syz-executor171] iterate_dir+0x228/0x570 [pid 5023] getdents64(4, [pid 5022] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5022] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5022] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5022] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5022] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5025], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5025 [pid 5022] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5022] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5025 attached [pid 5025] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5025] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5025] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5022] <... futex resumed>) = 0 [pid 5025] <... futex resumed>) = 1 [ 72.409126][ T5023] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 72.417768][ T5023] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 72.425220][ T5023] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 72.434448][ T5023] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 72.441631][ T5023] gfs2: fsid=syz:syz.0: File system withdrawn [ 72.448081][ T5023] CPU: 0 PID: 5023 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 72.458186][ T5023] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 72.468270][ T5023] Call Trace: [ 72.471574][ T5023] [ 72.474536][ T5023] dump_stack_lvl+0x1e7/0x2d0 [ 72.479266][ T5023] ? nf_tcp_handle_invalid+0x650/0x650 [ 72.484755][ T5023] ? panic+0x770/0x770 [ 72.488835][ T5023] ? kobject_uevent_env+0x54e/0x8e0 [ 72.494068][ T5023] gfs2_withdraw+0xf48/0x1550 [ 72.498807][ T5023] ? gfs2_lm+0x240/0x240 [ 72.503058][ T5023] ? gfs2_dirent_scan+0xb2/0x640 [ 72.508000][ T5023] ? panic+0x770/0x770 [ 72.512097][ T5023] ? gfs2_consist_inode_i+0xf5/0x110 [ 72.517416][ T5023] gfs2_dirent_scan+0x512/0x640 [ 72.522275][ T5023] ? gfs2_dirent_scan+0x640/0x640 [ 72.527321][ T5023] gfs2_dir_read+0x82f/0x1af0 [ 72.532028][ T5023] ? inode_dio_wait+0x2ad/0x340 [ 72.536885][ T5023] ? inode_owner_or_capable+0x1c0/0x1c0 [ 72.542528][ T5023] ? gfs2_dir_hash_inval+0x80/0x80 [ 72.547649][ T5023] ? _raw_spin_unlock+0x28/0x40 [ 72.552505][ T5023] ? gfs2_glock_nq+0xcbf/0x16c0 [ 72.557381][ T5023] ? inode_go_held+0xea/0x200 [pid 5025] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5022] exit_group(0 [pid 5025] <... futex resumed>) = ? [pid 5022] <... exit_group resumed>) = ? [pid 5025] +++ exited with 0 +++ [ 72.562069][ T5023] ? gfs2_glock_wait+0x21a/0x2b0 [ 72.567165][ T5023] gfs2_readdir+0x14e/0x1b0 [ 72.571693][ T5023] ? __fdget_pos+0x254/0x2f0 [ 72.576305][ T5023] ? gfs2_fallocate+0x490/0x490 [ 72.581179][ T5023] ? iterate_dir+0x228/0x570 [ 72.585810][ T5023] ? __down_read_common+0x184/0x2c0 [ 72.591032][ T5023] ? iterate_dir+0x10e/0x570 [ 72.595671][ T5023] iterate_dir+0x228/0x570 [ 72.600096][ T5023] ? gfs2_fallocate+0x490/0x490 [ 72.604968][ T5023] __se_sys_getdents64+0x20d/0x4f0 [ 72.610125][ T5023] ? _raw_spin_unlock_irq+0x2e/0x50 [ 72.615336][ T5023] ? __x64_sys_getdents64+0x80/0x80 [ 72.620547][ T5023] ? filldir+0x740/0x740 [ 72.624834][ T5023] ? syscall_enter_from_user_mode+0x32/0x230 [ 72.630834][ T5023] ? syscall_enter_from_user_mode+0x8c/0x230 [ 72.636833][ T5023] do_syscall_64+0x41/0xc0 [ 72.641261][ T5023] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 72.647256][ T5023] RIP: 0033:0x7f281a11eab9 [ 72.651672][ T5023] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 72.672233][ T5023] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 72.680673][ T5023] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 72.688665][ T5023] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 72.696658][ T5023] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 72.704626][ T5023] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5023] <... getdents64 resumed> ) = ? [pid 5023] +++ exited with 0 +++ [pid 5022] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5022, si_uid=0, si_status=0, si_utime=0, si_stime=36 /* 0.36 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./6", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./6/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./6/binderfs") = 0 [ 72.712611][ T5023] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 72.720609][ T5023] umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./6/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./6/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./6/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5026 ./strace-static-x86_64: Process 5026 attached [pid 5026] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5026] chdir("./7") = 0 [pid 5026] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5026] setpgid(0, 0) = 0 [pid 5026] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5026] write(3, "1000", 4) = 4 [pid 5026] close(3) = 0 [pid 5026] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5026] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5026] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5026] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5026] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5027 attached [pid 5027] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5027] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5026] <... clone resumed>, parent_tid=[5027], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5027 [pid 5026] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5027] <... futex resumed>) = 0 [pid 5026] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5027] memfd_create("syzkaller", 0) = 3 [pid 5027] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5027] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5027] munmap(0x7f2811caa000, 16777216) = 0 [pid 5027] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5027] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5027] close(3) = 0 [pid 5027] mkdir("./file0", 0777) = 0 [ 73.078157][ T5027] loop0: detected capacity change from 0 to 32768 [ 73.089569][ T5027] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 73.097985][ T5027] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 73.107841][ T5027] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 73.116694][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 73.124315][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5027] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5027] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5027] chdir("./file0") = 0 [pid 5027] ioctl(4, LOOP_CLR_FD) = 0 [pid 5027] close(4) = 0 [pid 5027] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5026] <... futex resumed>) = 0 [pid 5027] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5026] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5027] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5026] <... futex resumed>) = 0 [pid 5027] open(".", O_RDONLY [pid 5026] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5027] <... open resumed>) = 4 [pid 5027] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5026] <... futex resumed>) = 0 [pid 5027] getdents64(4, [ 73.165066][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 73.172740][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 73.178176][ T5027] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5026] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 73.207540][ T5027] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 73.217280][ T5027] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 73.217280][ T5027] inode = 12 2341 [ 73.217280][ T5027] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 73.236395][ T5027] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 73.245658][ T5027] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5027 [syz-executor171] iterate_dir+0x228/0x570 [pid 5026] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5026] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5026] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5026] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5026] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5026] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5029], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5029 [pid 5026] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5026] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5029 attached [pid 5029] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5029] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5029] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5026] <... futex resumed>) = 0 [pid 5029] <... futex resumed>) = 1 [ 73.255893][ T5027] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 73.264552][ T5027] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 73.271776][ T5027] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 73.280678][ T5027] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 73.288138][ T5027] gfs2: fsid=syz:syz.0: File system withdrawn [ 73.294289][ T5027] CPU: 1 PID: 5027 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 73.304359][ T5027] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 73.314416][ T5027] Call Trace: [ 73.317814][ T5027] [ 73.320770][ T5027] dump_stack_lvl+0x1e7/0x2d0 [ 73.325485][ T5027] ? nf_tcp_handle_invalid+0x650/0x650 [ 73.331069][ T5027] ? panic+0x770/0x770 [ 73.335155][ T5027] ? kobject_uevent_env+0x54e/0x8e0 [ 73.340393][ T5027] gfs2_withdraw+0xf48/0x1550 [ 73.345133][ T5027] ? gfs2_lm+0x240/0x240 [ 73.349400][ T5027] ? gfs2_dirent_scan+0xb2/0x640 [ 73.354364][ T5027] ? panic+0x770/0x770 [ 73.358443][ T5027] ? gfs2_consist_inode_i+0xf5/0x110 [ 73.363759][ T5027] gfs2_dirent_scan+0x512/0x640 [ 73.368672][ T5027] ? gfs2_dirent_scan+0x640/0x640 [ 73.373747][ T5027] gfs2_dir_read+0x82f/0x1af0 [ 73.378439][ T5027] ? inode_dio_wait+0x2ad/0x340 [ 73.383321][ T5027] ? inode_owner_or_capable+0x1c0/0x1c0 [ 73.388918][ T5027] ? gfs2_dir_hash_inval+0x80/0x80 [ 73.394043][ T5027] ? _raw_spin_unlock+0x28/0x40 [ 73.398908][ T5027] ? gfs2_glock_nq+0xcbf/0x16c0 [ 73.403796][ T5027] ? inode_go_held+0xea/0x200 [ 73.408483][ T5027] ? gfs2_glock_wait+0x21a/0x2b0 [ 73.413443][ T5027] gfs2_readdir+0x14e/0x1b0 [ 73.417978][ T5027] ? __fdget_pos+0x254/0x2f0 [ 73.422574][ T5027] ? gfs2_fallocate+0x490/0x490 [ 73.427432][ T5027] ? iterate_dir+0x228/0x570 [ 73.432028][ T5027] ? __down_read_common+0x184/0x2c0 [ 73.437227][ T5027] ? iterate_dir+0x10e/0x570 [ 73.441826][ T5027] iterate_dir+0x228/0x570 [ 73.446259][ T5027] ? gfs2_fallocate+0x490/0x490 [ 73.451117][ T5027] __se_sys_getdents64+0x20d/0x4f0 [ 73.456234][ T5027] ? _raw_spin_unlock_irq+0x2e/0x50 [ 73.461450][ T5027] ? __x64_sys_getdents64+0x80/0x80 [ 73.466657][ T5027] ? filldir+0x740/0x740 [ 73.470911][ T5027] ? syscall_enter_from_user_mode+0x32/0x230 [ 73.476913][ T5027] ? syscall_enter_from_user_mode+0x8c/0x230 [ 73.482898][ T5027] do_syscall_64+0x41/0xc0 [ 73.487335][ T5027] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 73.493253][ T5027] RIP: 0033:0x7f281a11eab9 [ 73.497673][ T5027] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 73.517282][ T5027] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 73.525698][ T5027] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 73.533668][ T5027] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 73.541645][ T5027] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 73.549616][ T5027] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5029] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5027] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5027] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5026] exit_group(0 [pid 5029] <... futex resumed>) = ? [pid 5026] <... exit_group resumed>) = ? [pid 5029] +++ exited with 0 +++ [pid 5027] +++ exited with 0 +++ [pid 5026] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5026, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=36 /* 0.36 s */} --- umount2("./7", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./7/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./7/binderfs") = 0 [ 73.557615][ T5027] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 73.565604][ T5027] umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./7/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./7/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./7/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5030 ./strace-static-x86_64: Process 5030 attached [pid 5030] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5030] chdir("./8") = 0 [pid 5030] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5030] setpgid(0, 0) = 0 [pid 5030] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5030] write(3, "1000", 4) = 4 [pid 5030] close(3) = 0 [pid 5030] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5030] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5030] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5030] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5030] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5031 attached , parent_tid=[5031], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5031 [pid 5030] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5031] set_robust_list(0x7f281a0ca9e0, 24 [pid 5030] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5031] <... set_robust_list resumed>) = 0 [pid 5031] memfd_create("syzkaller", 0) = 3 [pid 5031] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5031] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5031] munmap(0x7f2811caa000, 16777216) = 0 [pid 5031] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5031] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5031] close(3) = 0 [pid 5031] mkdir("./file0", 0777) = 0 [ 73.954702][ T5031] loop0: detected capacity change from 0 to 32768 [ 73.967386][ T5031] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 73.976004][ T5031] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 73.986048][ T5031] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 73.994768][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 74.001829][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5031] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5031] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5031] chdir("./file0") = 0 [pid 5031] ioctl(4, LOOP_CLR_FD) = 0 [pid 5031] close(4) = 0 [pid 5031] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5031] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5030] <... futex resumed>) = 0 [pid 5030] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [ 74.048273][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 74.057554][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 74.062792][ T5031] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5030] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5031] <... futex resumed>) = 0 [pid 5031] open(".", O_RDONLY) = 4 [pid 5031] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5030] <... futex resumed>) = 0 [pid 5031] getdents64(4, [pid 5030] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 74.094661][ T5031] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 74.104397][ T5031] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 74.104397][ T5031] inode = 12 2341 [ 74.104397][ T5031] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 74.124116][ T5031] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 74.133473][ T5031] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5031 [syz-executor171] iterate_dir+0x228/0x570 [pid 5030] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5030] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5030] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5030] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5030] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5033], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5033 [pid 5030] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5030] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5033 attached [pid 5033] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5033] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5033] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5030] <... futex resumed>) = 0 [pid 5033] <... futex resumed>) = 1 [ 74.143743][ T5031] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 74.152295][ T5031] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 74.160229][ T5031] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 74.169400][ T5031] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 74.178258][ T5031] gfs2: fsid=syz:syz.0: File system withdrawn [ 74.184965][ T5031] CPU: 0 PID: 5031 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 74.195056][ T5031] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 74.205122][ T5031] Call Trace: [ 74.208426][ T5031] [ 74.211409][ T5031] dump_stack_lvl+0x1e7/0x2d0 [ 74.216189][ T5031] ? nf_tcp_handle_invalid+0x650/0x650 [ 74.221722][ T5031] ? panic+0x770/0x770 [ 74.225825][ T5031] ? kobject_uevent_env+0x54e/0x8e0 [ 74.231039][ T5031] gfs2_withdraw+0xf48/0x1550 [ 74.235739][ T5031] ? gfs2_lm+0x240/0x240 [ 74.239984][ T5031] ? gfs2_dirent_scan+0xb2/0x640 [ 74.244961][ T5031] ? panic+0x770/0x770 [ 74.249082][ T5031] ? gfs2_consist_inode_i+0xf5/0x110 [ 74.254407][ T5031] gfs2_dirent_scan+0x512/0x640 [ 74.259288][ T5031] ? gfs2_dirent_scan+0x640/0x640 [ 74.264338][ T5031] gfs2_dir_read+0x82f/0x1af0 [ 74.269023][ T5031] ? inode_dio_wait+0x2ad/0x340 [ 74.273902][ T5031] ? inode_owner_or_capable+0x1c0/0x1c0 [ 74.279485][ T5031] ? gfs2_dir_hash_inval+0x80/0x80 [ 74.284621][ T5031] ? _raw_spin_unlock+0x28/0x40 [ 74.289477][ T5031] ? gfs2_glock_nq+0xcbf/0x16c0 [pid 5033] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 74.294341][ T5031] ? inode_go_held+0xea/0x200 [ 74.299048][ T5031] ? gfs2_glock_wait+0x21a/0x2b0 [ 74.304013][ T5031] gfs2_readdir+0x14e/0x1b0 [ 74.308532][ T5031] ? __fdget_pos+0x254/0x2f0 [ 74.313147][ T5031] ? gfs2_fallocate+0x490/0x490 [ 74.318131][ T5031] ? iterate_dir+0x228/0x570 [ 74.322737][ T5031] ? __down_read_common+0x184/0x2c0 [ 74.327971][ T5031] ? iterate_dir+0x10e/0x570 [ 74.332608][ T5031] iterate_dir+0x228/0x570 [ 74.337034][ T5031] ? gfs2_fallocate+0x490/0x490 [ 74.341904][ T5031] __se_sys_getdents64+0x20d/0x4f0 [ 74.347047][ T5031] ? _raw_spin_unlock_irq+0x2e/0x50 [ 74.352251][ T5031] ? __x64_sys_getdents64+0x80/0x80 [ 74.357456][ T5031] ? filldir+0x740/0x740 [ 74.361759][ T5031] ? syscall_enter_from_user_mode+0x32/0x230 [ 74.367749][ T5031] ? syscall_enter_from_user_mode+0x8c/0x230 [ 74.373756][ T5031] do_syscall_64+0x41/0xc0 [ 74.378195][ T5031] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 74.384111][ T5031] RIP: 0033:0x7f281a11eab9 [ 74.388542][ T5031] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 74.408154][ T5031] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 74.416576][ T5031] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 74.424551][ T5031] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 74.432531][ T5031] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5030] exit_group(0 [pid 5033] <... futex resumed>) = ? [pid 5030] <... exit_group resumed>) = ? [pid 5033] +++ exited with 0 +++ [pid 5031] <... getdents64 resumed> ) = ? [pid 5031] +++ exited with 0 +++ [pid 5030] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5030, si_uid=0, si_status=0, si_utime=0, si_stime=38 /* 0.38 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./8", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./8/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./8/binderfs") = 0 [ 74.440510][ T5031] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 74.448483][ T5031] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 74.456467][ T5031] umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./8/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./8/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./8/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./8") = 0 mkdir("./9", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5034 ./strace-static-x86_64: Process 5034 attached [pid 5034] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5034] chdir("./9") = 0 [pid 5034] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5034] setpgid(0, 0) = 0 [pid 5034] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5034] write(3, "1000", 4) = 4 [pid 5034] close(3) = 0 [pid 5034] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5034] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5034] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5034] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5034] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5035 attached [pid 5035] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5035] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5034] <... clone resumed>, parent_tid=[5035], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5035 [pid 5034] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5035] <... futex resumed>) = 0 [pid 5034] <... futex resumed>) = 1 [pid 5034] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5035] memfd_create("syzkaller", 0) = 3 [pid 5035] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5035] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5035] munmap(0x7f2811caa000, 16777216) = 0 [pid 5035] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5035] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5035] close(3) = 0 [pid 5035] mkdir("./file0", 0777) = 0 [ 74.824523][ T5035] loop0: detected capacity change from 0 to 32768 [ 74.835119][ T5035] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 74.844220][ T5035] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 74.853063][ T5035] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 74.861848][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 74.868731][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5035] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5035] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5035] chdir("./file0") = 0 [pid 5035] ioctl(4, LOOP_CLR_FD) = 0 [pid 5035] close(4) = 0 [pid 5035] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5034] <... futex resumed>) = 0 [pid 5034] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5034] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5035] open(".", O_RDONLY) = 4 [pid 5035] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5034] <... futex resumed>) = 0 [pid 5035] getdents64(4, [ 74.911401][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 74.920485][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 74.926003][ T5035] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5034] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 74.959502][ T5035] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 74.968529][ T5035] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 74.968529][ T5035] inode = 12 2341 [ 74.968529][ T5035] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 74.988233][ T5035] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 74.997317][ T5035] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5035 [syz-executor171] iterate_dir+0x228/0x570 [pid 5034] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5034] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5034] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5034] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5034] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5037], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5037 [pid 5034] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5034] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5037 attached [pid 5037] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5037] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5037] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5034] <... futex resumed>) = 0 [pid 5037] <... futex resumed>) = 1 [ 75.007337][ T5035] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 75.015881][ T5035] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 75.023137][ T5035] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 75.032126][ T5035] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 75.042139][ T5035] gfs2: fsid=syz:syz.0: File system withdrawn [ 75.048616][ T5035] CPU: 0 PID: 5035 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 75.058731][ T5035] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 75.068806][ T5035] Call Trace: [ 75.072105][ T5035] [ 75.075053][ T5035] dump_stack_lvl+0x1e7/0x2d0 [ 75.079759][ T5035] ? nf_tcp_handle_invalid+0x650/0x650 [ 75.085249][ T5035] ? panic+0x770/0x770 [ 75.089362][ T5035] ? kobject_uevent_env+0x54e/0x8e0 [ 75.094603][ T5035] gfs2_withdraw+0xf48/0x1550 [ 75.099326][ T5035] ? gfs2_lm+0x240/0x240 [ 75.103629][ T5035] ? gfs2_dirent_scan+0xb2/0x640 [ 75.108681][ T5035] ? panic+0x770/0x770 [ 75.112788][ T5035] ? gfs2_consist_inode_i+0xf5/0x110 [ 75.118107][ T5035] gfs2_dirent_scan+0x512/0x640 [ 75.122982][ T5035] ? gfs2_dirent_scan+0x640/0x640 [ 75.128052][ T5035] gfs2_dir_read+0x82f/0x1af0 [ 75.132773][ T5035] ? inode_dio_wait+0x2ad/0x340 [ 75.137643][ T5035] ? inode_owner_or_capable+0x1c0/0x1c0 [ 75.143207][ T5035] ? gfs2_dir_hash_inval+0x80/0x80 [ 75.148348][ T5035] ? _raw_spin_unlock+0x28/0x40 [ 75.153210][ T5035] ? gfs2_glock_nq+0xcbf/0x16c0 [ 75.158094][ T5035] ? inode_go_held+0xea/0x200 [ 75.162783][ T5035] ? gfs2_glock_wait+0x21a/0x2b0 [ 75.167757][ T5035] gfs2_readdir+0x14e/0x1b0 [ 75.172297][ T5035] ? __fdget_pos+0x254/0x2f0 [ 75.176907][ T5035] ? gfs2_fallocate+0x490/0x490 [ 75.181821][ T5035] ? iterate_dir+0x228/0x570 [ 75.186542][ T5035] ? __down_read_common+0x184/0x2c0 [ 75.191758][ T5035] ? iterate_dir+0x10e/0x570 [ 75.196360][ T5035] iterate_dir+0x228/0x570 [ 75.200789][ T5035] ? gfs2_fallocate+0x490/0x490 [ 75.205661][ T5035] __se_sys_getdents64+0x20d/0x4f0 [ 75.210783][ T5035] ? _raw_spin_unlock_irq+0x2e/0x50 [ 75.215995][ T5035] ? __x64_sys_getdents64+0x80/0x80 [ 75.221217][ T5035] ? filldir+0x740/0x740 [ 75.225473][ T5035] ? syscall_enter_from_user_mode+0x32/0x230 [ 75.231462][ T5035] ? syscall_enter_from_user_mode+0x8c/0x230 [ 75.237464][ T5035] do_syscall_64+0x41/0xc0 [ 75.241924][ T5035] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 75.247827][ T5035] RIP: 0033:0x7f281a11eab9 [ 75.252262][ T5035] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 75.271875][ T5035] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 75.280293][ T5035] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 75.288275][ T5035] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 75.296250][ T5035] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5037] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5035] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5035] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5034] exit_group(0 [pid 5035] <... futex resumed>) = ? [pid 5034] <... exit_group resumed>) = ? [pid 5037] <... futex resumed>) = ? [pid 5035] +++ exited with 0 +++ [pid 5037] +++ exited with 0 +++ [pid 5034] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5034, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./9", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./9/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./9/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./9/binderfs") = 0 [ 75.304236][ T5035] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 75.312205][ T5035] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 75.320206][ T5035] umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./9/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./9/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./9/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./9") = 0 mkdir("./10", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5038 ./strace-static-x86_64: Process 5038 attached [pid 5038] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5038] chdir("./10") = 0 [pid 5038] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5038] setpgid(0, 0) = 0 [pid 5038] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5038] write(3, "1000", 4) = 4 [pid 5038] close(3) = 0 [pid 5038] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5038] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5038] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5038] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5038] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5039], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5039 [pid 5038] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5038] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5039 attached [pid 5039] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5039] memfd_create("syzkaller", 0) = 3 [pid 5039] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5039] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5039] munmap(0x7f2811caa000, 16777216) = 0 [pid 5039] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5039] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5039] close(3) = 0 [pid 5039] mkdir("./file0", 0777) = 0 [ 75.679706][ T5039] loop0: detected capacity change from 0 to 32768 [ 75.693475][ T5039] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 75.701720][ T5039] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 75.711298][ T5039] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 75.719989][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 75.726928][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5039] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5039] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5039] chdir("./file0") = 0 [pid 5039] ioctl(4, LOOP_CLR_FD) = 0 [pid 5039] close(4) = 0 [pid 5039] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5039] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5038] <... futex resumed>) = 0 [pid 5038] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5039] <... futex resumed>) = 0 [pid 5038] <... futex resumed>) = 1 [pid 5039] open(".", O_RDONLY [pid 5038] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5039] <... open resumed>) = 4 [pid 5039] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5038] <... futex resumed>) = 0 [pid 5039] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5038] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5038] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5039] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [ 75.768909][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 75.778398][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 75.784015][ T5039] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5039] getdents64(4, [pid 5038] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 75.826889][ T5039] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 75.835518][ T5039] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 75.835518][ T5039] inode = 12 2341 [ 75.835518][ T5039] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 75.854812][ T5039] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 75.864146][ T5039] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5039 [syz-executor171] iterate_dir+0x228/0x570 [pid 5038] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5038] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5038] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5038] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5041], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5041 [pid 5038] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5038] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5041 attached [ 75.874474][ T5039] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 75.883526][ T5039] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 75.891050][ T5039] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 75.900504][ T5039] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 75.907893][ T5039] gfs2: fsid=syz:syz.0: File system withdrawn [ 75.914213][ T5039] CPU: 0 PID: 5039 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [pid 5041] set_robust_list(0x7f2812ca99e0, 24 [pid 5038] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5041] <... set_robust_list resumed>) = 0 [pid 5041] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5041] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 75.924310][ T5039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 75.934367][ T5039] Call Trace: [ 75.937668][ T5039] [ 75.940630][ T5039] dump_stack_lvl+0x1e7/0x2d0 [ 75.945346][ T5039] ? nf_tcp_handle_invalid+0x650/0x650 [ 75.950836][ T5039] ? panic+0x770/0x770 [ 75.954926][ T5039] ? kobject_uevent_env+0x54e/0x8e0 [ 75.960154][ T5039] gfs2_withdraw+0xf48/0x1550 [ 75.964885][ T5039] ? gfs2_lm+0x240/0x240 [ 75.969167][ T5039] ? gfs2_dirent_scan+0xb2/0x640 [ 75.974144][ T5039] ? panic+0x770/0x770 [ 75.978266][ T5039] ? gfs2_consist_inode_i+0xf5/0x110 [ 75.983592][ T5039] gfs2_dirent_scan+0x512/0x640 [ 75.988457][ T5039] ? gfs2_dirent_scan+0x640/0x640 [ 75.993506][ T5039] gfs2_dir_read+0x82f/0x1af0 [ 75.998203][ T5039] ? inode_dio_wait+0x2ad/0x340 [ 76.003076][ T5039] ? inode_owner_or_capable+0x1c0/0x1c0 [ 76.008654][ T5039] ? gfs2_dir_hash_inval+0x80/0x80 [ 76.013793][ T5039] ? _raw_spin_unlock+0x28/0x40 [ 76.018688][ T5039] ? gfs2_glock_nq+0xcbf/0x16c0 [ 76.023586][ T5039] ? inode_go_held+0xea/0x200 [ 76.028285][ T5039] ? gfs2_glock_wait+0x21a/0x2b0 [ 76.033257][ T5039] gfs2_readdir+0x14e/0x1b0 [ 76.037821][ T5039] ? __fdget_pos+0x254/0x2f0 [ 76.042484][ T5039] ? gfs2_fallocate+0x490/0x490 [ 76.047449][ T5039] ? iterate_dir+0x228/0x570 [ 76.052065][ T5039] ? __down_read_common+0x184/0x2c0 [ 76.057307][ T5039] ? iterate_dir+0x10e/0x570 [ 76.061941][ T5039] iterate_dir+0x228/0x570 [ 76.066374][ T5039] ? gfs2_fallocate+0x490/0x490 [ 76.071255][ T5039] __se_sys_getdents64+0x20d/0x4f0 [pid 5041] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 76.076424][ T5039] ? _raw_spin_unlock_irq+0x2e/0x50 [ 76.081637][ T5039] ? __x64_sys_getdents64+0x80/0x80 [ 76.086864][ T5039] ? filldir+0x740/0x740 [ 76.091143][ T5039] ? syscall_enter_from_user_mode+0x32/0x230 [ 76.097130][ T5039] ? syscall_enter_from_user_mode+0x8c/0x230 [ 76.103142][ T5039] do_syscall_64+0x41/0xc0 [ 76.107601][ T5039] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 76.113533][ T5039] RIP: 0033:0x7f281a11eab9 [ 76.117974][ T5039] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 76.137765][ T5039] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 76.146204][ T5039] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 76.154200][ T5039] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 76.162173][ T5039] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 76.170146][ T5039] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5038] exit_group(0 [pid 5041] <... futex resumed>) = ? [pid 5038] <... exit_group resumed>) = ? [pid 5041] +++ exited with 0 +++ [pid 5039] <... getdents64 resumed> ) = ? [pid 5039] +++ exited with 0 +++ [pid 5038] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5038, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./10", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./10/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./10/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./10/binderfs") = 0 [ 76.178118][ T5039] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 76.186130][ T5039] umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./10/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./10/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./10/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./10") = 0 mkdir("./11", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5042 ./strace-static-x86_64: Process 5042 attached [pid 5042] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5042] chdir("./11") = 0 [pid 5042] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5042] setpgid(0, 0) = 0 [pid 5042] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5042] write(3, "1000", 4) = 4 [pid 5042] close(3) = 0 [pid 5042] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5042] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5042] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5042] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5042] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5043 attached , parent_tid=[5043], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5043 [pid 5043] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5042] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5042] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5043] memfd_create("syzkaller", 0) = 3 [pid 5043] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5043] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5043] munmap(0x7f2811caa000, 16777216) = 0 [pid 5043] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5043] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5043] close(3) = 0 [pid 5043] mkdir("./file0", 0777) = 0 [ 76.651958][ T5043] loop0: detected capacity change from 0 to 32768 [ 76.664198][ T5043] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 76.672783][ T5043] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 76.684293][ T5043] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 76.694053][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 76.701222][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5043] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5043] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5043] chdir("./file0") = 0 [pid 5043] ioctl(4, LOOP_CLR_FD) = 0 [pid 5043] close(4) = 0 [pid 5043] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5042] <... futex resumed>) = 0 [pid 5042] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5042] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5043] <... futex resumed>) = 1 [pid 5043] open(".", O_RDONLY) = 4 [pid 5043] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5042] <... futex resumed>) = 0 [pid 5042] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5042] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5043] <... futex resumed>) = 1 [ 76.779923][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 78ms [ 76.787918][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 76.793854][ T5043] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 76.809802][ T5043] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 76.818811][ T5043] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 76.818811][ T5043] inode = 12 2341 [pid 5043] getdents64(4, [pid 5042] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5042] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5042] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5042] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5042] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5045], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5045 [pid 5042] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 76.818811][ T5043] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 76.838752][ T5043] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 76.848618][ T5043] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5043 [syz-executor171] iterate_dir+0x228/0x570 [ 76.859423][ T5043] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 76.872314][ T5043] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5042] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5045 attached [pid 5045] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5045] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5045] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5042] <... futex resumed>) = 0 [ 76.880322][ T5043] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 76.890111][ T5043] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 76.898508][ T5043] gfs2: fsid=syz:syz.0: File system withdrawn [ 76.905554][ T5043] CPU: 0 PID: 5043 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 76.915637][ T5043] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 76.925705][ T5043] Call Trace: [ 76.928983][ T5043] [ 76.931912][ T5043] dump_stack_lvl+0x1e7/0x2d0 [ 76.936600][ T5043] ? nf_tcp_handle_invalid+0x650/0x650 [ 76.942063][ T5043] ? panic+0x770/0x770 [ 76.946157][ T5043] ? kobject_uevent_env+0x54e/0x8e0 [ 76.951406][ T5043] gfs2_withdraw+0xf48/0x1550 [ 76.956112][ T5043] ? gfs2_lm+0x240/0x240 [ 76.960369][ T5043] ? gfs2_dirent_scan+0xb2/0x640 [ 76.965330][ T5043] ? panic+0x770/0x770 [ 76.969424][ T5043] ? gfs2_consist_inode_i+0xf5/0x110 [ 76.974737][ T5043] gfs2_dirent_scan+0x512/0x640 [ 76.979610][ T5043] ? gfs2_dirent_scan+0x640/0x640 [ 76.984646][ T5043] gfs2_dir_read+0x82f/0x1af0 [ 76.989335][ T5043] ? inode_dio_wait+0x2ad/0x340 [ 76.994201][ T5043] ? inode_owner_or_capable+0x1c0/0x1c0 [ 76.999761][ T5043] ? gfs2_dir_hash_inval+0x80/0x80 [ 77.004887][ T5043] ? _raw_spin_unlock+0x28/0x40 [ 77.010089][ T5043] ? gfs2_glock_nq+0xcbf/0x16c0 [ 77.014973][ T5043] ? inode_go_held+0xea/0x200 [ 77.019658][ T5043] ? gfs2_glock_wait+0x21a/0x2b0 [ 77.024616][ T5043] gfs2_readdir+0x14e/0x1b0 [ 77.029131][ T5043] ? __fdget_pos+0x254/0x2f0 [ 77.033751][ T5043] ? gfs2_fallocate+0x490/0x490 [ 77.038629][ T5043] ? iterate_dir+0x228/0x570 [ 77.043238][ T5043] ? __down_read_common+0x184/0x2c0 [ 77.048452][ T5043] ? iterate_dir+0x10e/0x570 [ 77.053057][ T5043] iterate_dir+0x228/0x570 [ 77.057488][ T5043] ? gfs2_fallocate+0x490/0x490 [ 77.062373][ T5043] __se_sys_getdents64+0x20d/0x4f0 [ 77.067498][ T5043] ? _raw_spin_unlock_irq+0x2e/0x50 [ 77.072726][ T5043] ? __x64_sys_getdents64+0x80/0x80 [ 77.077939][ T5043] ? filldir+0x740/0x740 [ 77.082205][ T5043] ? syscall_enter_from_user_mode+0x32/0x230 [ 77.088215][ T5043] ? syscall_enter_from_user_mode+0x8c/0x230 [ 77.094231][ T5043] do_syscall_64+0x41/0xc0 [ 77.098679][ T5043] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 77.104594][ T5043] RIP: 0033:0x7f281a11eab9 [ 77.109020][ T5043] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5045] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5043] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5043] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5043] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5042] exit_group(0 [pid 5045] <... futex resumed>) = ? [pid 5043] <... futex resumed>) = ? [pid 5042] <... exit_group resumed>) = ? [pid 5045] +++ exited with 0 +++ [pid 5043] +++ exited with 0 +++ [pid 5042] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5042, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=40 /* 0.40 s */} --- umount2("./11", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./11/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./11/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./11/binderfs") = 0 [ 77.128639][ T5043] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 77.137078][ T5043] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 77.145056][ T5043] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 77.153120][ T5043] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 77.161094][ T5043] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 77.169085][ T5043] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 77.177073][ T5043] umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./11/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./11/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./11/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./11") = 0 mkdir("./12", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5046 ./strace-static-x86_64: Process 5046 attached [pid 5046] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5046] chdir("./12") = 0 [pid 5046] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5046] setpgid(0, 0) = 0 [pid 5046] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5046] write(3, "1000", 4) = 4 [pid 5046] close(3) = 0 [pid 5046] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5046] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5046] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5046] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5047 attached , parent_tid=[5047], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5047 [pid 5046] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5047] set_robust_list(0x7f281a0ca9e0, 24 [pid 5046] <... futex resumed>) = 0 [pid 5046] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5047] <... set_robust_list resumed>) = 0 [pid 5047] memfd_create("syzkaller", 0) = 3 [pid 5047] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5047] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5047] munmap(0x7f2811caa000, 16777216) = 0 [pid 5047] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5047] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5047] close(3) = 0 [pid 5047] mkdir("./file0", 0777) = 0 [ 77.559549][ T5047] loop0: detected capacity change from 0 to 32768 [ 77.571888][ T5047] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 77.580462][ T5047] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 77.590693][ T5047] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 77.599626][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 77.606671][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5047] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5047] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5047] chdir("./file0") = 0 [pid 5047] ioctl(4, LOOP_CLR_FD) = 0 [pid 5047] close(4) = 0 [pid 5047] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5046] <... futex resumed>) = 0 [pid 5046] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5047] <... futex resumed>) = 1 [pid 5047] open(".", O_RDONLY) = 4 [pid 5047] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5046] <... futex resumed>) = 0 [pid 5046] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5047] <... futex resumed>) = 1 [ 77.648615][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 77.656244][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 77.661507][ T5047] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 77.684912][ T5047] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5047] getdents64(4, [pid 5046] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5046] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5046] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5046] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5046] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5049], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5049 [pid 5046] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 77.711071][ T5047] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 77.711071][ T5047] inode = 12 2341 [ 77.711071][ T5047] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 77.730096][ T5047] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 77.739260][ T5047] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5047 [syz-executor171] iterate_dir+0x228/0x570 [ 77.750975][ T5047] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5046] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5049 attached [pid 5049] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5049] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5049] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5046] <... futex resumed>) = 0 [ 77.760155][ T5047] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 77.768122][ T5047] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 77.776945][ T5047] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 77.783649][ T5047] gfs2: fsid=syz:syz.0: File system withdrawn [ 77.790415][ T5047] CPU: 0 PID: 5047 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 77.800517][ T5047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 77.810676][ T5047] Call Trace: [ 77.813992][ T5047] [ 77.816932][ T5047] dump_stack_lvl+0x1e7/0x2d0 [ 77.821627][ T5047] ? nf_tcp_handle_invalid+0x650/0x650 [ 77.827092][ T5047] ? panic+0x770/0x770 [ 77.831173][ T5047] ? kobject_uevent_env+0x54e/0x8e0 [ 77.836422][ T5047] gfs2_withdraw+0xf48/0x1550 [ 77.841134][ T5047] ? gfs2_lm+0x240/0x240 [ 77.845428][ T5047] ? gfs2_dirent_scan+0xb2/0x640 [ 77.850386][ T5047] ? panic+0x770/0x770 [ 77.854466][ T5047] ? gfs2_consist_inode_i+0xf5/0x110 [ 77.859767][ T5047] gfs2_dirent_scan+0x512/0x640 [ 77.864636][ T5047] ? gfs2_dirent_scan+0x640/0x640 [ 77.869668][ T5047] gfs2_dir_read+0x82f/0x1af0 [ 77.874358][ T5047] ? inode_dio_wait+0x2ad/0x340 [ 77.879219][ T5047] ? inode_owner_or_capable+0x1c0/0x1c0 [ 77.884873][ T5047] ? gfs2_dir_hash_inval+0x80/0x80 [ 77.889993][ T5047] ? _raw_spin_unlock+0x28/0x40 [ 77.894846][ T5047] ? gfs2_glock_nq+0xcbf/0x16c0 [ 77.899713][ T5047] ? inode_go_held+0xea/0x200 [ 77.904405][ T5047] ? gfs2_glock_wait+0x21a/0x2b0 [ 77.909370][ T5047] gfs2_readdir+0x14e/0x1b0 [ 77.913880][ T5047] ? __fdget_pos+0x254/0x2f0 [ 77.918509][ T5047] ? gfs2_fallocate+0x490/0x490 [ 77.923392][ T5047] ? iterate_dir+0x228/0x570 [ 77.928000][ T5047] ? __down_read_common+0x184/0x2c0 [ 77.933219][ T5047] ? iterate_dir+0x10e/0x570 [ 77.937829][ T5047] iterate_dir+0x228/0x570 [ 77.942272][ T5047] ? gfs2_fallocate+0x490/0x490 [ 77.947138][ T5047] __se_sys_getdents64+0x20d/0x4f0 [ 77.952273][ T5047] ? _raw_spin_unlock_irq+0x2e/0x50 [ 77.957491][ T5047] ? __x64_sys_getdents64+0x80/0x80 [ 77.962730][ T5047] ? filldir+0x740/0x740 [ 77.966995][ T5047] ? syscall_enter_from_user_mode+0x32/0x230 [ 77.973004][ T5047] ? syscall_enter_from_user_mode+0x8c/0x230 [ 77.978999][ T5047] do_syscall_64+0x41/0xc0 [ 77.983435][ T5047] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 77.989331][ T5047] RIP: 0033:0x7f281a11eab9 [ 77.993746][ T5047] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 78.013355][ T5047] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 78.021783][ T5047] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 78.029759][ T5047] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 78.037732][ T5047] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 78.045714][ T5047] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 78.053689][ T5047] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [pid 5049] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5047] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5047] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5047] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5046] exit_group(0 [pid 5049] <... futex resumed>) = ? [pid 5047] <... futex resumed>) = ? [pid 5046] <... exit_group resumed>) = ? [pid 5047] +++ exited with 0 +++ [pid 5049] +++ exited with 0 +++ [pid 5046] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5046, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./12", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./12/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./12/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./12/binderfs") = 0 [ 78.061681][ T5047] umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./12/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./12/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./12/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./12/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./12") = 0 mkdir("./13", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5050 ./strace-static-x86_64: Process 5050 attached [pid 5050] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5050] chdir("./13") = 0 [pid 5050] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5050] setpgid(0, 0) = 0 [pid 5050] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5050] write(3, "1000", 4) = 4 [pid 5050] close(3) = 0 [pid 5050] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5050] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5050] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5050] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5050] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5051], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5051 ./strace-static-x86_64: Process 5051 attached [pid 5051] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5051] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5050] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5051] <... futex resumed>) = 0 [pid 5050] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5051] memfd_create("syzkaller", 0) = 3 [pid 5051] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5051] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5051] munmap(0x7f2811caa000, 16777216) = 0 [pid 5051] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5051] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5051] close(3) = 0 [pid 5051] mkdir("./file0", 0777) = 0 [ 78.453959][ T5051] loop0: detected capacity change from 0 to 32768 [ 78.466725][ T5051] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 78.474978][ T5051] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 78.484754][ T5051] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 78.493336][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 78.500193][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5051] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5051] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5051] chdir("./file0") = 0 [pid 5051] ioctl(4, LOOP_CLR_FD) = 0 [pid 5051] close(4) = 0 [pid 5051] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5051] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5050] <... futex resumed>) = 0 [pid 5050] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5050] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5051] <... futex resumed>) = 0 [pid 5051] open(".", O_RDONLY) = 4 [pid 5051] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5050] <... futex resumed>) = 0 [pid 5050] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5050] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5051] <... futex resumed>) = 1 [ 78.542106][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 78.551260][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 78.556597][ T5051] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 78.592236][ T5051] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 78.601014][ T5051] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 78.601014][ T5051] inode = 12 2341 [ 78.601014][ T5051] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 78.619977][ T5051] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 78.629775][ T5051] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5051 [syz-executor171] iterate_dir+0x228/0x570 [pid 5051] getdents64(4, [pid 5050] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5050] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5050] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [ 78.639830][ T5051] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 78.648422][ T5051] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 78.656063][ T5051] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 78.665273][ T5051] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 78.672762][ T5051] gfs2: fsid=syz:syz.0: File system withdrawn [ 78.679235][ T5051] CPU: 0 PID: 5051 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 78.689339][ T5051] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 78.699412][ T5051] Call Trace: [ 78.702715][ T5051] [ 78.705670][ T5051] dump_stack_lvl+0x1e7/0x2d0 [ 78.710387][ T5051] ? nf_tcp_handle_invalid+0x650/0x650 [ 78.715882][ T5051] ? panic+0x770/0x770 [ 78.719970][ T5051] ? kobject_uevent_env+0x54e/0x8e0 [ 78.725184][ T5051] gfs2_withdraw+0xf48/0x1550 [ 78.729884][ T5051] ? gfs2_lm+0x240/0x240 [ 78.734157][ T5051] ? gfs2_dirent_scan+0xb2/0x640 [pid 5050] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5050] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5053], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5053 [pid 5050] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 78.739112][ T5051] ? panic+0x770/0x770 [ 78.743224][ T5051] ? gfs2_consist_inode_i+0xf5/0x110 [ 78.748544][ T5051] gfs2_dirent_scan+0x512/0x640 [ 78.753451][ T5051] ? gfs2_dirent_scan+0x640/0x640 [ 78.758486][ T5051] gfs2_dir_read+0x82f/0x1af0 [ 78.763198][ T5051] ? inode_dio_wait+0x2ad/0x340 [ 78.768083][ T5051] ? inode_owner_or_capable+0x1c0/0x1c0 [ 78.773659][ T5051] ? gfs2_dir_hash_inval+0x80/0x80 [ 78.778809][ T5051] ? _raw_spin_unlock+0x28/0x40 [ 78.783674][ T5051] ? gfs2_glock_nq+0xcbf/0x16c0 [pid 5050] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5053 attached [pid 5053] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 78.788768][ T5051] ? inode_go_held+0xea/0x200 [ 78.793455][ T5051] ? gfs2_glock_wait+0x21a/0x2b0 [ 78.798419][ T5051] gfs2_readdir+0x14e/0x1b0 [ 78.802931][ T5051] ? __fdget_pos+0x254/0x2f0 [ 78.807556][ T5051] ? gfs2_fallocate+0x490/0x490 [ 78.812425][ T5051] ? iterate_dir+0x228/0x570 [ 78.817030][ T5051] ? __down_read_common+0x184/0x2c0 [ 78.822250][ T5051] ? iterate_dir+0x10e/0x570 [ 78.826857][ T5051] iterate_dir+0x228/0x570 [ 78.831309][ T5051] ? gfs2_fallocate+0x490/0x490 [ 78.836167][ T5051] __se_sys_getdents64+0x20d/0x4f0 [pid 5053] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5053] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5050] <... futex resumed>) = 0 [ 78.841282][ T5051] ? _raw_spin_unlock_irq+0x2e/0x50 [ 78.846509][ T5051] ? __x64_sys_getdents64+0x80/0x80 [ 78.851753][ T5051] ? filldir+0x740/0x740 [ 78.856007][ T5051] ? syscall_enter_from_user_mode+0x32/0x230 [ 78.862018][ T5051] ? syscall_enter_from_user_mode+0x8c/0x230 [ 78.868046][ T5051] do_syscall_64+0x41/0xc0 [ 78.872509][ T5051] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 78.878422][ T5051] RIP: 0033:0x7f281a11eab9 [ 78.882841][ T5051] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 78.902447][ T5051] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 78.910868][ T5051] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 78.918851][ T5051] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 78.926828][ T5051] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 78.934810][ T5051] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5053] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5051] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5050] exit_group(0 [pid 5051] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5051] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL) = ? [pid 5050] <... exit_group resumed>) = ? [pid 5053] <... futex resumed>) = ? [pid 5051] +++ exited with 0 +++ [pid 5053] +++ exited with 0 +++ [pid 5050] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5050, si_uid=0, si_status=0, si_utime=0, si_stime=34 /* 0.34 s */} --- umount2("./13", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./13/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./13/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./13/binderfs") = 0 [ 78.942814][ T5051] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 78.950923][ T5051] umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./13/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./13/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./13/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./13/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./13") = 0 mkdir("./14", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5054 ./strace-static-x86_64: Process 5054 attached [pid 5054] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5054] chdir("./14") = 0 [pid 5054] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5054] setpgid(0, 0) = 0 [pid 5054] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5054] write(3, "1000", 4) = 4 [pid 5054] close(3) = 0 [pid 5054] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5054] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5054] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5054] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5055], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5055 ./strace-static-x86_64: Process 5055 attached [pid 5054] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5055] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5055] memfd_create("syzkaller", 0) = 3 [pid 5055] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5055] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5055] munmap(0x7f2811caa000, 16777216) = 0 [pid 5055] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5055] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5055] close(3) = 0 [pid 5055] mkdir("./file0", 0777) = 0 [ 79.375802][ T5055] loop0: detected capacity change from 0 to 32768 [ 79.389680][ T5055] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 79.404644][ T5055] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 79.414321][ T5055] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 79.426986][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 79.433885][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5055] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5055] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5055] chdir("./file0") = 0 [pid 5055] ioctl(4, LOOP_CLR_FD) = 0 [pid 5055] close(4) = 0 [pid 5055] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5054] <... futex resumed>) = 0 [pid 5054] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5055] <... futex resumed>) = 1 [pid 5055] open(".", O_RDONLY) = 4 [pid 5055] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5054] <... futex resumed>) = 0 [pid 5054] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5055] <... futex resumed>) = 1 [pid 5054] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 79.482927][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 49ms [ 79.492118][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 79.497483][ T5055] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 79.514318][ T5055] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 79.522800][ T5055] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5055] getdents64(4, [pid 5054] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 79.522800][ T5055] inode = 12 2341 [ 79.522800][ T5055] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 79.541723][ T5055] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 79.551063][ T5055] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5055 [syz-executor171] iterate_dir+0x228/0x570 [ 79.561064][ T5055] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 79.569659][ T5055] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5054] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5054] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5054] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5057], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5057 [pid 5054] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5054] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5057 attached [pid 5057] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5057] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5057] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5054] <... futex resumed>) = 0 [ 79.577215][ T5055] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 79.586239][ T5055] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 79.592943][ T5055] gfs2: fsid=syz:syz.0: File system withdrawn [ 79.599681][ T5055] CPU: 0 PID: 5055 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 79.609855][ T5055] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 79.619908][ T5055] Call Trace: [ 79.623186][ T5055] [ 79.626135][ T5055] dump_stack_lvl+0x1e7/0x2d0 [ 79.630870][ T5055] ? nf_tcp_handle_invalid+0x650/0x650 [ 79.636361][ T5055] ? panic+0x770/0x770 [ 79.640456][ T5055] ? kobject_uevent_env+0x54e/0x8e0 [ 79.645693][ T5055] gfs2_withdraw+0xf48/0x1550 [ 79.650408][ T5055] ? gfs2_lm+0x240/0x240 [ 79.654663][ T5055] ? gfs2_dirent_scan+0xb2/0x640 [ 79.659630][ T5055] ? panic+0x770/0x770 [ 79.663745][ T5055] ? gfs2_consist_inode_i+0xf5/0x110 [ 79.669075][ T5055] gfs2_dirent_scan+0x512/0x640 [ 79.673958][ T5055] ? gfs2_dirent_scan+0x640/0x640 [ 79.679036][ T5055] gfs2_dir_read+0x82f/0x1af0 [ 79.683733][ T5055] ? inode_dio_wait+0x2ad/0x340 [ 79.688608][ T5055] ? inode_owner_or_capable+0x1c0/0x1c0 [ 79.694211][ T5055] ? gfs2_dir_hash_inval+0x80/0x80 [ 79.699350][ T5055] ? _raw_spin_unlock+0x28/0x40 [ 79.704212][ T5055] ? gfs2_glock_nq+0xcbf/0x16c0 [ 79.709096][ T5055] ? inode_go_held+0xea/0x200 [ 79.713793][ T5055] ? gfs2_glock_wait+0x21a/0x2b0 [ 79.718784][ T5055] gfs2_readdir+0x14e/0x1b0 [ 79.723329][ T5055] ? __fdget_pos+0x254/0x2f0 [ 79.727952][ T5055] ? gfs2_fallocate+0x490/0x490 [pid 5057] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5054] exit_group(0 [pid 5057] <... futex resumed>) = ? [pid 5054] <... exit_group resumed>) = ? [pid 5057] +++ exited with 0 +++ [ 79.732841][ T5055] ? iterate_dir+0x228/0x570 [ 79.737440][ T5055] ? __down_read_common+0x184/0x2c0 [ 79.742655][ T5055] ? iterate_dir+0x10e/0x570 [ 79.747271][ T5055] iterate_dir+0x228/0x570 [ 79.751716][ T5055] ? gfs2_fallocate+0x490/0x490 [ 79.756590][ T5055] __se_sys_getdents64+0x20d/0x4f0 [ 79.761746][ T5055] ? _raw_spin_unlock_irq+0x2e/0x50 [ 79.766958][ T5055] ? __x64_sys_getdents64+0x80/0x80 [ 79.772193][ T5055] ? filldir+0x740/0x740 [ 79.776483][ T5055] ? syscall_enter_from_user_mode+0x32/0x230 [ 79.782474][ T5055] ? syscall_enter_from_user_mode+0x8c/0x230 [ 79.788482][ T5055] do_syscall_64+0x41/0xc0 [ 79.792933][ T5055] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 79.798833][ T5055] RIP: 0033:0x7f281a11eab9 [ 79.803257][ T5055] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 79.822881][ T5055] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5055] <... getdents64 resumed> ) = ? [pid 5055] +++ exited with 0 +++ [pid 5054] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5054, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- umount2("./14", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./14/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./14/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./14/binderfs") = 0 [ 79.831300][ T5055] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 79.839290][ T5055] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 79.847278][ T5055] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 79.855252][ T5055] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 79.863325][ T5055] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 79.871326][ T5055] umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./14/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./14/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./14/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./14/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./14") = 0 mkdir("./15", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5058 ./strace-static-x86_64: Process 5058 attached [pid 5058] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5058] chdir("./15") = 0 [pid 5058] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5058] setpgid(0, 0) = 0 [pid 5058] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5058] write(3, "1000", 4) = 4 [pid 5058] close(3) = 0 [pid 5058] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5058] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5058] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5058] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5058] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5059 attached [pid 5059] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5059] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5058] <... clone resumed>, parent_tid=[5059], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5059 [pid 5058] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5059] <... futex resumed>) = 0 [pid 5058] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5059] memfd_create("syzkaller", 0) = 3 [pid 5059] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5059] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5059] munmap(0x7f2811caa000, 16777216) = 0 [pid 5059] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5059] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5059] close(3) = 0 [pid 5059] mkdir("./file0", 0777) = 0 [ 80.257963][ T5059] loop0: detected capacity change from 0 to 32768 [ 80.269541][ T5059] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 80.277815][ T5059] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 80.287860][ T5059] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 80.296941][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 80.303879][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5059] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5059] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5059] chdir("./file0") = 0 [pid 5059] ioctl(4, LOOP_CLR_FD) = 0 [pid 5059] close(4) = 0 [pid 5059] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5058] <... futex resumed>) = 0 [pid 5059] open(".", O_RDONLY [pid 5058] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5058] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5059] <... open resumed>) = 4 [pid 5059] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5058] <... futex resumed>) = 0 [pid 5059] getdents64(4, [pid 5058] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 80.354090][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 50ms [ 80.361592][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 80.366944][ T5059] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 80.391936][ T5059] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5058] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5058] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5058] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5058] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5058] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5061], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5061 [pid 5058] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5058] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5061 attached [pid 5061] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5061] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5061] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5058] <... futex resumed>) = 0 [ 80.404403][ T5059] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 80.404403][ T5059] inode = 12 2341 [ 80.404403][ T5059] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 80.423760][ T5059] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 80.432828][ T5059] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5059 [syz-executor171] iterate_dir+0x228/0x570 [ 80.443162][ T5059] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5061] <... futex resumed>) = 1 [ 80.451899][ T5059] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 80.459413][ T5059] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 80.468404][ T5059] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 80.475215][ T5059] gfs2: fsid=syz:syz.0: File system withdrawn [ 80.481302][ T5059] CPU: 1 PID: 5059 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 80.491366][ T5059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 80.501422][ T5059] Call Trace: [ 80.504701][ T5059] [ 80.507643][ T5059] dump_stack_lvl+0x1e7/0x2d0 [ 80.512344][ T5059] ? nf_tcp_handle_invalid+0x650/0x650 [ 80.517830][ T5059] ? panic+0x770/0x770 [ 80.521933][ T5059] ? kobject_uevent_env+0x54e/0x8e0 [ 80.527143][ T5059] gfs2_withdraw+0xf48/0x1550 [ 80.531838][ T5059] ? gfs2_lm+0x240/0x240 [ 80.536209][ T5059] ? gfs2_dirent_scan+0xb2/0x640 [ 80.541152][ T5059] ? panic+0x770/0x770 [ 80.545231][ T5059] ? gfs2_consist_inode_i+0xf5/0x110 [ 80.550526][ T5059] gfs2_dirent_scan+0x512/0x640 [ 80.555382][ T5059] ? gfs2_dirent_scan+0x640/0x640 [ 80.560413][ T5059] gfs2_dir_read+0x82f/0x1af0 [ 80.565120][ T5059] ? inode_dio_wait+0x2ad/0x340 [ 80.569982][ T5059] ? inode_owner_or_capable+0x1c0/0x1c0 [ 80.575558][ T5059] ? gfs2_dir_hash_inval+0x80/0x80 [ 80.580678][ T5059] ? _raw_spin_unlock+0x28/0x40 [ 80.585532][ T5059] ? gfs2_glock_nq+0xcbf/0x16c0 [ 80.590394][ T5059] ? inode_go_held+0xea/0x200 [ 80.595088][ T5059] ? gfs2_glock_wait+0x21a/0x2b0 [ 80.600030][ T5059] gfs2_readdir+0x14e/0x1b0 [ 80.604534][ T5059] ? __fdget_pos+0x254/0x2f0 [ 80.609130][ T5059] ? gfs2_fallocate+0x490/0x490 [ 80.613995][ T5059] ? iterate_dir+0x228/0x570 [ 80.618604][ T5059] ? __down_read_common+0x184/0x2c0 [ 80.623813][ T5059] ? iterate_dir+0x10e/0x570 [ 80.628413][ T5059] iterate_dir+0x228/0x570 [ 80.632844][ T5059] ? gfs2_fallocate+0x490/0x490 [ 80.637707][ T5059] __se_sys_getdents64+0x20d/0x4f0 [ 80.642847][ T5059] ? _raw_spin_unlock_irq+0x2e/0x50 [ 80.648071][ T5059] ? __x64_sys_getdents64+0x80/0x80 [ 80.653286][ T5059] ? filldir+0x740/0x740 [ 80.657576][ T5059] ? syscall_enter_from_user_mode+0x32/0x230 [ 80.663570][ T5059] ? syscall_enter_from_user_mode+0x8c/0x230 [ 80.669559][ T5059] do_syscall_64+0x41/0xc0 [ 80.673985][ T5059] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 80.679881][ T5059] RIP: 0033:0x7f281a11eab9 [ 80.684304][ T5059] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5061] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5059] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5059] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5059] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5058] exit_group(0 [pid 5061] <... futex resumed>) = ? [pid 5059] <... futex resumed>) = ? [pid 5058] <... exit_group resumed>) = ? [pid 5061] +++ exited with 0 +++ [pid 5059] +++ exited with 0 +++ [pid 5058] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5058, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- umount2("./15", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./15/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./15/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./15/binderfs") = 0 [ 80.704001][ T5059] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 80.712423][ T5059] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 80.720395][ T5059] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 80.728369][ T5059] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 80.736340][ T5059] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 80.744306][ T5059] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 80.752287][ T5059] umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./15/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./15/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./15/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./15/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./15") = 0 mkdir("./16", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5062 ./strace-static-x86_64: Process 5062 attached [pid 5062] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5062] chdir("./16") = 0 [pid 5062] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5062] setpgid(0, 0) = 0 [pid 5062] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5062] write(3, "1000", 4) = 4 [pid 5062] close(3) = 0 [pid 5062] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5062] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5062] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5062] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5062] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5063 attached [pid 5063] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5063] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5062] <... clone resumed>, parent_tid=[5063], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5063 [pid 5062] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5063] <... futex resumed>) = 0 [pid 5062] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5063] memfd_create("syzkaller", 0) = 3 [pid 5063] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5063] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5063] munmap(0x7f2811caa000, 16777216) = 0 [pid 5063] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5063] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5063] close(3) = 0 [pid 5063] mkdir("./file0", 0777) = 0 [ 81.128669][ T5063] loop0: detected capacity change from 0 to 32768 [ 81.140375][ T5063] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 81.149474][ T5063] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 81.158759][ T5063] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 81.167266][ T900] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 81.174127][ T900] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5063] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5063] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5063] chdir("./file0") = 0 [pid 5063] ioctl(4, LOOP_CLR_FD) = 0 [pid 5063] close(4) = 0 [pid 5063] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5062] <... futex resumed>) = 0 [pid 5063] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5062] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5063] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5062] <... futex resumed>) = 0 [pid 5063] open(".", O_RDONLY [pid 5062] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5063] <... open resumed>) = 4 [pid 5063] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5062] <... futex resumed>) = 0 [pid 5063] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5062] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5063] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5062] <... futex resumed>) = 0 [ 81.219910][ T900] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 81.227433][ T900] gfs2: fsid=syz:syz.0: jid=0: Done [ 81.233443][ T5063] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5062] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 81.264525][ T5063] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 81.272879][ T5063] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 81.272879][ T5063] inode = 12 2341 [ 81.272879][ T5063] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 81.291992][ T5063] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 81.301275][ T5063] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5063 [syz-executor171] iterate_dir+0x228/0x570 [pid 5063] getdents64(4, [pid 5062] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5062] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5062] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5062] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5062] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5065], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5065 [pid 5062] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5062] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5065 attached [pid 5065] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5065] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5065] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5062] <... futex resumed>) = 0 [pid 5065] <... futex resumed>) = 1 [ 81.311310][ T5063] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 81.319838][ T5063] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 81.327355][ T5063] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 81.336462][ T5063] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 81.343441][ T5063] gfs2: fsid=syz:syz.0: File system withdrawn [ 81.349524][ T5063] CPU: 0 PID: 5063 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 81.359603][ T5063] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 81.369681][ T5063] Call Trace: [ 81.372980][ T5063] [ 81.375911][ T5063] dump_stack_lvl+0x1e7/0x2d0 [ 81.380595][ T5063] ? nf_tcp_handle_invalid+0x650/0x650 [ 81.386073][ T5063] ? panic+0x770/0x770 [ 81.390154][ T5063] ? kobject_uevent_env+0x54e/0x8e0 [ 81.395383][ T5063] gfs2_withdraw+0xf48/0x1550 [ 81.400099][ T5063] ? gfs2_lm+0x240/0x240 [ 81.404356][ T5063] ? gfs2_dirent_scan+0xb2/0x640 [ 81.409298][ T5063] ? panic+0x770/0x770 [ 81.413379][ T5063] ? gfs2_consist_inode_i+0xf5/0x110 [ 81.418707][ T5063] gfs2_dirent_scan+0x512/0x640 [ 81.423575][ T5063] ? gfs2_dirent_scan+0x640/0x640 [ 81.428602][ T5063] gfs2_dir_read+0x82f/0x1af0 [ 81.433302][ T5063] ? inode_dio_wait+0x2ad/0x340 [ 81.438176][ T5063] ? inode_owner_or_capable+0x1c0/0x1c0 [ 81.443735][ T5063] ? gfs2_dir_hash_inval+0x80/0x80 [ 81.448870][ T5063] ? _raw_spin_unlock+0x28/0x40 [ 81.453739][ T5063] ? gfs2_glock_nq+0xcbf/0x16c0 [ 81.458606][ T5063] ? inode_go_held+0xea/0x200 [ 81.463293][ T5063] ? gfs2_glock_wait+0x21a/0x2b0 [ 81.468242][ T5063] gfs2_readdir+0x14e/0x1b0 [ 81.472756][ T5063] ? __fdget_pos+0x254/0x2f0 [ 81.477347][ T5063] ? gfs2_fallocate+0x490/0x490 [ 81.482209][ T5063] ? iterate_dir+0x228/0x570 [ 81.486801][ T5063] ? __down_read_common+0x184/0x2c0 [ 81.492000][ T5063] ? iterate_dir+0x10e/0x570 [ 81.496601][ T5063] iterate_dir+0x228/0x570 [ 81.501034][ T5063] ? gfs2_fallocate+0x490/0x490 [ 81.505902][ T5063] __se_sys_getdents64+0x20d/0x4f0 [ 81.511022][ T5063] ? _raw_spin_unlock_irq+0x2e/0x50 [ 81.516244][ T5063] ? __x64_sys_getdents64+0x80/0x80 [ 81.521448][ T5063] ? filldir+0x740/0x740 [ 81.525711][ T5063] ? syscall_enter_from_user_mode+0x32/0x230 [ 81.531699][ T5063] ? syscall_enter_from_user_mode+0x8c/0x230 [ 81.537689][ T5063] do_syscall_64+0x41/0xc0 [ 81.542127][ T5063] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 81.548029][ T5063] RIP: 0033:0x7f281a11eab9 [ 81.552449][ T5063] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 81.572054][ T5063] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 81.580471][ T5063] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 81.588443][ T5063] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 81.596438][ T5063] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 81.604407][ T5063] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5065] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5063] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5063] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5063] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5062] exit_group(0 [pid 5065] <... futex resumed>) = ? [pid 5063] <... futex resumed>) = ? [pid 5062] <... exit_group resumed>) = ? [pid 5063] +++ exited with 0 +++ [pid 5065] +++ exited with 0 +++ [pid 5062] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5062, si_uid=0, si_status=0, si_utime=0, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./16", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./16/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./16/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./16/binderfs") = 0 [ 81.612374][ T5063] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 81.620354][ T5063] [ 81.625028][ T7] cfg80211: failed to load regulatory.db umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./16/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./16/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./16/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./16/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./16") = 0 mkdir("./17", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5066 ./strace-static-x86_64: Process 5066 attached [pid 5066] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5066] chdir("./17") = 0 [pid 5066] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5066] setpgid(0, 0) = 0 [pid 5066] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5066] write(3, "1000", 4) = 4 [pid 5066] close(3) = 0 [pid 5066] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5066] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5066] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5066] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5067 attached , parent_tid=[5067], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5067 [pid 5066] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5067] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5067] memfd_create("syzkaller", 0) = 3 [pid 5067] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5067] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5067] munmap(0x7f2811caa000, 16777216) = 0 [pid 5067] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5067] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5067] close(3) = 0 [pid 5067] mkdir("./file0", 0777) = 0 [ 82.021940][ T5067] loop0: detected capacity change from 0 to 32768 [ 82.034847][ T5067] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 82.043092][ T5067] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 82.053432][ T5067] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 82.062125][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 82.069216][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5067] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5067] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5067] chdir("./file0") = 0 [pid 5067] ioctl(4, LOOP_CLR_FD) = 0 [pid 5067] close(4) = 0 [pid 5067] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5066] <... futex resumed>) = 0 [pid 5067] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5066] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5067] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5066] <... futex resumed>) = 0 [pid 5067] open(".", O_RDONLY [ 82.111209][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 82.119555][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 82.125259][ T5067] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5066] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5067] <... open resumed>) = 4 [pid 5067] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5066] <... futex resumed>) = 0 [pid 5066] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 82.158974][ T5067] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 82.168183][ T5067] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 82.168183][ T5067] inode = 12 2341 [ 82.168183][ T5067] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 82.187515][ T5067] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 82.196976][ T5067] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5067 [syz-executor171] iterate_dir+0x228/0x570 [pid 5067] getdents64(4, [pid 5066] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5066] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5066] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5066] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5066] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5069 attached [pid 5069] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5069] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5066] <... clone resumed>, parent_tid=[5069], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5069 [pid 5066] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5069] <... futex resumed>) = 0 [pid 5069] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5069] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5069] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5066] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [ 82.207096][ T5067] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 82.216026][ T5067] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 82.224910][ T5067] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 82.235132][ T5067] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 82.244731][ T5067] gfs2: fsid=syz:syz.0: File system withdrawn [ 82.251665][ T5067] CPU: 0 PID: 5067 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 82.261754][ T5067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 82.271805][ T5067] Call Trace: [ 82.275091][ T5067] [ 82.278057][ T5067] dump_stack_lvl+0x1e7/0x2d0 [ 82.282789][ T5067] ? nf_tcp_handle_invalid+0x650/0x650 [ 82.288290][ T5067] ? panic+0x770/0x770 [ 82.292383][ T5067] ? kobject_uevent_env+0x54e/0x8e0 [ 82.297599][ T5067] gfs2_withdraw+0xf48/0x1550 [ 82.302299][ T5067] ? gfs2_lm+0x240/0x240 [ 82.306541][ T5067] ? gfs2_dirent_scan+0xb2/0x640 [ 82.311490][ T5067] ? panic+0x770/0x770 [ 82.315611][ T5067] ? gfs2_consist_inode_i+0xf5/0x110 [ 82.320930][ T5067] gfs2_dirent_scan+0x512/0x640 [ 82.325801][ T5067] ? gfs2_dirent_scan+0x640/0x640 [ 82.330880][ T5067] gfs2_dir_read+0x82f/0x1af0 [ 82.335608][ T5067] ? inode_dio_wait+0x2ad/0x340 [ 82.340502][ T5067] ? inode_owner_or_capable+0x1c0/0x1c0 [ 82.346101][ T5067] ? gfs2_dir_hash_inval+0x80/0x80 [ 82.351237][ T5067] ? _raw_spin_unlock+0x28/0x40 [pid 5066] exit_group(0 [pid 5069] <... futex resumed>) = ? [pid 5066] <... exit_group resumed>) = ? [pid 5069] +++ exited with 0 +++ [ 82.356095][ T5067] ? gfs2_glock_nq+0xcbf/0x16c0 [ 82.360965][ T5067] ? inode_go_held+0xea/0x200 [ 82.365646][ T5067] ? gfs2_glock_wait+0x21a/0x2b0 [ 82.370606][ T5067] gfs2_readdir+0x14e/0x1b0 [ 82.375152][ T5067] ? __fdget_pos+0x254/0x2f0 [ 82.379767][ T5067] ? gfs2_fallocate+0x490/0x490 [ 82.384648][ T5067] ? iterate_dir+0x228/0x570 [ 82.389250][ T5067] ? __down_read_common+0x184/0x2c0 [ 82.394475][ T5067] ? iterate_dir+0x10e/0x570 [ 82.399108][ T5067] iterate_dir+0x228/0x570 [ 82.403552][ T5067] ? gfs2_fallocate+0x490/0x490 [ 82.408436][ T5067] __se_sys_getdents64+0x20d/0x4f0 [ 82.413585][ T5067] ? _raw_spin_unlock_irq+0x2e/0x50 [ 82.418791][ T5067] ? __x64_sys_getdents64+0x80/0x80 [ 82.424007][ T5067] ? filldir+0x740/0x740 [ 82.428319][ T5067] ? syscall_enter_from_user_mode+0x32/0x230 [ 82.434342][ T5067] ? syscall_enter_from_user_mode+0x8c/0x230 [ 82.440333][ T5067] do_syscall_64+0x41/0xc0 [ 82.444781][ T5067] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 82.450689][ T5067] RIP: 0033:0x7f281a11eab9 [ 82.455138][ T5067] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 82.474767][ T5067] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 82.483215][ T5067] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 82.491198][ T5067] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 82.499194][ T5067] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5067] <... getdents64 resumed> ) = ? [pid 5067] +++ exited with 0 +++ [pid 5066] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5066, si_uid=0, si_status=0, si_utime=0, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./17", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./17/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./17/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./17/binderfs") = 0 [ 82.507174][ T5067] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 82.515163][ T5067] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 82.523147][ T5067] umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./17/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./17/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./17/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./17/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./17") = 0 mkdir("./18", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5070 ./strace-static-x86_64: Process 5070 attached [pid 5070] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5070] chdir("./18") = 0 [pid 5070] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5070] setpgid(0, 0) = 0 [pid 5070] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5070] write(3, "1000", 4) = 4 [pid 5070] close(3) = 0 [pid 5070] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5070] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5070] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5070] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5071], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5071 [pid 5070] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5071 attached [pid 5071] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5071] memfd_create("syzkaller", 0) = 3 [pid 5071] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5071] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5071] munmap(0x7f2811caa000, 16777216) = 0 [pid 5071] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5071] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5071] close(3) = 0 [pid 5071] mkdir("./file0", 0777) = 0 [ 82.884340][ T5071] loop0: detected capacity change from 0 to 32768 [ 82.897702][ T5071] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 82.905997][ T5071] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 82.916084][ T5071] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 82.924829][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 82.931604][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5071] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5071] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5071] chdir("./file0") = 0 [pid 5071] ioctl(4, LOOP_CLR_FD) = 0 [pid 5071] close(4) = 0 [pid 5071] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5070] <... futex resumed>) = 0 [pid 5071] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5070] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5070] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5071] <... futex resumed>) = 0 [pid 5071] open(".", O_RDONLY) = 4 [pid 5071] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5071] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5070] <... futex resumed>) = 0 [pid 5070] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5071] <... futex resumed>) = 0 [pid 5070] <... futex resumed>) = 1 [pid 5071] getdents64(4, [ 82.970734][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 82.979077][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 82.985037][ T5071] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 83.015925][ T5071] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 83.024945][ T5071] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 83.024945][ T5071] inode = 12 2341 [ 83.024945][ T5071] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 83.043694][ T5071] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 83.053032][ T5071] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5071 [syz-executor171] iterate_dir+0x228/0x570 [pid 5070] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5070] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5070] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5070] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5073], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5073 [pid 5070] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5070] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5073 attached [pid 5073] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5073] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5073] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5070] <... futex resumed>) = 0 [ 83.063527][ T5071] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 83.072018][ T5071] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 83.079723][ T5071] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 83.088966][ T5071] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 83.098154][ T5071] gfs2: fsid=syz:syz.0: File system withdrawn [ 83.104594][ T5071] CPU: 0 PID: 5071 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 83.114717][ T5071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 83.124779][ T5071] Call Trace: [ 83.128068][ T5071] [ 83.131024][ T5071] dump_stack_lvl+0x1e7/0x2d0 [ 83.135728][ T5071] ? nf_tcp_handle_invalid+0x650/0x650 [ 83.141201][ T5071] ? panic+0x770/0x770 [ 83.145298][ T5071] ? kobject_uevent_env+0x54e/0x8e0 [ 83.150616][ T5071] gfs2_withdraw+0xf48/0x1550 [ 83.155332][ T5071] ? gfs2_lm+0x240/0x240 [ 83.159617][ T5071] ? gfs2_dirent_scan+0xb2/0x640 [ 83.164590][ T5071] ? panic+0x770/0x770 [ 83.168694][ T5071] ? gfs2_consist_inode_i+0xf5/0x110 [ 83.174002][ T5071] gfs2_dirent_scan+0x512/0x640 [ 83.178880][ T5071] ? gfs2_dirent_scan+0x640/0x640 [ 83.183924][ T5071] gfs2_dir_read+0x82f/0x1af0 [ 83.188633][ T5071] ? inode_dio_wait+0x2ad/0x340 [ 83.193491][ T5071] ? inode_owner_or_capable+0x1c0/0x1c0 [ 83.199041][ T5071] ? gfs2_dir_hash_inval+0x80/0x80 [ 83.204151][ T5071] ? _raw_spin_unlock+0x28/0x40 [ 83.208996][ T5071] ? gfs2_glock_nq+0xcbf/0x16c0 [pid 5073] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5070] exit_group(0 [pid 5073] <... futex resumed>) = ? [pid 5070] <... exit_group resumed>) = ? [pid 5073] +++ exited with 0 +++ [ 83.213869][ T5071] ? inode_go_held+0xea/0x200 [ 83.218568][ T5071] ? gfs2_glock_wait+0x21a/0x2b0 [ 83.223513][ T5071] gfs2_readdir+0x14e/0x1b0 [ 83.228028][ T5071] ? __fdget_pos+0x254/0x2f0 [ 83.232634][ T5071] ? gfs2_fallocate+0x490/0x490 [ 83.237492][ T5071] ? iterate_dir+0x228/0x570 [ 83.242115][ T5071] ? __down_read_common+0x184/0x2c0 [ 83.247351][ T5071] ? iterate_dir+0x10e/0x570 [ 83.251969][ T5071] iterate_dir+0x228/0x570 [ 83.256403][ T5071] ? gfs2_fallocate+0x490/0x490 [ 83.261256][ T5071] __se_sys_getdents64+0x20d/0x4f0 [ 83.266369][ T5071] ? _raw_spin_unlock_irq+0x2e/0x50 [ 83.271566][ T5071] ? __x64_sys_getdents64+0x80/0x80 [ 83.276790][ T5071] ? filldir+0x740/0x740 [ 83.281073][ T5071] ? syscall_enter_from_user_mode+0x32/0x230 [ 83.287074][ T5071] ? syscall_enter_from_user_mode+0x8c/0x230 [ 83.293054][ T5071] do_syscall_64+0x41/0xc0 [ 83.297486][ T5071] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 83.303418][ T5071] RIP: 0033:0x7f281a11eab9 [ 83.307830][ T5071] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 83.327434][ T5071] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 83.335849][ T5071] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 83.343831][ T5071] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 83.351809][ T5071] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 83.359793][ T5071] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5071] <... getdents64 resumed> ) = ? [pid 5071] +++ exited with 0 +++ [pid 5070] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5070, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=30 /* 0.30 s */} --- umount2("./18", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./18/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./18/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./18/binderfs") = 0 [ 83.367767][ T5071] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 83.375760][ T5071] umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./18/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./18/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./18/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./18/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./18") = 0 mkdir("./19", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5074 ./strace-static-x86_64: Process 5074 attached [pid 5074] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5074] chdir("./19") = 0 [pid 5074] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5074] setpgid(0, 0) = 0 [pid 5074] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5074] write(3, "1000", 4) = 4 [pid 5074] close(3) = 0 [pid 5074] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5074] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5074] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5074] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5075], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5075 [pid 5074] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5075 attached [pid 5075] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5075] memfd_create("syzkaller", 0) = 3 [pid 5075] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5075] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5075] munmap(0x7f2811caa000, 16777216) = 0 [pid 5075] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5075] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5075] close(3) = 0 [pid 5075] mkdir("./file0", 0777) = 0 [ 83.741843][ T5075] loop0: detected capacity change from 0 to 32768 [ 83.752882][ T5075] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 83.761215][ T5075] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 83.771678][ T5075] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 83.780650][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 83.787922][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5075] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5075] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5075] chdir("./file0") = 0 [pid 5075] ioctl(4, LOOP_CLR_FD) = 0 [pid 5075] close(4) = 0 [pid 5075] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5074] <... futex resumed>) = 0 [pid 5074] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5075] <... futex resumed>) = 1 [pid 5075] open(".", O_RDONLY) = 4 [pid 5075] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5074] <... futex resumed>) = 0 [pid 5074] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5075] <... futex resumed>) = 1 [ 83.837246][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 49ms [ 83.845224][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 83.850504][ T5075] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 83.881106][ T5075] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 83.889908][ T5075] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 83.889908][ T5075] inode = 12 2341 [ 83.889908][ T5075] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 83.909479][ T5075] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 83.918711][ T5075] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5075 [syz-executor171] iterate_dir+0x228/0x570 [pid 5075] getdents64(4, [pid 5074] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5074] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5074] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5074] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5077], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5077 [pid 5074] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5074] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5077 attached [pid 5077] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5077] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5077] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5074] <... futex resumed>) = 0 [pid 5077] <... futex resumed>) = 1 [ 83.928867][ T5075] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 83.939268][ T5075] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 83.947325][ T5075] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 83.956993][ T5075] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 83.963865][ T5075] gfs2: fsid=syz:syz.0: File system withdrawn [ 83.969951][ T5075] CPU: 0 PID: 5075 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 83.980024][ T5075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 83.990077][ T5075] Call Trace: [ 83.993376][ T5075] [ 83.996328][ T5075] dump_stack_lvl+0x1e7/0x2d0 [ 84.001042][ T5075] ? nf_tcp_handle_invalid+0x650/0x650 [ 84.006546][ T5075] ? panic+0x770/0x770 [ 84.010676][ T5075] ? kobject_uevent_env+0x54e/0x8e0 [ 84.015927][ T5075] gfs2_withdraw+0xf48/0x1550 [ 84.020639][ T5075] ? gfs2_lm+0x240/0x240 [ 84.024933][ T5075] ? gfs2_dirent_scan+0xb2/0x640 [ 84.029885][ T5075] ? panic+0x770/0x770 [ 84.033986][ T5075] ? gfs2_consist_inode_i+0xf5/0x110 [ 84.039308][ T5075] gfs2_dirent_scan+0x512/0x640 [ 84.044174][ T5075] ? gfs2_dirent_scan+0x640/0x640 [ 84.049238][ T5075] gfs2_dir_read+0x82f/0x1af0 [ 84.053933][ T5075] ? inode_dio_wait+0x2ad/0x340 [ 84.058804][ T5075] ? inode_owner_or_capable+0x1c0/0x1c0 [ 84.064377][ T5075] ? gfs2_dir_hash_inval+0x80/0x80 [ 84.069507][ T5075] ? _raw_spin_unlock+0x28/0x40 [ 84.074361][ T5075] ? gfs2_glock_nq+0xcbf/0x16c0 [ 84.079229][ T5075] ? inode_go_held+0xea/0x200 [ 84.083916][ T5075] ? gfs2_glock_wait+0x21a/0x2b0 [ 84.088880][ T5075] gfs2_readdir+0x14e/0x1b0 [ 84.093388][ T5075] ? __fdget_pos+0x254/0x2f0 [ 84.097982][ T5075] ? gfs2_fallocate+0x490/0x490 [ 84.102857][ T5075] ? iterate_dir+0x228/0x570 [ 84.107460][ T5075] ? __down_read_common+0x184/0x2c0 [ 84.112673][ T5075] ? iterate_dir+0x10e/0x570 [ 84.117281][ T5075] iterate_dir+0x228/0x570 [ 84.121711][ T5075] ? gfs2_fallocate+0x490/0x490 [ 84.126576][ T5075] __se_sys_getdents64+0x20d/0x4f0 [ 84.131714][ T5075] ? _raw_spin_unlock_irq+0x2e/0x50 [ 84.136931][ T5075] ? __x64_sys_getdents64+0x80/0x80 [ 84.142139][ T5075] ? filldir+0x740/0x740 [ 84.146401][ T5075] ? syscall_enter_from_user_mode+0x32/0x230 [ 84.152398][ T5075] ? syscall_enter_from_user_mode+0x8c/0x230 [ 84.158386][ T5075] do_syscall_64+0x41/0xc0 [ 84.162815][ T5075] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 84.168736][ T5075] RIP: 0033:0x7f281a11eab9 [ 84.173168][ T5075] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 84.192771][ T5075] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 84.201188][ T5075] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 84.209173][ T5075] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 84.217146][ T5075] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5077] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5075] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5075] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5074] exit_group(0 [pid 5077] <... futex resumed>) = ? [pid 5077] +++ exited with 0 +++ [pid 5075] <... futex resumed>) = ? [pid 5074] <... exit_group resumed>) = ? [pid 5075] +++ exited with 0 +++ [pid 5074] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5074, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=31 /* 0.31 s */} --- umount2("./19", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./19/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./19/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./19/binderfs") = 0 [ 84.225124][ T5075] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 84.233107][ T5075] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 84.241091][ T5075] umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./19/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./19/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./19/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./19/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./19") = 0 mkdir("./20", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5078 ./strace-static-x86_64: Process 5078 attached [pid 5078] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5078] chdir("./20") = 0 [pid 5078] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5078] setpgid(0, 0) = 0 [pid 5078] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5078] write(3, "1000", 4) = 4 [pid 5078] close(3) = 0 [pid 5078] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5078] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5078] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5078] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5079], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5079 [pid 5078] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5079 attached [pid 5079] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5079] memfd_create("syzkaller", 0) = 3 [pid 5079] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5079] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5079] munmap(0x7f2811caa000, 16777216) = 0 [pid 5079] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5079] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5079] close(3) = 0 [pid 5079] mkdir("./file0", 0777) = 0 [ 84.610768][ T5079] loop0: detected capacity change from 0 to 32768 [ 84.622090][ T5079] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 84.630823][ T5079] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 84.641308][ T5079] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 84.650249][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 84.657265][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5079] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5079] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5079] chdir("./file0") = 0 [pid 5079] ioctl(4, LOOP_CLR_FD) = 0 [pid 5079] close(4) = 0 [pid 5079] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5078] <... futex resumed>) = 0 [pid 5078] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5079] <... futex resumed>) = 1 [pid 5079] open(".", O_RDONLY) = 4 [pid 5079] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5078] <... futex resumed>) = 0 [pid 5078] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5079] <... futex resumed>) = 1 [pid 5078] <... futex resumed>) = 0 [pid 5079] getdents64(4, [ 84.702571][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 84.710098][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 84.715427][ T5079] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 84.754604][ T5079] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 84.763058][ T5079] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 84.763058][ T5079] inode = 12 2341 [ 84.763058][ T5079] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 84.782207][ T5079] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 84.791335][ T5079] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5079 [syz-executor171] iterate_dir+0x228/0x570 [pid 5078] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5078] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5078] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5078] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5078] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5081], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5081 [pid 5078] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 84.801354][ T5079] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 84.809852][ T5079] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 84.817231][ T5079] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 84.826408][ T5079] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 84.833068][ T5079] gfs2: fsid=syz:syz.0: File system withdrawn [ 84.839570][ T5079] CPU: 0 PID: 5079 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [pid 5078] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5081 attached [pid 5081] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5081] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [ 84.849650][ T5079] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 84.859698][ T5079] Call Trace: [ 84.862983][ T5079] [ 84.865940][ T5079] dump_stack_lvl+0x1e7/0x2d0 [ 84.870652][ T5079] ? nf_tcp_handle_invalid+0x650/0x650 [ 84.876116][ T5079] ? panic+0x770/0x770 [ 84.880202][ T5079] ? kobject_uevent_env+0x54e/0x8e0 [ 84.885430][ T5079] gfs2_withdraw+0xf48/0x1550 [ 84.890145][ T5079] ? gfs2_lm+0x240/0x240 [ 84.894403][ T5079] ? gfs2_dirent_scan+0xb2/0x640 [ 84.899357][ T5079] ? panic+0x770/0x770 [pid 5081] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5078] <... futex resumed>) = 0 [ 84.903444][ T5079] ? gfs2_consist_inode_i+0xf5/0x110 [ 84.908777][ T5079] gfs2_dirent_scan+0x512/0x640 [ 84.913630][ T5079] ? gfs2_dirent_scan+0x640/0x640 [ 84.918674][ T5079] gfs2_dir_read+0x82f/0x1af0 [ 84.923371][ T5079] ? inode_dio_wait+0x2ad/0x340 [ 84.928260][ T5079] ? inode_owner_or_capable+0x1c0/0x1c0 [ 84.933840][ T5079] ? gfs2_dir_hash_inval+0x80/0x80 [ 84.938958][ T5079] ? _raw_spin_unlock+0x28/0x40 [ 84.943812][ T5079] ? gfs2_glock_nq+0xcbf/0x16c0 [ 84.948686][ T5079] ? inode_go_held+0xea/0x200 [ 84.953377][ T5079] ? gfs2_glock_wait+0x21a/0x2b0 [ 84.958324][ T5079] gfs2_readdir+0x14e/0x1b0 [ 84.962836][ T5079] ? __fdget_pos+0x254/0x2f0 [ 84.967421][ T5079] ? gfs2_fallocate+0x490/0x490 [ 84.972276][ T5079] ? iterate_dir+0x228/0x570 [ 84.976868][ T5079] ? __down_read_common+0x184/0x2c0 [ 84.982063][ T5079] ? iterate_dir+0x10e/0x570 [ 84.986659][ T5079] iterate_dir+0x228/0x570 [ 84.991105][ T5079] ? gfs2_fallocate+0x490/0x490 [ 84.995972][ T5079] __se_sys_getdents64+0x20d/0x4f0 [ 85.001118][ T5079] ? _raw_spin_unlock_irq+0x2e/0x50 [ 85.006323][ T5079] ? __x64_sys_getdents64+0x80/0x80 [ 85.011521][ T5079] ? filldir+0x740/0x740 [ 85.015773][ T5079] ? syscall_enter_from_user_mode+0x32/0x230 [ 85.021761][ T5079] ? syscall_enter_from_user_mode+0x8c/0x230 [ 85.027750][ T5079] do_syscall_64+0x41/0xc0 [ 85.032180][ T5079] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 85.038082][ T5079] RIP: 0033:0x7f281a11eab9 [ 85.042497][ T5079] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 85.062112][ T5079] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 85.070522][ T5079] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 85.078498][ T5079] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 85.086491][ T5079] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 85.094470][ T5079] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5081] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5079] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5079] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5079] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5078] exit_group(0 [pid 5079] <... futex resumed>) = ? [pid 5078] <... exit_group resumed>) = ? [pid 5079] +++ exited with 0 +++ [pid 5081] <... futex resumed>) = ? [pid 5081] +++ exited with 0 +++ [pid 5078] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5078, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./20", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./20/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./20/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./20/binderfs") = 0 [ 85.102442][ T5079] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 85.110514][ T5079] umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./20/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./20/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./20/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./20/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./20") = 0 mkdir("./21", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5082 ./strace-static-x86_64: Process 5082 attached [pid 5082] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5082] chdir("./21") = 0 [pid 5082] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5082] setpgid(0, 0) = 0 [pid 5082] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5082] write(3, "1000", 4) = 4 [pid 5082] close(3) = 0 [pid 5082] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5082] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5082] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5082] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5082] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5083 attached , parent_tid=[5083], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5083 [pid 5083] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5083] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5082] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5083] <... futex resumed>) = 0 [pid 5082] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5083] memfd_create("syzkaller", 0) = 3 [pid 5083] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5083] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5083] munmap(0x7f2811caa000, 16777216) = 0 [pid 5083] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5083] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5083] close(3) = 0 [pid 5083] mkdir("./file0", 0777) = 0 [ 85.480397][ T5083] loop0: detected capacity change from 0 to 32768 [ 85.494100][ T5083] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 85.502312][ T5083] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 85.512140][ T5083] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 85.520914][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 85.527838][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5083] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5083] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5083] chdir("./file0") = 0 [pid 5083] ioctl(4, LOOP_CLR_FD) = 0 [pid 5083] close(4) = 0 [pid 5083] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5083] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5082] <... futex resumed>) = 0 [pid 5082] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5083] <... futex resumed>) = 0 [pid 5083] open(".", O_RDONLY) = 4 [pid 5083] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5083] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5082] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 5082] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5083] <... futex resumed>) = 0 [pid 5082] <... futex resumed>) = 1 [pid 5082] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 85.567305][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 85.576490][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 85.581758][ T5083] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 85.608547][ T5083] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 85.617313][ T5083] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 85.617313][ T5083] inode = 12 2341 [ 85.617313][ T5083] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 85.636047][ T5083] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 85.645803][ T5083] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5083 [syz-executor171] iterate_dir+0x228/0x570 [pid 5083] getdents64(4, [pid 5082] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5082] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5082] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5082] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5082] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5085 attached , parent_tid=[5085], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5085 [pid 5085] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5085] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5082] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5082] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5085] <... futex resumed>) = 0 [pid 5085] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5085] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5082] <... futex resumed>) = 0 [pid 5085] <... futex resumed>) = 1 [ 85.655990][ T5083] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 85.664506][ T5083] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 85.672039][ T5083] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 85.681187][ T5083] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 85.691700][ T5083] gfs2: fsid=syz:syz.0: File system withdrawn [ 85.698214][ T5083] CPU: 0 PID: 5083 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 85.708318][ T5083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 85.718390][ T5083] Call Trace: [ 85.721681][ T5083] [ 85.724640][ T5083] dump_stack_lvl+0x1e7/0x2d0 [ 85.729363][ T5083] ? nf_tcp_handle_invalid+0x650/0x650 [ 85.734843][ T5083] ? panic+0x770/0x770 [ 85.738941][ T5083] ? kobject_uevent_env+0x54e/0x8e0 [ 85.744174][ T5083] gfs2_withdraw+0xf48/0x1550 [ 85.748871][ T5083] ? gfs2_lm+0x240/0x240 [ 85.753117][ T5083] ? gfs2_dirent_scan+0xb2/0x640 [ 85.758070][ T5083] ? panic+0x770/0x770 [ 85.762165][ T5083] ? gfs2_consist_inode_i+0xf5/0x110 [ 85.767511][ T5083] gfs2_dirent_scan+0x512/0x640 [ 85.772407][ T5083] ? gfs2_dirent_scan+0x640/0x640 [ 85.777453][ T5083] gfs2_dir_read+0x82f/0x1af0 [ 85.782151][ T5083] ? inode_dio_wait+0x2ad/0x340 [ 85.787025][ T5083] ? inode_owner_or_capable+0x1c0/0x1c0 [ 85.792576][ T5083] ? gfs2_dir_hash_inval+0x80/0x80 [ 85.797699][ T5083] ? _raw_spin_unlock+0x28/0x40 [ 85.802566][ T5083] ? gfs2_glock_nq+0xcbf/0x16c0 [pid 5085] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5082] exit_group(0 [pid 5085] <... futex resumed>) = ? [pid 5082] <... exit_group resumed>) = ? [pid 5085] +++ exited with 0 +++ [ 85.807417][ T5083] ? inode_go_held+0xea/0x200 [ 85.812092][ T5083] ? gfs2_glock_wait+0x21a/0x2b0 [ 85.817039][ T5083] gfs2_readdir+0x14e/0x1b0 [ 85.821546][ T5083] ? __fdget_pos+0x254/0x2f0 [ 85.826142][ T5083] ? gfs2_fallocate+0x490/0x490 [ 85.831015][ T5083] ? iterate_dir+0x228/0x570 [ 85.835635][ T5083] ? __down_read_common+0x184/0x2c0 [ 85.840868][ T5083] ? iterate_dir+0x10e/0x570 [ 85.845485][ T5083] iterate_dir+0x228/0x570 [ 85.849924][ T5083] ? gfs2_fallocate+0x490/0x490 [ 85.854793][ T5083] __se_sys_getdents64+0x20d/0x4f0 [ 85.859926][ T5083] ? _raw_spin_unlock_irq+0x2e/0x50 [ 85.865122][ T5083] ? __x64_sys_getdents64+0x80/0x80 [ 85.870317][ T5083] ? filldir+0x740/0x740 [ 85.874580][ T5083] ? syscall_enter_from_user_mode+0x32/0x230 [ 85.880559][ T5083] ? syscall_enter_from_user_mode+0x8c/0x230 [ 85.886548][ T5083] do_syscall_64+0x41/0xc0 [ 85.891002][ T5083] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 85.896920][ T5083] RIP: 0033:0x7f281a11eab9 [ 85.901332][ T5083] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 85.920940][ T5083] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 85.929358][ T5083] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 85.937342][ T5083] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 85.945336][ T5083] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5083] <... getdents64 resumed> ) = ? [pid 5083] +++ exited with 0 +++ [pid 5082] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5082, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- umount2("./21", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./21/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./21/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./21/binderfs") = 0 [ 85.953308][ T5083] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 85.961287][ T5083] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 85.969274][ T5083] umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./21/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./21/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./21/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./21/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./21") = 0 mkdir("./22", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5086 ./strace-static-x86_64: Process 5086 attached [pid 5086] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5086] chdir("./22") = 0 [pid 5086] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5086] setpgid(0, 0) = 0 [pid 5086] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5086] write(3, "1000", 4) = 4 [pid 5086] close(3) = 0 [pid 5086] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5086] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5086] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5086] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5086] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5087], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5087 [pid 5086] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5086] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5087 attached [pid 5087] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5087] memfd_create("syzkaller", 0) = 3 [pid 5087] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5087] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5087] munmap(0x7f2811caa000, 16777216) = 0 [pid 5087] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5087] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5087] close(3) = 0 [pid 5087] mkdir("./file0", 0777) = 0 [ 86.327354][ T5087] loop0: detected capacity change from 0 to 32768 [ 86.341102][ T5087] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 86.349847][ T5087] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 86.360102][ T5087] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 86.368946][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 86.375929][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5087] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5087] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5087] chdir("./file0") = 0 [pid 5087] ioctl(4, LOOP_CLR_FD) = 0 [pid 5087] close(4) = 0 [pid 5087] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5086] <... futex resumed>) = 0 [pid 5087] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5086] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5087] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5086] <... futex resumed>) = 0 [pid 5087] open(".", O_RDONLY [pid 5086] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5087] <... open resumed>) = 4 [pid 5087] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5086] <... futex resumed>) = 0 [pid 5087] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5086] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5087] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5086] <... futex resumed>) = 0 [pid 5087] getdents64(4, [ 86.417105][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 86.426279][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 86.431573][ T5087] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 86.465458][ T5087] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 86.474095][ T5087] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 86.474095][ T5087] inode = 12 2341 [ 86.474095][ T5087] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 86.493343][ T5087] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 86.502506][ T5087] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5087 [syz-executor171] iterate_dir+0x228/0x570 [pid 5086] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5086] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5086] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5086] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5086] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5089], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5089 [pid 5086] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5086] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5089 attached [pid 5089] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5089] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5089] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5086] <... futex resumed>) = 0 [pid 5089] <... futex resumed>) = 1 [ 86.512497][ T5087] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 86.521007][ T5087] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 86.528316][ T5087] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 86.537177][ T5087] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 86.544134][ T5087] gfs2: fsid=syz:syz.0: File system withdrawn [ 86.550218][ T5087] CPU: 1 PID: 5087 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 86.560272][ T5087] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 86.570315][ T5087] Call Trace: [ 86.573601][ T5087] [ 86.576561][ T5087] dump_stack_lvl+0x1e7/0x2d0 [ 86.581267][ T5087] ? nf_tcp_handle_invalid+0x650/0x650 [ 86.586730][ T5087] ? panic+0x770/0x770 [ 86.590811][ T5087] ? kobject_uevent_env+0x54e/0x8e0 [ 86.596037][ T5087] gfs2_withdraw+0xf48/0x1550 [ 86.600745][ T5087] ? gfs2_lm+0x240/0x240 [ 86.605040][ T5087] ? gfs2_dirent_scan+0xb2/0x640 [ 86.609992][ T5087] ? panic+0x770/0x770 [ 86.614091][ T5087] ? gfs2_consist_inode_i+0xf5/0x110 [ 86.619394][ T5087] gfs2_dirent_scan+0x512/0x640 [ 86.624279][ T5087] ? gfs2_dirent_scan+0x640/0x640 [ 86.629342][ T5087] gfs2_dir_read+0x82f/0x1af0 [ 86.634068][ T5087] ? inode_dio_wait+0x2ad/0x340 [ 86.638952][ T5087] ? inode_owner_or_capable+0x1c0/0x1c0 [ 86.644512][ T5087] ? gfs2_dir_hash_inval+0x80/0x80 [ 86.649634][ T5087] ? _raw_spin_unlock+0x28/0x40 [ 86.654499][ T5087] ? gfs2_glock_nq+0xcbf/0x16c0 [ 86.659383][ T5087] ? inode_go_held+0xea/0x200 [pid 5089] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5086] exit_group(0 [pid 5089] <... futex resumed>) = ? [pid 5086] <... exit_group resumed>) = ? [pid 5089] +++ exited with 0 +++ [ 86.664079][ T5087] ? gfs2_glock_wait+0x21a/0x2b0 [ 86.669052][ T5087] gfs2_readdir+0x14e/0x1b0 [ 86.673575][ T5087] ? __fdget_pos+0x254/0x2f0 [ 86.678217][ T5087] ? gfs2_fallocate+0x490/0x490 [ 86.683094][ T5087] ? iterate_dir+0x228/0x570 [ 86.687713][ T5087] ? __down_read_common+0x184/0x2c0 [ 86.692928][ T5087] ? iterate_dir+0x10e/0x570 [ 86.697565][ T5087] iterate_dir+0x228/0x570 [ 86.701988][ T5087] ? gfs2_fallocate+0x490/0x490 [ 86.706855][ T5087] __se_sys_getdents64+0x20d/0x4f0 [ 86.711983][ T5087] ? _raw_spin_unlock_irq+0x2e/0x50 [ 86.717189][ T5087] ? __x64_sys_getdents64+0x80/0x80 [ 86.722401][ T5087] ? filldir+0x740/0x740 [ 86.726684][ T5087] ? syscall_enter_from_user_mode+0x32/0x230 [ 86.732686][ T5087] ? syscall_enter_from_user_mode+0x8c/0x230 [ 86.738758][ T5087] do_syscall_64+0x41/0xc0 [ 86.743185][ T5087] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 86.749121][ T5087] RIP: 0033:0x7f281a11eab9 [ 86.753571][ T5087] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 86.773319][ T5087] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 86.781769][ T5087] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 86.789756][ T5087] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 86.797736][ T5087] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 86.805717][ T5087] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5087] <... getdents64 resumed> ) = ? [pid 5087] +++ exited with 0 +++ [pid 5086] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5086, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./22", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./22/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./22/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./22/binderfs") = 0 [ 86.813719][ T5087] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 86.821704][ T5087] umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./22/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./22/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./22/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./22/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./22") = 0 mkdir("./23", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5090 ./strace-static-x86_64: Process 5090 attached [pid 5090] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5090] chdir("./23") = 0 [pid 5090] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5090] setpgid(0, 0) = 0 [pid 5090] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5090] write(3, "1000", 4) = 4 [pid 5090] close(3) = 0 [pid 5090] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5090] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5090] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5090] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5090] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5091 attached , parent_tid=[5091], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5091 [pid 5091] set_robust_list(0x7f281a0ca9e0, 24 [pid 5090] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5091] <... set_robust_list resumed>) = 0 [pid 5090] <... futex resumed>) = 0 [pid 5090] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5091] memfd_create("syzkaller", 0) = 3 [pid 5091] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5091] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5091] munmap(0x7f2811caa000, 16777216) = 0 [pid 5091] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5091] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5091] close(3) = 0 [pid 5091] mkdir("./file0", 0777) = 0 [ 87.195032][ T5091] loop0: detected capacity change from 0 to 32768 [ 87.206845][ T5091] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 87.215304][ T5091] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 87.225588][ T5091] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 87.234310][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 87.241130][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5091] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5091] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5091] chdir("./file0") = 0 [pid 5091] ioctl(4, LOOP_CLR_FD) = 0 [pid 5091] close(4) = 0 [pid 5091] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5090] <... futex resumed>) = 0 [pid 5090] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5090] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5091] <... futex resumed>) = 1 [pid 5091] open(".", O_RDONLY) = 4 [pid 5091] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5090] <... futex resumed>) = 0 [pid 5090] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5090] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5091] <... futex resumed>) = 1 [ 87.279822][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 87.288932][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 87.294244][ T5091] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 87.311238][ T5091] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5091] getdents64(4, [pid 5090] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5090] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5090] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5090] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5090] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5093], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5093 [pid 5090] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5090] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5093 attached [pid 5093] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 87.323355][ T5091] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 87.323355][ T5091] inode = 12 2341 [ 87.323355][ T5091] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 87.342193][ T5091] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 87.351622][ T5091] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5091 [syz-executor171] iterate_dir+0x228/0x570 [ 87.362022][ T5091] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 87.370734][ T5093] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5093] open("./file0", O_RDONLY [pid 5090] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 87.370751][ T5093] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 87.370751][ T5093] inode = 12 2341 [ 87.370751][ T5093] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 87.370778][ T5093] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 87.370810][ T5093] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5091 [syz-executor171] iterate_dir+0x228/0x570 [ 87.370854][ T5093] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5093 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 87.370886][ T5093] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 87.371354][ T5093] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 87.371378][ T5093] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 87.371391][ T5093] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 87.372945][ T5093] gfs2: fsid=syz:syz.0: File system withdrawn [ 87.464626][ T5093] CPU: 1 PID: 5093 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 87.474683][ T5093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 87.484733][ T5093] Call Trace: [ 87.488023][ T5093] [ 87.490981][ T5093] dump_stack_lvl+0x1e7/0x2d0 [ 87.495685][ T5093] ? nf_tcp_handle_invalid+0x650/0x650 [ 87.501160][ T5093] ? panic+0x770/0x770 [ 87.505256][ T5093] ? kobject_uevent_env+0x54e/0x8e0 [ 87.510486][ T5093] gfs2_withdraw+0xf48/0x1550 [ 87.515192][ T5093] ? gfs2_lm+0x240/0x240 [ 87.519472][ T5093] ? gfs2_dirent_scan+0xb2/0x640 [ 87.524460][ T5093] ? panic+0x770/0x770 [pid 5090] exit_group(0) = ? [ 87.528542][ T5093] ? gfs2_consist_inode_i+0xf5/0x110 [ 87.533851][ T5093] gfs2_dirent_scan+0x512/0x640 [ 87.538719][ T5093] ? gfs2_permission+0x268/0x3c0 [ 87.543706][ T5093] ? gfs2_dirent_search+0x8c0/0x8c0 [ 87.548944][ T5093] gfs2_dirent_search+0x30e/0x8c0 [ 87.554003][ T5093] ? gfs2_dirent_search+0x8c0/0x8c0 [ 87.559226][ T5093] ? generic_permission+0x1df/0x550 [ 87.564460][ T5093] ? gfs2_dir_search+0x2f0/0x2f0 [ 87.569419][ T5093] ? gfs2_permission+0x34a/0x3c0 [ 87.574392][ T5093] gfs2_dir_search+0xb2/0x2f0 [ 87.579101][ T5093] ? do_filldir_main+0x520/0x520 [ 87.584049][ T5093] ? inode_go_held+0xea/0x200 [ 87.588735][ T5093] ? gfs2_glock_wait+0x21a/0x2b0 [ 87.593698][ T5093] gfs2_lookupi+0x460/0x5d0 [ 87.598225][ T5093] ? gfs2_lookup_simple+0x180/0x180 [ 87.603447][ T5093] ? __gfs2_lookup+0xa4/0x270 [ 87.608137][ T5093] __gfs2_lookup+0xa4/0x270 [ 87.612649][ T5093] ? gfs2_atomic_open+0x230/0x230 [ 87.617695][ T5093] ? __d_lookup+0x675/0x730 [ 87.622208][ T5093] ? d_hash_and_lookup+0x1b0/0x1b0 [ 87.627330][ T5093] gfs2_atomic_open+0x9e/0x230 [ 87.632100][ T5093] path_openat+0x103c/0x3170 [ 87.636715][ T5093] ? gfs2_rename2+0x25a0/0x25a0 [ 87.641588][ T5093] ? do_filp_open+0x490/0x490 [ 87.646289][ T5093] do_filp_open+0x234/0x490 [ 87.650800][ T5093] ? vfs_tmpfile+0x4a0/0x4a0 [ 87.655409][ T5093] ? _raw_spin_unlock+0x28/0x40 [ 87.660262][ T5093] ? alloc_fd+0x59c/0x640 [ 87.664629][ T5093] do_sys_openat2+0x13f/0x500 [ 87.669317][ T5093] ? print_irqtrace_events+0x220/0x220 [ 87.674794][ T5093] ? do_sys_open+0x230/0x230 [ 87.679394][ T5093] ? lockdep_hardirqs_on+0x98/0x140 [ 87.684607][ T5093] ? _raw_spin_unlock_irq+0x2e/0x50 [ 87.689811][ T5093] ? ptrace_notify+0x278/0x380 [ 87.694585][ T5093] __x64_sys_open+0x225/0x270 [ 87.699278][ T5093] ? do_sys_openat2+0x500/0x500 [ 87.704148][ T5093] ? syscall_enter_from_user_mode+0x32/0x230 [ 87.710144][ T5093] ? syscall_enter_from_user_mode+0x8c/0x230 [ 87.716137][ T5093] do_syscall_64+0x41/0xc0 [ 87.720573][ T5093] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 87.726474][ T5093] RIP: 0033:0x7f281a11eab9 [ 87.730891][ T5093] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 87.750503][ T5093] RSP: 002b:00007f2812ca9318 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 87.758923][ T5093] RAX: ffffffffffffffda RBX: 00007f281a1b57b8 RCX: 00007f281a11eab9 [ 87.766899][ T5093] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200025c0 [pid 5093] <... open resumed>) = ? [pid 5091] <... getdents64 resumed> ) = ? [pid 5093] +++ exited with 0 +++ [pid 5091] +++ exited with 0 +++ [pid 5090] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5090, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=37 /* 0.37 s */} --- umount2("./23", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./23/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./23/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./23/binderfs") = 0 [ 87.774891][ T5093] RBP: 00007f281a1b57b0 R08: 00007f2812ca9700 R09: 0000000000000000 [ 87.782873][ T5093] R10: 00007f2812ca9700 R11: 0000000000000246 R12: 0030656c69662f2e [ 87.790849][ T5093] R13: 00007ffe3f30c9ef R14: 00007f2812ca9400 R15: 0000000000022000 [ 87.798832][ T5093] umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./23/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./23/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./23/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./23/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./23") = 0 mkdir("./24", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5094 ./strace-static-x86_64: Process 5094 attached [pid 5094] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5094] chdir("./24") = 0 [pid 5094] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5094] setpgid(0, 0) = 0 [pid 5094] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5094] write(3, "1000", 4) = 4 [pid 5094] close(3) = 0 [pid 5094] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5094] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5094] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5094] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5094] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5095], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5095 [pid 5094] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5094] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5095 attached [pid 5095] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5095] memfd_create("syzkaller", 0) = 3 [pid 5095] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5095] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5095] munmap(0x7f2811caa000, 16777216) = 0 [pid 5095] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5095] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5095] close(3) = 0 [pid 5095] mkdir("./file0", 0777) = 0 [ 88.204829][ T5095] loop0: detected capacity change from 0 to 32768 [ 88.218135][ T5095] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 88.226427][ T5095] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 88.236164][ T5095] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 88.244780][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 88.251581][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5095] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5095] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5095] chdir("./file0") = 0 [pid 5095] ioctl(4, LOOP_CLR_FD) = 0 [pid 5095] close(4) = 0 [pid 5095] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5094] <... futex resumed>) = 0 [pid 5095] open(".", O_RDONLY [pid 5094] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5094] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5095] <... open resumed>) = 4 [pid 5095] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5094] <... futex resumed>) = 0 [pid 5095] getdents64(4, [pid 5094] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 88.289496][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 88.297988][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 88.303678][ T5095] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 88.324204][ T5095] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5094] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5094] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5094] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5094] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5094] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5097], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5097 ./strace-static-x86_64: Process 5097 attached [pid 5097] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5097] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 88.333407][ T5095] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 88.333407][ T5095] inode = 12 2341 [ 88.333407][ T5095] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 88.356294][ T5095] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 88.366396][ T5095] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5095 [syz-executor171] iterate_dir+0x228/0x570 [pid 5094] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5094] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5097] <... futex resumed>) = 0 [ 88.382236][ T5095] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 88.392765][ T5097] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 88.393356][ T5095] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 88.401562][ T5097] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 88.408435][ T5095] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 88.418087][ T5097] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5095 [syz-executor171] iterate_dir+0x228/0x570 [pid 5097] open("./file0", O_RDONLY [pid 5094] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 88.426298][ T5095] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 88.436531][ T5097] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5097 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 88.442761][ T5095] gfs2: fsid=syz:syz.0: File system withdrawn [ 88.454402][ T5097] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 88.460154][ T5095] CPU: 1 PID: 5095 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 88.477400][ T5095] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 88.487475][ T5095] Call Trace: [ 88.490786][ T5095] [ 88.493742][ T5095] dump_stack_lvl+0x1e7/0x2d0 [ 88.498442][ T5095] ? nf_tcp_handle_invalid+0x650/0x650 [ 88.503921][ T5095] ? panic+0x770/0x770 [ 88.508003][ T5095] ? kobject_uevent_env+0x54e/0x8e0 [ 88.513228][ T5095] gfs2_withdraw+0xf48/0x1550 [ 88.517964][ T5095] ? gfs2_lm+0x240/0x240 [ 88.522243][ T5095] ? gfs2_dirent_scan+0xb2/0x640 [ 88.527221][ T5095] ? panic+0x770/0x770 [ 88.531561][ T5095] ? gfs2_consist_inode_i+0xf5/0x110 [ 88.536865][ T5095] gfs2_dirent_scan+0x512/0x640 [ 88.541743][ T5095] ? gfs2_dirent_scan+0x640/0x640 [ 88.546789][ T5095] gfs2_dir_read+0x82f/0x1af0 [ 88.551493][ T5095] ? inode_dio_wait+0x2ad/0x340 [ 88.556351][ T5095] ? inode_owner_or_capable+0x1c0/0x1c0 [ 88.561910][ T5095] ? gfs2_dir_hash_inval+0x80/0x80 [ 88.567045][ T5095] ? _raw_spin_unlock+0x28/0x40 [ 88.571924][ T5095] ? gfs2_glock_nq+0xcbf/0x16c0 [ 88.576792][ T5095] ? inode_go_held+0xea/0x200 [ 88.581484][ T5095] ? gfs2_glock_wait+0x21a/0x2b0 [ 88.586449][ T5095] gfs2_readdir+0x14e/0x1b0 [pid 5094] exit_group(0) = ? [ 88.591002][ T5095] ? __fdget_pos+0x254/0x2f0 [ 88.595605][ T5095] ? gfs2_fallocate+0x490/0x490 [ 88.600486][ T5095] ? iterate_dir+0x228/0x570 [ 88.605101][ T5095] ? __down_read_common+0x184/0x2c0 [ 88.610326][ T5095] ? iterate_dir+0x10e/0x570 [ 88.615105][ T5095] iterate_dir+0x228/0x570 [ 88.619566][ T5095] ? gfs2_fallocate+0x490/0x490 [ 88.624430][ T5095] __se_sys_getdents64+0x20d/0x4f0 [ 88.629565][ T5095] ? _raw_spin_unlock_irq+0x2e/0x50 [ 88.634789][ T5095] ? __x64_sys_getdents64+0x80/0x80 [ 88.640040][ T5095] ? filldir+0x740/0x740 [ 88.644294][ T5095] ? syscall_enter_from_user_mode+0x32/0x230 [ 88.650289][ T5095] ? syscall_enter_from_user_mode+0x8c/0x230 [ 88.656291][ T5095] do_syscall_64+0x41/0xc0 [ 88.660721][ T5095] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 88.666709][ T5095] RIP: 0033:0x7f281a11eab9 [ 88.671132][ T5095] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 88.690773][ T5095] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 88.699235][ T5095] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 88.707219][ T5095] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 88.715209][ T5095] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 88.723192][ T5095] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 88.731179][ T5095] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [pid 5097] <... open resumed>) = ? [pid 5095] <... getdents64 resumed> ) = ? [pid 5097] +++ exited with 0 +++ [pid 5095] +++ exited with 0 +++ [pid 5094] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5094, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=43 /* 0.43 s */} --- umount2("./24", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./24/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./24/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./24/binderfs") = 0 [ 88.739182][ T5095] umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./24/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./24/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./24/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./24/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./24") = 0 mkdir("./25", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5098 ./strace-static-x86_64: Process 5098 attached [pid 5098] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5098] chdir("./25") = 0 [pid 5098] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5098] setpgid(0, 0) = 0 [pid 5098] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5098] write(3, "1000", 4) = 4 [pid 5098] close(3) = 0 [pid 5098] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5098] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5098] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5098] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5098] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5099 attached , parent_tid=[5099], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5099 [pid 5099] set_robust_list(0x7f281a0ca9e0, 24 [pid 5098] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5099] <... set_robust_list resumed>) = 0 [pid 5098] <... futex resumed>) = 0 [pid 5098] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5099] memfd_create("syzkaller", 0) = 3 [pid 5099] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5099] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5099] munmap(0x7f2811caa000, 16777216) = 0 [pid 5099] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5099] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5099] close(3) = 0 [pid 5099] mkdir("./file0", 0777) = 0 [ 89.104119][ T5099] loop0: detected capacity change from 0 to 32768 [ 89.116035][ T5099] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 89.124567][ T5099] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 89.134986][ T5099] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 89.143822][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 89.150706][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5099] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5099] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5099] chdir("./file0") = 0 [pid 5099] ioctl(4, LOOP_CLR_FD) = 0 [pid 5099] close(4) = 0 [pid 5099] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5098] <... futex resumed>) = 0 [pid 5099] open(".", O_RDONLY [pid 5098] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5099] <... open resumed>) = 4 [pid 5098] <... futex resumed>) = 0 [pid 5099] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5098] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5099] <... futex resumed>) = 0 [pid 5098] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5099] getdents64(4, [pid 5098] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 89.190822][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 89.198925][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 89.204175][ T5099] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 89.217445][ T5099] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 89.226325][ T5099] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 89.226325][ T5099] inode = 12 2341 [pid 5098] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 89.226325][ T5099] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 89.245542][ T5099] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 89.254933][ T5099] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5099 [syz-executor171] iterate_dir+0x228/0x570 [ 89.265120][ T5099] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 89.273755][ T5099] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 89.281001][ T5099] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5098] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5098] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5098] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5098] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5101], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5101 [pid 5098] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5098] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5101 attached [pid 5101] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5101] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5101] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5098] <... futex resumed>) = 0 [pid 5101] <... futex resumed>) = 1 [ 89.290278][ T5099] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 89.298206][ T5099] gfs2: fsid=syz:syz.0: File system withdrawn [ 89.304903][ T5099] CPU: 0 PID: 5099 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 89.314990][ T5099] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 89.325057][ T5099] Call Trace: [ 89.328364][ T5099] [ 89.331295][ T5099] dump_stack_lvl+0x1e7/0x2d0 [ 89.335980][ T5099] ? nf_tcp_handle_invalid+0x650/0x650 [ 89.341446][ T5099] ? panic+0x770/0x770 [ 89.345516][ T5099] ? kobject_uevent_env+0x54e/0x8e0 [ 89.350745][ T5099] gfs2_withdraw+0xf48/0x1550 [ 89.355489][ T5099] ? gfs2_lm+0x240/0x240 [ 89.359774][ T5099] ? gfs2_dirent_scan+0xb2/0x640 [ 89.364719][ T5099] ? panic+0x770/0x770 [ 89.368801][ T5099] ? gfs2_consist_inode_i+0xf5/0x110 [ 89.374108][ T5099] gfs2_dirent_scan+0x512/0x640 [ 89.378980][ T5099] ? gfs2_dirent_scan+0x640/0x640 [ 89.384020][ T5099] gfs2_dir_read+0x82f/0x1af0 [ 89.388755][ T5099] ? inode_dio_wait+0x2ad/0x340 [ 89.393633][ T5099] ? inode_owner_or_capable+0x1c0/0x1c0 [ 89.399211][ T5099] ? gfs2_dir_hash_inval+0x80/0x80 [ 89.404324][ T5099] ? _raw_spin_unlock+0x28/0x40 [ 89.409174][ T5099] ? gfs2_glock_nq+0xcbf/0x16c0 [ 89.414041][ T5099] ? inode_go_held+0xea/0x200 [ 89.418742][ T5099] ? gfs2_glock_wait+0x21a/0x2b0 [ 89.423694][ T5099] gfs2_readdir+0x14e/0x1b0 [ 89.428204][ T5099] ? __fdget_pos+0x254/0x2f0 [ 89.432800][ T5099] ? gfs2_fallocate+0x490/0x490 [ 89.437670][ T5099] ? iterate_dir+0x228/0x570 [ 89.442273][ T5099] ? __down_read_common+0x184/0x2c0 [ 89.447479][ T5099] ? iterate_dir+0x10e/0x570 [ 89.452106][ T5099] iterate_dir+0x228/0x570 [ 89.456537][ T5099] ? gfs2_fallocate+0x490/0x490 [ 89.461401][ T5099] __se_sys_getdents64+0x20d/0x4f0 [ 89.466521][ T5099] ? _raw_spin_unlock_irq+0x2e/0x50 [ 89.471723][ T5099] ? __x64_sys_getdents64+0x80/0x80 [ 89.476927][ T5099] ? filldir+0x740/0x740 [ 89.481183][ T5099] ? syscall_enter_from_user_mode+0x32/0x230 [ 89.487165][ T5099] ? syscall_enter_from_user_mode+0x8c/0x230 [ 89.493144][ T5099] do_syscall_64+0x41/0xc0 [ 89.497570][ T5099] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 89.503470][ T5099] RIP: 0033:0x7f281a11eab9 [ 89.507901][ T5099] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 89.527519][ T5099] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5101] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5099] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5099] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5098] exit_group(0 [pid 5101] <... futex resumed>) = ? [pid 5098] <... exit_group resumed>) = ? [pid 5101] +++ exited with 0 +++ [pid 5099] +++ exited with 0 +++ [pid 5098] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5098, si_uid=0, si_status=0, si_utime=0, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./25", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./25/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./25/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./25/binderfs") = 0 [ 89.535976][ T5099] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 89.543944][ T5099] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 89.551927][ T5099] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 89.559899][ T5099] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 89.567871][ T5099] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 89.575865][ T5099] umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./25/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./25/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./25/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./25/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./25") = 0 mkdir("./26", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5102 ./strace-static-x86_64: Process 5102 attached [pid 5102] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5102] chdir("./26") = 0 [pid 5102] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5102] setpgid(0, 0) = 0 [pid 5102] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5102] write(3, "1000", 4) = 4 [pid 5102] close(3) = 0 [pid 5102] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5102] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5102] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5102] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5102] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5103 attached , parent_tid=[5103], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5103 [pid 5102] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5102] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5103] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5103] memfd_create("syzkaller", 0) = 3 [pid 5103] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5103] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5103] munmap(0x7f2811caa000, 16777216) = 0 [pid 5103] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5103] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5103] close(3) = 0 [pid 5103] mkdir("./file0", 0777) = 0 [ 89.950756][ T5103] loop0: detected capacity change from 0 to 32768 [ 89.964662][ T5103] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 89.972931][ T5103] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 89.983031][ T5103] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 89.991645][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 89.998612][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5103] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5103] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5103] chdir("./file0") = 0 [pid 5103] ioctl(4, LOOP_CLR_FD) = 0 [pid 5103] close(4) = 0 [pid 5103] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5103] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5102] <... futex resumed>) = 0 [pid 5102] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5103] <... futex resumed>) = 0 [pid 5102] <... futex resumed>) = 1 [pid 5103] open(".", O_RDONLY) = 4 [pid 5103] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5103] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5102] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 5102] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5103] <... futex resumed>) = 0 [pid 5102] <... futex resumed>) = 1 [pid 5103] getdents64(4, [ 90.037451][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 90.046396][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 90.051628][ T5103] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 90.077048][ T5103] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5102] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5102] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5102] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5102] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5102] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5105], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5105 [pid 5102] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5102] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5105 attached [pid 5105] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5105] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [ 90.085534][ T5103] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 90.085534][ T5103] inode = 12 2341 [ 90.085534][ T5103] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 90.104274][ T5103] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 90.113367][ T5103] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5103 [syz-executor171] iterate_dir+0x228/0x570 [ 90.123355][ T5103] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5105] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5102] <... futex resumed>) = 0 [pid 5105] <... futex resumed>) = 1 [ 90.131796][ T5103] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 90.139065][ T5103] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 90.147878][ T5103] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 90.154493][ T5103] gfs2: fsid=syz:syz.0: File system withdrawn [ 90.160583][ T5103] CPU: 1 PID: 5103 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 90.170668][ T5103] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 90.180746][ T5103] Call Trace: [ 90.184028][ T5103] [ 90.186952][ T5103] dump_stack_lvl+0x1e7/0x2d0 [ 90.191645][ T5103] ? nf_tcp_handle_invalid+0x650/0x650 [ 90.197128][ T5103] ? panic+0x770/0x770 [ 90.201230][ T5103] ? kobject_uevent_env+0x54e/0x8e0 [ 90.206464][ T5103] gfs2_withdraw+0xf48/0x1550 [ 90.211161][ T5103] ? gfs2_lm+0x240/0x240 [ 90.215409][ T5103] ? gfs2_dirent_scan+0xb2/0x640 [ 90.220348][ T5103] ? panic+0x770/0x770 [ 90.224427][ T5103] ? gfs2_consist_inode_i+0xf5/0x110 [ 90.229718][ T5103] gfs2_dirent_scan+0x512/0x640 [ 90.234584][ T5103] ? gfs2_dirent_scan+0x640/0x640 [ 90.239644][ T5103] gfs2_dir_read+0x82f/0x1af0 [ 90.244331][ T5103] ? inode_dio_wait+0x2ad/0x340 [ 90.249190][ T5103] ? inode_owner_or_capable+0x1c0/0x1c0 [ 90.254741][ T5103] ? gfs2_dir_hash_inval+0x80/0x80 [ 90.259849][ T5103] ? _raw_spin_unlock+0x28/0x40 [ 90.264697][ T5103] ? gfs2_glock_nq+0xcbf/0x16c0 [ 90.269559][ T5103] ? inode_go_held+0xea/0x200 [ 90.274253][ T5103] ? gfs2_glock_wait+0x21a/0x2b0 [ 90.279199][ T5103] gfs2_readdir+0x14e/0x1b0 [ 90.283709][ T5103] ? __fdget_pos+0x254/0x2f0 [ 90.288311][ T5103] ? gfs2_fallocate+0x490/0x490 [ 90.293174][ T5103] ? iterate_dir+0x228/0x570 [ 90.297772][ T5103] ? __down_read_common+0x184/0x2c0 [ 90.302978][ T5103] ? iterate_dir+0x10e/0x570 [ 90.307606][ T5103] iterate_dir+0x228/0x570 [ 90.312038][ T5103] ? gfs2_fallocate+0x490/0x490 [ 90.316910][ T5103] __se_sys_getdents64+0x20d/0x4f0 [ 90.322027][ T5103] ? _raw_spin_unlock_irq+0x2e/0x50 [ 90.327230][ T5103] ? __x64_sys_getdents64+0x80/0x80 [ 90.332438][ T5103] ? filldir+0x740/0x740 [ 90.336693][ T5103] ? syscall_enter_from_user_mode+0x32/0x230 [ 90.342693][ T5103] ? syscall_enter_from_user_mode+0x8c/0x230 [ 90.348689][ T5103] do_syscall_64+0x41/0xc0 [ 90.353138][ T5103] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 90.359032][ T5103] RIP: 0033:0x7f281a11eab9 [ 90.363449][ T5103] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5105] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5103] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5103] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5103] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5102] exit_group(0 [pid 5105] <... futex resumed>) = ? [pid 5103] <... futex resumed>) = ? [pid 5102] <... exit_group resumed>) = ? [pid 5105] +++ exited with 0 +++ [pid 5103] +++ exited with 0 +++ [pid 5102] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5102, si_uid=0, si_status=0, si_utime=0, si_stime=34 /* 0.34 s */} --- umount2("./26", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./26/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./26/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./26/binderfs") = 0 [ 90.383143][ T5103] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 90.391579][ T5103] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 90.399549][ T5103] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 90.407521][ T5103] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 90.415526][ T5103] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 90.423497][ T5103] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 90.431484][ T5103] umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./26/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./26/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./26/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./26/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./26") = 0 mkdir("./27", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5106 ./strace-static-x86_64: Process 5106 attached [pid 5106] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5106] chdir("./27") = 0 [pid 5106] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5106] setpgid(0, 0) = 0 [pid 5106] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5106] write(3, "1000", 4) = 4 [pid 5106] close(3) = 0 [pid 5106] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5106] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5106] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5106] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5106] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5107], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5107 [pid 5106] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5106] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5107 attached [pid 5107] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5107] memfd_create("syzkaller", 0) = 3 [pid 5107] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5107] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5107] munmap(0x7f2811caa000, 16777216) = 0 [pid 5107] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5107] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5107] close(3) = 0 [pid 5107] mkdir("./file0", 0777) = 0 [ 90.789968][ T5107] loop0: detected capacity change from 0 to 32768 [ 90.802102][ T5107] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 90.810366][ T5107] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 90.819959][ T5107] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 90.828566][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 90.835682][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5107] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5107] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5107] chdir("./file0") = 0 [pid 5107] ioctl(4, LOOP_CLR_FD) = 0 [pid 5107] close(4) = 0 [pid 5107] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5106] <... futex resumed>) = 0 [pid 5106] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5107] open(".", O_RDONLY [pid 5106] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5107] <... open resumed>) = 4 [pid 5107] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5106] <... futex resumed>) = 0 [pid 5107] getdents64(4, [pid 5106] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 90.881856][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 90.890767][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 90.896060][ T5107] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 90.936163][ T5107] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 90.945226][ T5107] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 90.945226][ T5107] inode = 12 2341 [ 90.945226][ T5107] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 90.963853][ T5107] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 90.972897][ T5107] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5107 [syz-executor171] iterate_dir+0x228/0x570 [pid 5106] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5106] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5106] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5106] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5106] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5109], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5109 [pid 5106] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5106] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5109 attached [pid 5109] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 90.982837][ T5107] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 90.989464][ T5109] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 90.991613][ T5107] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 91.000293][ T5109] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 91.007110][ T5107] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 91.007124][ T5107] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 91.007289][ T5107] gfs2: fsid=syz:syz.0: File system withdrawn [ 91.037558][ T5107] CPU: 0 PID: 5107 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 91.047658][ T5107] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 91.057728][ T5107] Call Trace: [ 91.061054][ T5107] [ 91.064024][ T5107] dump_stack_lvl+0x1e7/0x2d0 [ 91.068743][ T5107] ? nf_tcp_handle_invalid+0x650/0x650 [ 91.074211][ T5107] ? panic+0x770/0x770 [ 91.078313][ T5107] ? kobject_uevent_env+0x54e/0x8e0 [ 91.083567][ T5107] gfs2_withdraw+0xf48/0x1550 [ 91.088306][ T5107] ? gfs2_lm+0x240/0x240 [ 91.092566][ T5107] ? gfs2_dirent_scan+0xb2/0x640 [ 91.097512][ T5107] ? panic+0x770/0x770 [ 91.101632][ T5107] ? gfs2_consist_inode_i+0xf5/0x110 [ 91.106986][ T5107] gfs2_dirent_scan+0x512/0x640 [ 91.111873][ T5107] ? gfs2_dirent_scan+0x640/0x640 [ 91.116904][ T5107] gfs2_dir_read+0x82f/0x1af0 [ 91.121595][ T5107] ? inode_dio_wait+0x2ad/0x340 [ 91.126453][ T5107] ? inode_owner_or_capable+0x1c0/0x1c0 [ 91.132011][ T5107] ? gfs2_dir_hash_inval+0x80/0x80 [ 91.137132][ T5107] ? _raw_spin_unlock+0x28/0x40 [ 91.141985][ T5107] ? gfs2_glock_nq+0xcbf/0x16c0 [ 91.146844][ T5107] ? inode_go_held+0xea/0x200 [ 91.151521][ T5107] ? gfs2_glock_wait+0x21a/0x2b0 [ 91.156467][ T5107] gfs2_readdir+0x14e/0x1b0 [ 91.160976][ T5107] ? __fdget_pos+0x254/0x2f0 [ 91.165569][ T5107] ? gfs2_fallocate+0x490/0x490 [ 91.170439][ T5107] ? iterate_dir+0x228/0x570 [ 91.175036][ T5107] ? __down_read_common+0x184/0x2c0 [ 91.180234][ T5107] ? iterate_dir+0x10e/0x570 [ 91.184828][ T5107] iterate_dir+0x228/0x570 [ 91.189252][ T5107] ? gfs2_fallocate+0x490/0x490 [ 91.194127][ T5107] __se_sys_getdents64+0x20d/0x4f0 [ 91.199249][ T5107] ? _raw_spin_unlock_irq+0x2e/0x50 [ 91.204469][ T5107] ? __x64_sys_getdents64+0x80/0x80 [ 91.209683][ T5107] ? filldir+0x740/0x740 [ 91.213945][ T5107] ? syscall_enter_from_user_mode+0x32/0x230 [ 91.219923][ T5107] ? syscall_enter_from_user_mode+0x8c/0x230 [ 91.225904][ T5107] do_syscall_64+0x41/0xc0 [ 91.230327][ T5107] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 91.236234][ T5107] RIP: 0033:0x7f281a11eab9 [ 91.240646][ T5107] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 91.260254][ T5107] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 91.268690][ T5107] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 91.276673][ T5107] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [pid 5109] open("./file0", O_RDONLY [pid 5106] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5107] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5107] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5107] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5109] <... open resumed>) = -1 EIO (Input/output error) [pid 5109] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5106] exit_group(0 [pid 5109] <... futex resumed>) = 0 [pid 5109] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5107] <... futex resumed>) = ? [pid 5106] <... exit_group resumed>) = ? [pid 5107] +++ exited with 0 +++ [pid 5109] <... futex resumed>) = ? [pid 5109] +++ exited with 0 +++ [pid 5106] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5106, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=39 /* 0.39 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./27", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./27/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./27/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./27/binderfs") = 0 [ 91.284653][ T5107] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 91.292632][ T5107] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 91.300612][ T5107] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 91.308599][ T5107] [ 91.315341][ T5109] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5109 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 91.325688][ T5109] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./27/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./27/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./27/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./27/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./27") = 0 mkdir("./28", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5110 ./strace-static-x86_64: Process 5110 attached [pid 5110] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5110] chdir("./28") = 0 [pid 5110] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5110] setpgid(0, 0) = 0 [pid 5110] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5110] write(3, "1000", 4) = 4 [pid 5110] close(3) = 0 [pid 5110] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5110] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5110] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5110] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5110] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5111], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5111 [pid 5110] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5110] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5111 attached [pid 5111] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5111] memfd_create("syzkaller", 0) = 3 [pid 5111] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5111] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5111] munmap(0x7f2811caa000, 16777216) = 0 [pid 5111] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5111] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5111] close(3) = 0 [pid 5111] mkdir("./file0", 0777) = 0 [ 91.731567][ T5111] loop0: detected capacity change from 0 to 32768 [ 91.743882][ T5111] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 91.752117][ T5111] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 91.762747][ T5111] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 91.771674][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 91.778819][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5111] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5111] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5111] chdir("./file0") = 0 [pid 5111] ioctl(4, LOOP_CLR_FD) = 0 [pid 5111] close(4) = 0 [pid 5111] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5110] <... futex resumed>) = 0 [pid 5110] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5110] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5111] <... futex resumed>) = 1 [pid 5111] open(".", O_RDONLY) = 4 [pid 5111] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5110] <... futex resumed>) = 0 [pid 5110] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5110] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5111] <... futex resumed>) = 1 [ 91.814748][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 91.822282][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 91.827823][ T5111] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 91.852480][ T5111] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5111] getdents64(4, [pid 5110] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5110] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5110] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5110] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5110] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5113], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5113 [pid 5110] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5110] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5113 attached [ 91.861614][ T5111] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 91.861614][ T5111] inode = 12 2341 [ 91.861614][ T5111] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 91.880847][ T5111] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 91.890341][ T5111] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5111 [syz-executor171] iterate_dir+0x228/0x570 [ 91.900684][ T5111] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5113] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5113] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5113] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5110] <... futex resumed>) = 0 [pid 5113] <... futex resumed>) = 1 [ 91.909459][ T5111] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 91.916951][ T5111] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 91.925764][ T5111] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 91.932481][ T5111] gfs2: fsid=syz:syz.0: File system withdrawn [ 91.938748][ T5111] CPU: 1 PID: 5111 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 91.948833][ T5111] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 91.958883][ T5111] Call Trace: [ 91.962166][ T5111] [ 91.965112][ T5111] dump_stack_lvl+0x1e7/0x2d0 [ 91.969823][ T5111] ? nf_tcp_handle_invalid+0x650/0x650 [ 91.975303][ T5111] ? panic+0x770/0x770 [ 91.979392][ T5111] ? kobject_uevent_env+0x54e/0x8e0 [ 91.984606][ T5111] gfs2_withdraw+0xf48/0x1550 [ 91.989301][ T5111] ? gfs2_lm+0x240/0x240 [ 91.993552][ T5111] ? gfs2_dirent_scan+0xb2/0x640 [ 91.998507][ T5111] ? panic+0x770/0x770 [ 92.002613][ T5111] ? gfs2_consist_inode_i+0xf5/0x110 [ 92.007930][ T5111] gfs2_dirent_scan+0x512/0x640 [pid 5113] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5110] exit_group(0 [pid 5113] <... futex resumed>) = ? [pid 5110] <... exit_group resumed>) = ? [pid 5113] +++ exited with 0 +++ [ 92.012803][ T5111] ? gfs2_dirent_scan+0x640/0x640 [ 92.017852][ T5111] gfs2_dir_read+0x82f/0x1af0 [ 92.022542][ T5111] ? inode_dio_wait+0x2ad/0x340 [ 92.027413][ T5111] ? inode_owner_or_capable+0x1c0/0x1c0 [ 92.033005][ T5111] ? gfs2_dir_hash_inval+0x80/0x80 [ 92.038152][ T5111] ? _raw_spin_unlock+0x28/0x40 [ 92.043008][ T5111] ? gfs2_glock_nq+0xcbf/0x16c0 [ 92.047892][ T5111] ? inode_go_held+0xea/0x200 [ 92.052590][ T5111] ? gfs2_glock_wait+0x21a/0x2b0 [ 92.057553][ T5111] gfs2_readdir+0x14e/0x1b0 [ 92.062104][ T5111] ? __fdget_pos+0x254/0x2f0 [ 92.066719][ T5111] ? gfs2_fallocate+0x490/0x490 [ 92.071597][ T5111] ? iterate_dir+0x228/0x570 [ 92.076220][ T5111] ? __down_read_common+0x184/0x2c0 [ 92.081436][ T5111] ? iterate_dir+0x10e/0x570 [ 92.086048][ T5111] iterate_dir+0x228/0x570 [ 92.090464][ T5111] ? gfs2_fallocate+0x490/0x490 [ 92.095333][ T5111] __se_sys_getdents64+0x20d/0x4f0 [ 92.100470][ T5111] ? _raw_spin_unlock_irq+0x2e/0x50 [ 92.105677][ T5111] ? __x64_sys_getdents64+0x80/0x80 [ 92.110883][ T5111] ? filldir+0x740/0x740 [ 92.115148][ T5111] ? syscall_enter_from_user_mode+0x32/0x230 [ 92.121147][ T5111] ? syscall_enter_from_user_mode+0x8c/0x230 [ 92.127124][ T5111] do_syscall_64+0x41/0xc0 [ 92.131553][ T5111] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 92.137465][ T5111] RIP: 0033:0x7f281a11eab9 [ 92.141882][ T5111] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5111] <... getdents64 resumed> ) = ? [pid 5111] +++ exited with 0 +++ [pid 5110] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5110, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=33 /* 0.33 s */} --- umount2("./28", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./28/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./28/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./28/binderfs") = 0 [ 92.161484][ T5111] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 92.169906][ T5111] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 92.177874][ T5111] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 92.185854][ T5111] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 92.193842][ T5111] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 92.201810][ T5111] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 92.209809][ T5111] umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./28/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./28/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./28/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./28/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./28") = 0 mkdir("./29", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5114 ./strace-static-x86_64: Process 5114 attached [pid 5114] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5114] chdir("./29") = 0 [pid 5114] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5114] setpgid(0, 0) = 0 [pid 5114] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5114] write(3, "1000", 4) = 4 [pid 5114] close(3) = 0 [pid 5114] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5114] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5114] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5114] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5115 attached , parent_tid=[5115], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5115 [pid 5114] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5115] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5115] memfd_create("syzkaller", 0) = 3 [pid 5115] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5115] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5115] munmap(0x7f2811caa000, 16777216) = 0 [pid 5115] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5115] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5115] close(3) = 0 [pid 5115] mkdir("./file0", 0777) = 0 [ 92.601258][ T5115] loop0: detected capacity change from 0 to 32768 [ 92.612058][ T5115] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 92.620344][ T5115] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 92.630883][ T5115] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 92.639847][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 92.646720][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5115] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5115] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5115] chdir("./file0") = 0 [pid 5115] ioctl(4, LOOP_CLR_FD) = 0 [pid 5115] close(4) = 0 [pid 5115] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5114] <... futex resumed>) = 0 [pid 5114] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5115] <... futex resumed>) = 1 [pid 5115] open(".", O_RDONLY) = 4 [pid 5115] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5114] <... futex resumed>) = 0 [pid 5114] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5115] <... futex resumed>) = 1 [ 92.685975][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 92.693494][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 92.698733][ T5115] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 92.725234][ T5115] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 92.733931][ T5115] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 92.733931][ T5115] inode = 12 2341 [ 92.733931][ T5115] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 92.752807][ T5115] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 92.761979][ T5115] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5115 [syz-executor171] iterate_dir+0x228/0x570 [ 92.772004][ T5115] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5115] getdents64(4, [pid 5114] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5114] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5114] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5114] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5117], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5117 [pid 5114] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5114] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5117 attached [pid 5117] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5117] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5117] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5114] <... futex resumed>) = 0 [ 92.780543][ T5115] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 92.788965][ T5115] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 92.798822][ T5115] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 92.805854][ T5115] gfs2: fsid=syz:syz.0: File system withdrawn [ 92.812206][ T5115] CPU: 0 PID: 5115 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 92.822267][ T5115] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 92.832314][ T5115] Call Trace: [ 92.835601][ T5115] [ 92.838557][ T5115] dump_stack_lvl+0x1e7/0x2d0 [ 92.843283][ T5115] ? nf_tcp_handle_invalid+0x650/0x650 [ 92.848774][ T5115] ? panic+0x770/0x770 [ 92.852880][ T5115] ? kobject_uevent_env+0x54e/0x8e0 [ 92.858089][ T5115] gfs2_withdraw+0xf48/0x1550 [ 92.862784][ T5115] ? gfs2_lm+0x240/0x240 [ 92.867042][ T5115] ? gfs2_dirent_scan+0xb2/0x640 [ 92.871985][ T5115] ? panic+0x770/0x770 [ 92.876072][ T5115] ? gfs2_consist_inode_i+0xf5/0x110 [ 92.881370][ T5115] gfs2_dirent_scan+0x512/0x640 [ 92.886253][ T5115] ? gfs2_dirent_scan+0x640/0x640 [ 92.891296][ T5115] gfs2_dir_read+0x82f/0x1af0 [ 92.895977][ T5115] ? inode_dio_wait+0x2ad/0x340 [ 92.900850][ T5115] ? inode_owner_or_capable+0x1c0/0x1c0 [ 92.906442][ T5115] ? gfs2_dir_hash_inval+0x80/0x80 [ 92.911579][ T5115] ? _raw_spin_unlock+0x28/0x40 [ 92.916441][ T5115] ? gfs2_glock_nq+0xcbf/0x16c0 [ 92.921342][ T5115] ? inode_go_held+0xea/0x200 [ 92.926017][ T5115] ? gfs2_glock_wait+0x21a/0x2b0 [ 92.930962][ T5115] gfs2_readdir+0x14e/0x1b0 [pid 5117] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5114] exit_group(0 [pid 5117] <... futex resumed>) = ? [pid 5114] <... exit_group resumed>) = ? [pid 5117] +++ exited with 0 +++ [ 92.935462][ T5115] ? __fdget_pos+0x254/0x2f0 [ 92.940043][ T5115] ? gfs2_fallocate+0x490/0x490 [ 92.944907][ T5115] ? iterate_dir+0x228/0x570 [ 92.949503][ T5115] ? __down_read_common+0x184/0x2c0 [ 92.954712][ T5115] ? iterate_dir+0x10e/0x570 [ 92.959322][ T5115] iterate_dir+0x228/0x570 [ 92.963768][ T5115] ? gfs2_fallocate+0x490/0x490 [ 92.968632][ T5115] __se_sys_getdents64+0x20d/0x4f0 [ 92.973766][ T5115] ? _raw_spin_unlock_irq+0x2e/0x50 [ 92.978977][ T5115] ? __x64_sys_getdents64+0x80/0x80 [ 92.984196][ T5115] ? filldir+0x740/0x740 [ 92.988453][ T5115] ? syscall_enter_from_user_mode+0x32/0x230 [ 92.994447][ T5115] ? syscall_enter_from_user_mode+0x8c/0x230 [ 93.000439][ T5115] do_syscall_64+0x41/0xc0 [ 93.004856][ T5115] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 93.010759][ T5115] RIP: 0033:0x7f281a11eab9 [ 93.015191][ T5115] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5115] <... getdents64 resumed> ) = ? [pid 5115] +++ exited with 0 +++ [pid 5114] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5114, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=35 /* 0.35 s */} --- umount2("./29", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./29/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./29/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./29/binderfs") = 0 [ 93.034808][ T5115] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 93.043232][ T5115] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 93.051218][ T5115] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 93.059189][ T5115] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 93.067170][ T5115] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 93.075140][ T5115] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 93.083130][ T5115] umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./29/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./29/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./29/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./29/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./29") = 0 mkdir("./30", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5118 ./strace-static-x86_64: Process 5118 attached [pid 5118] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5118] chdir("./30") = 0 [pid 5118] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5118] setpgid(0, 0) = 0 [pid 5118] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5118] write(3, "1000", 4) = 4 [pid 5118] close(3) = 0 [pid 5118] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5118] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5118] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5118] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5118] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5119], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5119 [pid 5118] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5118] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5119 attached [pid 5119] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5119] memfd_create("syzkaller", 0) = 3 [pid 5119] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5119] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5119] munmap(0x7f2811caa000, 16777216) = 0 [pid 5119] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5119] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5119] close(3) = 0 [pid 5119] mkdir("./file0", 0777) = 0 [ 93.460873][ T5119] loop0: detected capacity change from 0 to 32768 [ 93.471999][ T5119] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 93.481743][ T5119] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 93.491380][ T5119] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 93.500003][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 93.506832][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5119] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5119] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5119] chdir("./file0") = 0 [pid 5119] ioctl(4, LOOP_CLR_FD) = 0 [pid 5119] close(4) = 0 [pid 5119] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5118] <... futex resumed>) = 0 [pid 5119] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5118] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5119] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5118] <... futex resumed>) = 0 [pid 5119] open(".", O_RDONLY [pid 5118] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5119] <... open resumed>) = 4 [pid 5119] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5118] <... futex resumed>) = 0 [pid 5119] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5118] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5119] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5118] <... futex resumed>) = 0 [pid 5119] getdents64(4, [ 93.546634][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 93.555740][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 93.561001][ T5119] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 93.602330][ T5119] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 93.611027][ T5119] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 93.611027][ T5119] inode = 12 2341 [ 93.611027][ T5119] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 93.629728][ T5119] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 93.639062][ T5119] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5119 [syz-executor171] iterate_dir+0x228/0x570 [pid 5118] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5118] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5118] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5118] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5118] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5121 attached , parent_tid=[5121], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5121 [pid 5121] set_robust_list(0x7f2812ca99e0, 24 [pid 5118] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5118] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5121] <... set_robust_list resumed>) = 0 [pid 5121] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5121] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5118] <... futex resumed>) = 0 [ 93.649189][ T5119] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 93.657752][ T5119] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 93.665010][ T5119] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 93.674187][ T5119] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 93.681773][ T5119] gfs2: fsid=syz:syz.0: File system withdrawn [ 93.691771][ T5119] CPU: 0 PID: 5119 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 93.701886][ T5119] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 93.711973][ T5119] Call Trace: [ 93.715265][ T5119] [ 93.718219][ T5119] dump_stack_lvl+0x1e7/0x2d0 [ 93.722917][ T5119] ? nf_tcp_handle_invalid+0x650/0x650 [ 93.728391][ T5119] ? panic+0x770/0x770 [ 93.732489][ T5119] ? kobject_uevent_env+0x54e/0x8e0 [ 93.737722][ T5119] gfs2_withdraw+0xf48/0x1550 [ 93.742433][ T5119] ? gfs2_lm+0x240/0x240 [ 93.746700][ T5119] ? gfs2_dirent_scan+0xb2/0x640 [ 93.751642][ T5119] ? panic+0x770/0x770 [ 93.755726][ T5119] ? gfs2_consist_inode_i+0xf5/0x110 [ 93.761049][ T5119] gfs2_dirent_scan+0x512/0x640 [ 93.765941][ T5119] ? gfs2_dirent_scan+0x640/0x640 [ 93.770971][ T5119] gfs2_dir_read+0x82f/0x1af0 [ 93.775675][ T5119] ? inode_dio_wait+0x2ad/0x340 [ 93.780552][ T5119] ? inode_owner_or_capable+0x1c0/0x1c0 [ 93.786102][ T5119] ? gfs2_dir_hash_inval+0x80/0x80 [ 93.791217][ T5119] ? _raw_spin_unlock+0x28/0x40 [ 93.796075][ T5119] ? gfs2_glock_nq+0xcbf/0x16c0 [ 93.800937][ T5119] ? inode_go_held+0xea/0x200 [ 93.805616][ T5119] ? gfs2_glock_wait+0x21a/0x2b0 [ 93.810564][ T5119] gfs2_readdir+0x14e/0x1b0 [ 93.815073][ T5119] ? __fdget_pos+0x254/0x2f0 [ 93.819661][ T5119] ? gfs2_fallocate+0x490/0x490 [ 93.824513][ T5119] ? iterate_dir+0x228/0x570 [ 93.829102][ T5119] ? __down_read_common+0x184/0x2c0 [ 93.834315][ T5119] ? iterate_dir+0x10e/0x570 [ 93.838910][ T5119] iterate_dir+0x228/0x570 [ 93.843347][ T5119] ? gfs2_fallocate+0x490/0x490 [ 93.848208][ T5119] __se_sys_getdents64+0x20d/0x4f0 [ 93.853329][ T5119] ? _raw_spin_unlock_irq+0x2e/0x50 [ 93.858537][ T5119] ? __x64_sys_getdents64+0x80/0x80 [ 93.863750][ T5119] ? filldir+0x740/0x740 [ 93.868004][ T5119] ? syscall_enter_from_user_mode+0x32/0x230 [ 93.873994][ T5119] ? syscall_enter_from_user_mode+0x8c/0x230 [ 93.879975][ T5119] do_syscall_64+0x41/0xc0 [ 93.884396][ T5119] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 93.890293][ T5119] RIP: 0033:0x7f281a11eab9 [ 93.894711][ T5119] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 93.914315][ T5119] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 93.922823][ T5119] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 93.930799][ T5119] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 93.938775][ T5119] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5121] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5119] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5119] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5118] exit_group(0 [pid 5119] <... futex resumed>) = ? [pid 5118] <... exit_group resumed>) = ? [pid 5121] <... futex resumed>) = ? [pid 5119] +++ exited with 0 +++ [pid 5121] +++ exited with 0 +++ [pid 5118] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5118, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./30", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./30/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./30/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./30/binderfs") = 0 [ 93.946744][ T5119] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 93.954715][ T5119] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 93.962700][ T5119] umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./30/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./30/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./30/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./30/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./30") = 0 mkdir("./31", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5122 ./strace-static-x86_64: Process 5122 attached [pid 5122] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5122] chdir("./31") = 0 [pid 5122] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5122] setpgid(0, 0) = 0 [pid 5122] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5122] write(3, "1000", 4) = 4 [pid 5122] close(3) = 0 [pid 5122] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5122] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5122] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5122] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5122] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5123], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5123 ./strace-static-x86_64: Process 5123 attached [pid 5122] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5122] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5123] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5123] memfd_create("syzkaller", 0) = 3 [pid 5123] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5123] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5123] munmap(0x7f2811caa000, 16777216) = 0 [pid 5123] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5123] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5123] close(3) = 0 [pid 5123] mkdir("./file0", 0777) = 0 [ 94.348225][ T5123] loop0: detected capacity change from 0 to 32768 [ 94.360031][ T5123] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 94.368323][ T5123] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 94.377652][ T5123] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 94.386368][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 94.393184][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5123] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5123] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5123] chdir("./file0") = 0 [pid 5123] ioctl(4, LOOP_CLR_FD) = 0 [pid 5123] close(4) = 0 [pid 5123] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5122] <... futex resumed>) = 0 [pid 5122] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5122] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5123] open(".", O_RDONLY) = 4 [pid 5123] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5122] <... futex resumed>) = 0 [pid 5123] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5122] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5123] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5122] <... futex resumed>) = 0 [ 94.439731][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 94.447423][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 94.452706][ T5123] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5123] getdents64(4, [ 94.496355][ T5123] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 94.505056][ T5123] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 94.505056][ T5123] inode = 12 2341 [ 94.505056][ T5123] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 94.524111][ T5123] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 94.533163][ T5123] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5123 [syz-executor171] iterate_dir+0x228/0x570 [pid 5122] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5122] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5122] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5122] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5122] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5125], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5125 [pid 5122] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5122] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5125 attached [pid 5125] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5125] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5125] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5122] <... futex resumed>) = 0 [pid 5125] <... futex resumed>) = 1 [ 94.543161][ T5123] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 94.551828][ T5123] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 94.559668][ T5123] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 94.568505][ T5123] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 94.576630][ T5123] gfs2: fsid=syz:syz.0: File system withdrawn [ 94.582724][ T5123] CPU: 0 PID: 5123 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 94.592788][ T5123] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 94.602852][ T5123] Call Trace: [ 94.606139][ T5123] [ 94.609105][ T5123] dump_stack_lvl+0x1e7/0x2d0 [ 94.613813][ T5123] ? nf_tcp_handle_invalid+0x650/0x650 [ 94.619285][ T5123] ? panic+0x770/0x770 [ 94.623381][ T5123] ? kobject_uevent_env+0x54e/0x8e0 [ 94.628610][ T5123] gfs2_withdraw+0xf48/0x1550 [ 94.633354][ T5123] ? gfs2_lm+0x240/0x240 [ 94.637643][ T5123] ? gfs2_dirent_scan+0xb2/0x640 [ 94.642609][ T5123] ? panic+0x770/0x770 [ 94.646681][ T5123] ? gfs2_consist_inode_i+0xf5/0x110 [ 94.651992][ T5123] gfs2_dirent_scan+0x512/0x640 [ 94.656868][ T5123] ? gfs2_dirent_scan+0x640/0x640 [ 94.661917][ T5123] gfs2_dir_read+0x82f/0x1af0 [ 94.666626][ T5123] ? inode_dio_wait+0x2ad/0x340 [ 94.671486][ T5123] ? inode_owner_or_capable+0x1c0/0x1c0 [ 94.677038][ T5123] ? gfs2_dir_hash_inval+0x80/0x80 [ 94.682165][ T5123] ? _raw_spin_unlock+0x28/0x40 [ 94.687049][ T5123] ? gfs2_glock_nq+0xcbf/0x16c0 [ 94.691942][ T5123] ? inode_go_held+0xea/0x200 [ 94.696647][ T5123] ? gfs2_glock_wait+0x21a/0x2b0 [ 94.701617][ T5123] gfs2_readdir+0x14e/0x1b0 [ 94.706150][ T5123] ? __fdget_pos+0x254/0x2f0 [ 94.710775][ T5123] ? gfs2_fallocate+0x490/0x490 [ 94.715668][ T5123] ? iterate_dir+0x228/0x570 [ 94.720272][ T5123] ? __down_read_common+0x184/0x2c0 [ 94.725493][ T5123] ? iterate_dir+0x10e/0x570 [ 94.730097][ T5123] iterate_dir+0x228/0x570 [ 94.734528][ T5123] ? gfs2_fallocate+0x490/0x490 [ 94.739383][ T5123] __se_sys_getdents64+0x20d/0x4f0 [pid 5125] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5122] exit_group(0 [pid 5125] <... futex resumed>) = ? [pid 5122] <... exit_group resumed>) = ? [pid 5125] +++ exited with 0 +++ [ 94.744533][ T5123] ? _raw_spin_unlock_irq+0x2e/0x50 [ 94.749771][ T5123] ? __x64_sys_getdents64+0x80/0x80 [ 94.754973][ T5123] ? filldir+0x740/0x740 [ 94.759227][ T5123] ? syscall_enter_from_user_mode+0x32/0x230 [ 94.765203][ T5123] ? syscall_enter_from_user_mode+0x8c/0x230 [ 94.771179][ T5123] do_syscall_64+0x41/0xc0 [ 94.775596][ T5123] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 94.781481][ T5123] RIP: 0033:0x7f281a11eab9 [ 94.785888][ T5123] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 94.805489][ T5123] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 94.813898][ T5123] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 94.821888][ T5123] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 94.829853][ T5123] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 94.837826][ T5123] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5123] <... getdents64 resumed> ) = ? [pid 5123] +++ exited with 0 +++ [pid 5122] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5122, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- umount2("./31", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./31/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./31/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./31/binderfs") = 0 [ 94.845802][ T5123] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 94.853804][ T5123] umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./31/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./31/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./31/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./31/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./31") = 0 mkdir("./32", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5126 ./strace-static-x86_64: Process 5126 attached [pid 5126] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5126] chdir("./32") = 0 [pid 5126] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5126] setpgid(0, 0) = 0 [pid 5126] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5126] write(3, "1000", 4) = 4 [pid 5126] close(3) = 0 [pid 5126] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5126] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5126] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5126] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5127 attached [pid 5127] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5127] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5126] <... clone resumed>, parent_tid=[5127], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5127 [pid 5126] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5127] <... futex resumed>) = 0 [pid 5126] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5127] memfd_create("syzkaller", 0) = 3 [pid 5127] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5127] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5127] munmap(0x7f2811caa000, 16777216) = 0 [pid 5127] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5127] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5127] close(3) = 0 [pid 5127] mkdir("./file0", 0777) = 0 [ 95.218594][ T5127] loop0: detected capacity change from 0 to 32768 [ 95.229258][ T5127] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 95.238304][ T5127] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 95.247902][ T5127] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 95.256482][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 95.263372][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5127] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5127] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5127] chdir("./file0") = 0 [pid 5127] ioctl(4, LOOP_CLR_FD) = 0 [pid 5127] close(4) = 0 [pid 5127] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5126] <... futex resumed>) = 0 [pid 5126] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5127] <... futex resumed>) = 1 [pid 5127] open(".", O_RDONLY) = 4 [pid 5127] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5126] <... futex resumed>) = 0 [pid 5126] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5127] <... futex resumed>) = 1 [ 95.298515][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 95.306118][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 95.312133][ T5127] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 95.337981][ T5127] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5127] getdents64(4, [pid 5126] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5126] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5126] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5126] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5129], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5129 [pid 5126] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5126] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5129 attached [pid 5129] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 95.353382][ T5127] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 95.353382][ T5127] inode = 12 2341 [ 95.353382][ T5127] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 95.372610][ T5127] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 95.381906][ T5127] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5127 [syz-executor171] iterate_dir+0x228/0x570 [ 95.392103][ T5127] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5129] open("./file0", O_RDONLY [pid 5126] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 95.395184][ T5129] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 95.400871][ T5127] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 95.409430][ T5129] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 95.416484][ T5127] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 95.434252][ T5127] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 95.440799][ T5127] gfs2: fsid=syz:syz.0: File system withdrawn [ 95.447195][ T5127] CPU: 1 PID: 5127 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 95.457279][ T5127] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 95.467332][ T5127] Call Trace: [ 95.470604][ T5127] [ 95.473529][ T5127] dump_stack_lvl+0x1e7/0x2d0 [ 95.478235][ T5127] ? nf_tcp_handle_invalid+0x650/0x650 [ 95.483709][ T5127] ? panic+0x770/0x770 [ 95.487796][ T5127] ? kobject_uevent_env+0x54e/0x8e0 [ 95.493011][ T5127] gfs2_withdraw+0xf48/0x1550 [ 95.497712][ T5127] ? gfs2_lm+0x240/0x240 [ 95.501961][ T5127] ? gfs2_dirent_scan+0xb2/0x640 [ 95.506903][ T5127] ? panic+0x770/0x770 [ 95.510981][ T5127] ? gfs2_consist_inode_i+0xf5/0x110 [ 95.516277][ T5127] gfs2_dirent_scan+0x512/0x640 [ 95.521184][ T5127] ? gfs2_dirent_scan+0x640/0x640 [ 95.526215][ T5127] gfs2_dir_read+0x82f/0x1af0 [ 95.530902][ T5127] ? inode_dio_wait+0x2ad/0x340 [ 95.535774][ T5127] ? inode_owner_or_capable+0x1c0/0x1c0 [ 95.541340][ T5127] ? gfs2_dir_hash_inval+0x80/0x80 [ 95.546467][ T5127] ? _raw_spin_unlock+0x28/0x40 [ 95.551316][ T5127] ? gfs2_glock_nq+0xcbf/0x16c0 [ 95.556181][ T5127] ? inode_go_held+0xea/0x200 [ 95.560874][ T5127] ? gfs2_glock_wait+0x21a/0x2b0 [ 95.565837][ T5127] gfs2_readdir+0x14e/0x1b0 [ 95.570368][ T5127] ? __fdget_pos+0x254/0x2f0 [ 95.574957][ T5127] ? gfs2_fallocate+0x490/0x490 [ 95.579815][ T5127] ? iterate_dir+0x228/0x570 [ 95.584404][ T5127] ? __down_read_common+0x184/0x2c0 [ 95.589600][ T5127] ? iterate_dir+0x10e/0x570 [ 95.594196][ T5127] iterate_dir+0x228/0x570 [ 95.598622][ T5127] ? gfs2_fallocate+0x490/0x490 [ 95.603485][ T5127] __se_sys_getdents64+0x20d/0x4f0 [ 95.608623][ T5127] ? _raw_spin_unlock_irq+0x2e/0x50 [ 95.613830][ T5127] ? __x64_sys_getdents64+0x80/0x80 [ 95.619037][ T5127] ? filldir+0x740/0x740 [ 95.623298][ T5127] ? syscall_enter_from_user_mode+0x32/0x230 [ 95.629292][ T5127] ? syscall_enter_from_user_mode+0x8c/0x230 [ 95.635273][ T5127] do_syscall_64+0x41/0xc0 [ 95.639696][ T5127] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 95.645624][ T5127] RIP: 0033:0x7f281a11eab9 [ 95.650040][ T5127] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 95.669651][ T5127] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 95.678073][ T5127] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 95.686051][ T5127] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 95.694023][ T5127] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5127] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5127] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5127] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5129] <... open resumed>) = -1 EIO (Input/output error) [pid 5129] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5129] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5126] exit_group(0 [pid 5127] <... futex resumed>) = ? [pid 5126] <... exit_group resumed>) = ? [pid 5129] <... futex resumed>) = ? [pid 5127] +++ exited with 0 +++ [pid 5129] +++ exited with 0 +++ [pid 5126] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5126, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=40 /* 0.40 s */} --- umount2("./32", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./32", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./32/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./32/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./32/binderfs") = 0 [ 95.701995][ T5127] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 95.709978][ T5127] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 95.717965][ T5127] [ 95.725309][ T5129] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5129 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 95.735891][ T5129] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./32/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./32/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./32/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./32/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./32") = 0 mkdir("./33", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5130 ./strace-static-x86_64: Process 5130 attached [pid 5130] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5130] chdir("./33") = 0 [pid 5130] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5130] setpgid(0, 0) = 0 [pid 5130] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5130] write(3, "1000", 4) = 4 [pid 5130] close(3) = 0 [pid 5130] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5130] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5130] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5130] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5130] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5131], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5131 ./strace-static-x86_64: Process 5131 attached [pid 5130] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5130] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5131] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5131] memfd_create("syzkaller", 0) = 3 [pid 5131] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5131] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5131] munmap(0x7f2811caa000, 16777216) = 0 [pid 5131] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5131] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5131] close(3) = 0 [pid 5131] mkdir("./file0", 0777) = 0 [ 96.087908][ T5131] loop0: detected capacity change from 0 to 32768 [ 96.101587][ T5131] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 96.109823][ T5131] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 96.119390][ T5131] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 96.128003][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 96.135218][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5131] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5131] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5131] chdir("./file0") = 0 [pid 5131] ioctl(4, LOOP_CLR_FD) = 0 [pid 5131] close(4) = 0 [pid 5131] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5130] <... futex resumed>) = 0 [pid 5130] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5130] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5131] open(".", O_RDONLY) = 4 [pid 5131] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5130] <... futex resumed>) = 0 [pid 5130] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5130] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 96.175418][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 96.183794][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 96.189059][ T5131] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 96.223148][ T5131] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 96.232110][ T5131] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 96.232110][ T5131] inode = 12 2341 [ 96.232110][ T5131] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 96.251392][ T5131] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 96.260810][ T5131] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5131 [syz-executor171] iterate_dir+0x228/0x570 [pid 5131] getdents64(4, [pid 5130] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5130] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5130] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5130] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5130] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5133], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5133 [pid 5130] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5130] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5133 attached [pid 5133] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5133] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5133] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5130] <... futex resumed>) = 0 [ 96.271058][ T5131] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 96.279952][ T5131] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 96.287471][ T5131] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 96.296512][ T5131] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 96.303420][ T5131] gfs2: fsid=syz:syz.0: File system withdrawn [ 96.309841][ T5131] CPU: 0 PID: 5131 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 96.319901][ T5131] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 96.329947][ T5131] Call Trace: [ 96.333218][ T5131] [ 96.336159][ T5131] dump_stack_lvl+0x1e7/0x2d0 [ 96.340845][ T5131] ? nf_tcp_handle_invalid+0x650/0x650 [ 96.346308][ T5131] ? panic+0x770/0x770 [ 96.350376][ T5131] ? kobject_uevent_env+0x54e/0x8e0 [ 96.355576][ T5131] gfs2_withdraw+0xf48/0x1550 [ 96.360277][ T5131] ? gfs2_lm+0x240/0x240 [ 96.364520][ T5131] ? gfs2_dirent_scan+0xb2/0x640 [ 96.369456][ T5131] ? panic+0x770/0x770 [ 96.373531][ T5131] ? gfs2_consist_inode_i+0xf5/0x110 [ 96.378816][ T5131] gfs2_dirent_scan+0x512/0x640 [ 96.383672][ T5131] ? gfs2_dirent_scan+0x640/0x640 [ 96.388713][ T5131] gfs2_dir_read+0x82f/0x1af0 [ 96.393421][ T5131] ? inode_dio_wait+0x2ad/0x340 [ 96.398298][ T5131] ? inode_owner_or_capable+0x1c0/0x1c0 [ 96.403859][ T5131] ? gfs2_dir_hash_inval+0x80/0x80 [ 96.408974][ T5131] ? _raw_spin_unlock+0x28/0x40 [ 96.413831][ T5131] ? gfs2_glock_nq+0xcbf/0x16c0 [ 96.418704][ T5131] ? inode_go_held+0xea/0x200 [ 96.423399][ T5131] ? gfs2_glock_wait+0x21a/0x2b0 [ 96.428349][ T5131] gfs2_readdir+0x14e/0x1b0 [ 96.432861][ T5131] ? __fdget_pos+0x254/0x2f0 [ 96.437455][ T5131] ? gfs2_fallocate+0x490/0x490 [ 96.442342][ T5131] ? iterate_dir+0x228/0x570 [ 96.446942][ T5131] ? __down_read_common+0x184/0x2c0 [ 96.452145][ T5131] ? iterate_dir+0x10e/0x570 [ 96.456747][ T5131] iterate_dir+0x228/0x570 [ 96.461173][ T5131] ? gfs2_fallocate+0x490/0x490 [ 96.466065][ T5131] __se_sys_getdents64+0x20d/0x4f0 [ 96.471189][ T5131] ? _raw_spin_unlock_irq+0x2e/0x50 [ 96.476407][ T5131] ? __x64_sys_getdents64+0x80/0x80 [ 96.481614][ T5131] ? filldir+0x740/0x740 [ 96.485871][ T5131] ? syscall_enter_from_user_mode+0x32/0x230 [ 96.491853][ T5131] ? syscall_enter_from_user_mode+0x8c/0x230 [ 96.497863][ T5131] do_syscall_64+0x41/0xc0 [ 96.502292][ T5131] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 96.508189][ T5131] RIP: 0033:0x7f281a11eab9 [ 96.512608][ T5131] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 96.532209][ T5131] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 96.540623][ T5131] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 96.548595][ T5131] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 96.556571][ T5131] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 96.564544][ T5131] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5133] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5131] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5131] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5130] exit_group(0 [pid 5133] <... futex resumed>) = ? [pid 5130] <... exit_group resumed>) = ? [pid 5133] +++ exited with 0 +++ [pid 5131] +++ exited with 0 +++ [pid 5130] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5130, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./33", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./33", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./33/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./33/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./33/binderfs") = 0 [ 96.572531][ T5131] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 96.580517][ T5131] umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./33/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./33/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./33/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./33/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./33") = 0 mkdir("./34", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5134 ./strace-static-x86_64: Process 5134 attached [pid 5134] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5134] chdir("./34") = 0 [pid 5134] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5134] setpgid(0, 0) = 0 [pid 5134] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5134] write(3, "1000", 4) = 4 [pid 5134] close(3) = 0 [pid 5134] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5134] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5134] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5134] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5134] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5135 attached [pid 5135] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5135] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5134] <... clone resumed>, parent_tid=[5135], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5135 [pid 5134] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5135] <... futex resumed>) = 0 [pid 5134] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5135] memfd_create("syzkaller", 0) = 3 [pid 5135] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5135] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5135] munmap(0x7f2811caa000, 16777216) = 0 [pid 5135] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5135] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5135] close(3) = 0 [pid 5135] mkdir("./file0", 0777) = 0 [ 96.946444][ T5135] loop0: detected capacity change from 0 to 32768 [ 96.958750][ T5135] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 96.966958][ T5135] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 96.976731][ T5135] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 96.985299][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 96.992294][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5135] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5135] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5135] chdir("./file0") = 0 [pid 5135] ioctl(4, LOOP_CLR_FD) = 0 [pid 5135] close(4) = 0 [pid 5135] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5134] <... futex resumed>) = 0 [pid 5135] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5134] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5135] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5134] <... futex resumed>) = 0 [pid 5135] open(".", O_RDONLY [pid 5134] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5135] <... open resumed>) = 4 [pid 5135] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5134] <... futex resumed>) = 0 [pid 5135] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5134] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5135] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5134] <... futex resumed>) = 0 [pid 5135] getdents64(4, [ 97.032714][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 97.040306][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 97.045584][ T5135] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 97.071378][ T5135] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5134] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 97.080012][ T5135] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 97.080012][ T5135] inode = 12 2341 [ 97.080012][ T5135] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 97.099062][ T5135] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 97.108231][ T5135] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5135 [syz-executor171] iterate_dir+0x228/0x570 [ 97.118348][ T5135] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5134] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5134] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5134] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5134] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5137], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5137 [pid 5134] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5134] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5137 attached [pid 5137] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5137] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5137] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5134] <... futex resumed>) = 0 [ 97.126891][ T5135] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 97.134413][ T5135] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 97.143799][ T5135] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 97.150567][ T5135] gfs2: fsid=syz:syz.0: File system withdrawn [ 97.156981][ T5135] CPU: 0 PID: 5135 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 97.167129][ T5135] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 97.177205][ T5135] Call Trace: [ 97.180510][ T5135] [ 97.183467][ T5135] dump_stack_lvl+0x1e7/0x2d0 [ 97.188184][ T5135] ? nf_tcp_handle_invalid+0x650/0x650 [ 97.193666][ T5135] ? panic+0x770/0x770 [ 97.197771][ T5135] ? kobject_uevent_env+0x54e/0x8e0 [ 97.203003][ T5135] gfs2_withdraw+0xf48/0x1550 [ 97.207716][ T5135] ? gfs2_lm+0x240/0x240 [ 97.211998][ T5135] ? gfs2_dirent_scan+0xb2/0x640 [ 97.216974][ T5135] ? panic+0x770/0x770 [ 97.221069][ T5135] ? gfs2_consist_inode_i+0xf5/0x110 [ 97.226378][ T5135] gfs2_dirent_scan+0x512/0x640 [ 97.231344][ T5135] ? gfs2_dirent_scan+0x640/0x640 [ 97.236387][ T5135] gfs2_dir_read+0x82f/0x1af0 [ 97.241130][ T5135] ? inode_dio_wait+0x2ad/0x340 [ 97.246027][ T5135] ? inode_owner_or_capable+0x1c0/0x1c0 [ 97.251606][ T5135] ? gfs2_dir_hash_inval+0x80/0x80 [ 97.256733][ T5135] ? _raw_spin_unlock+0x28/0x40 [ 97.261692][ T5135] ? gfs2_glock_nq+0xcbf/0x16c0 [ 97.266568][ T5135] ? inode_go_held+0xea/0x200 [ 97.271287][ T5135] ? gfs2_glock_wait+0x21a/0x2b0 [ 97.276295][ T5135] gfs2_readdir+0x14e/0x1b0 [pid 5137] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5134] exit_group(0 [pid 5137] <... futex resumed>) = ? [pid 5134] <... exit_group resumed>) = ? [pid 5137] +++ exited with 0 +++ [ 97.280807][ T5135] ? __fdget_pos+0x254/0x2f0 [ 97.285409][ T5135] ? gfs2_fallocate+0x490/0x490 [ 97.290301][ T5135] ? iterate_dir+0x228/0x570 [ 97.294899][ T5135] ? __down_read_common+0x184/0x2c0 [ 97.300115][ T5135] ? iterate_dir+0x10e/0x570 [ 97.304721][ T5135] iterate_dir+0x228/0x570 [ 97.309249][ T5135] ? gfs2_fallocate+0x490/0x490 [ 97.314115][ T5135] __se_sys_getdents64+0x20d/0x4f0 [ 97.319337][ T5135] ? _raw_spin_unlock_irq+0x2e/0x50 [ 97.324543][ T5135] ? __x64_sys_getdents64+0x80/0x80 [ 97.329844][ T5135] ? filldir+0x740/0x740 [ 97.334118][ T5135] ? syscall_enter_from_user_mode+0x32/0x230 [ 97.340130][ T5135] ? syscall_enter_from_user_mode+0x8c/0x230 [ 97.346137][ T5135] do_syscall_64+0x41/0xc0 [ 97.350574][ T5135] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 97.356503][ T5135] RIP: 0033:0x7f281a11eab9 [ 97.360977][ T5135] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5135] <... getdents64 resumed> ) = ? [pid 5135] +++ exited with 0 +++ [pid 5134] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5134, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- umount2("./34", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./34", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./34/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./34/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./34/binderfs") = 0 [ 97.380586][ T5135] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 97.389001][ T5135] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 97.396994][ T5135] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 97.404985][ T5135] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 97.412953][ T5135] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 97.420936][ T5135] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 97.428938][ T5135] umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./34/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./34/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./34/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./34/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./34") = 0 mkdir("./35", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5138 ./strace-static-x86_64: Process 5138 attached [pid 5138] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5138] chdir("./35") = 0 [pid 5138] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5138] setpgid(0, 0) = 0 [pid 5138] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5138] write(3, "1000", 4) = 4 [pid 5138] close(3) = 0 [pid 5138] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5138] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5138] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5138] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5139], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5139 [pid 5138] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5139 attached [pid 5139] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5139] memfd_create("syzkaller", 0) = 3 [pid 5139] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5139] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5139] munmap(0x7f2811caa000, 16777216) = 0 [pid 5139] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5139] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5139] close(3) = 0 [pid 5139] mkdir("./file0", 0777) = 0 [ 97.790122][ T5139] loop0: detected capacity change from 0 to 32768 [ 97.801909][ T5139] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 97.810465][ T5139] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 97.820768][ T5139] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 97.829522][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 97.836375][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5139] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5139] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5139] chdir("./file0") = 0 [pid 5139] ioctl(4, LOOP_CLR_FD) = 0 [pid 5139] close(4) = 0 [pid 5139] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5138] <... futex resumed>) = 0 [pid 5138] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5139] <... futex resumed>) = 1 [pid 5139] open(".", O_RDONLY) = 4 [pid 5139] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5138] <... futex resumed>) = 0 [pid 5138] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5139] <... futex resumed>) = 1 [ 97.877449][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 97.885111][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 97.890354][ T5139] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 97.912353][ T5139] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5139] getdents64(4, [pid 5138] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 97.921160][ T5139] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 97.921160][ T5139] inode = 12 2341 [ 97.921160][ T5139] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 97.940309][ T5139] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 97.949641][ T5139] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5139 [syz-executor171] iterate_dir+0x228/0x570 [ 97.959657][ T5139] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 97.968197][ T5139] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5138] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5138] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5138] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5141], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5141 [pid 5138] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5138] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5141 attached [pid 5141] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5141] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5141] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5138] <... futex resumed>) = 0 [ 97.975815][ T5139] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 97.985197][ T5139] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 97.992785][ T5139] gfs2: fsid=syz:syz.0: File system withdrawn [ 97.999302][ T5139] CPU: 0 PID: 5139 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 98.009409][ T5139] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 98.019580][ T5139] Call Trace: [ 98.022875][ T5139] [ 98.025824][ T5139] dump_stack_lvl+0x1e7/0x2d0 [ 98.030567][ T5139] ? nf_tcp_handle_invalid+0x650/0x650 [ 98.036074][ T5139] ? panic+0x770/0x770 [ 98.040272][ T5139] ? kobject_uevent_env+0x54e/0x8e0 [ 98.045521][ T5139] gfs2_withdraw+0xf48/0x1550 [ 98.050250][ T5139] ? gfs2_lm+0x240/0x240 [ 98.054521][ T5139] ? gfs2_dirent_scan+0xb2/0x640 [ 98.059491][ T5139] ? panic+0x770/0x770 [ 98.063575][ T5139] ? gfs2_consist_inode_i+0xf5/0x110 [ 98.068894][ T5139] gfs2_dirent_scan+0x512/0x640 [ 98.073784][ T5139] ? gfs2_dirent_scan+0x640/0x640 [ 98.078847][ T5139] gfs2_dir_read+0x82f/0x1af0 [ 98.083574][ T5139] ? inode_dio_wait+0x2ad/0x340 [ 98.088472][ T5139] ? inode_owner_or_capable+0x1c0/0x1c0 [ 98.094050][ T5139] ? gfs2_dir_hash_inval+0x80/0x80 [ 98.099173][ T5139] ? _raw_spin_unlock+0x28/0x40 [ 98.104053][ T5139] ? gfs2_glock_nq+0xcbf/0x16c0 [ 98.108916][ T5139] ? inode_go_held+0xea/0x200 [ 98.113603][ T5139] ? gfs2_glock_wait+0x21a/0x2b0 [ 98.118571][ T5139] gfs2_readdir+0x14e/0x1b0 [ 98.123097][ T5139] ? __fdget_pos+0x254/0x2f0 [pid 5141] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5138] exit_group(0 [pid 5141] <... futex resumed>) = ? [pid 5138] <... exit_group resumed>) = ? [pid 5141] +++ exited with 0 +++ [ 98.127705][ T5139] ? gfs2_fallocate+0x490/0x490 [ 98.132592][ T5139] ? iterate_dir+0x228/0x570 [ 98.137191][ T5139] ? __down_read_common+0x184/0x2c0 [ 98.142405][ T5139] ? iterate_dir+0x10e/0x570 [ 98.147039][ T5139] iterate_dir+0x228/0x570 [ 98.151461][ T5139] ? gfs2_fallocate+0x490/0x490 [ 98.156344][ T5139] __se_sys_getdents64+0x20d/0x4f0 [ 98.161531][ T5139] ? _raw_spin_unlock_irq+0x2e/0x50 [ 98.166749][ T5139] ? __x64_sys_getdents64+0x80/0x80 [ 98.171949][ T5139] ? filldir+0x740/0x740 [ 98.176196][ T5139] ? syscall_enter_from_user_mode+0x32/0x230 [ 98.182199][ T5139] ? syscall_enter_from_user_mode+0x8c/0x230 [ 98.188200][ T5139] do_syscall_64+0x41/0xc0 [ 98.192651][ T5139] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 98.198548][ T5139] RIP: 0033:0x7f281a11eab9 [ 98.202966][ T5139] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5139] <... getdents64 resumed> ) = ? [pid 5139] +++ exited with 0 +++ [pid 5138] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5138, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./35", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./35", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./35/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./35/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./35/binderfs") = 0 [ 98.222748][ T5139] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 98.231160][ T5139] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 98.239140][ T5139] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 98.247121][ T5139] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 98.255088][ T5139] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 98.263057][ T5139] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 98.271068][ T5139] umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./35/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./35/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./35/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./35/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./35") = 0 mkdir("./36", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5142 ./strace-static-x86_64: Process 5142 attached [pid 5142] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5142] chdir("./36") = 0 [pid 5142] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5142] setpgid(0, 0) = 0 [pid 5142] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5142] write(3, "1000", 4) = 4 [pid 5142] close(3) = 0 [pid 5142] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5142] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5142] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5142] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5142] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5143], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5143 [pid 5142] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5142] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5143 attached [pid 5143] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5143] memfd_create("syzkaller", 0) = 3 [pid 5143] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5143] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5143] munmap(0x7f2811caa000, 16777216) = 0 [pid 5143] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5143] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5143] close(3) = 0 [pid 5143] mkdir("./file0", 0777) = 0 [ 98.661790][ T5143] loop0: detected capacity change from 0 to 32768 [ 98.673795][ T5143] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 98.682065][ T5143] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 98.692630][ T5143] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 98.701673][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 98.708806][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5143] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5143] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5143] chdir("./file0") = 0 [pid 5143] ioctl(4, LOOP_CLR_FD) = 0 [pid 5143] close(4) = 0 [pid 5143] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5142] <... futex resumed>) = 0 [pid 5142] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5142] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5143] <... futex resumed>) = 1 [pid 5143] open(".", O_RDONLY) = 4 [pid 5143] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5142] <... futex resumed>) = 0 [pid 5142] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5142] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5143] <... futex resumed>) = 1 [ 98.752589][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 98.760698][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 98.766320][ T5143] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 98.788414][ T5143] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5143] getdents64(4, [pid 5142] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5142] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5142] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5142] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5142] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5145], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5145 [pid 5142] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5142] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5145 attached [pid 5145] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5145] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5145] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5142] <... futex resumed>) = 0 [pid 5145] <... futex resumed>) = 1 [ 98.797394][ T5143] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 98.797394][ T5143] inode = 12 2341 [ 98.797394][ T5143] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 98.816947][ T5143] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 98.826681][ T5143] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5143 [syz-executor171] iterate_dir+0x228/0x570 [ 98.836731][ T5143] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 98.845756][ T5143] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 98.852979][ T5143] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 98.861972][ T5143] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 98.868775][ T5143] gfs2: fsid=syz:syz.0: File system withdrawn [ 98.875251][ T5143] CPU: 0 PID: 5143 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 98.885324][ T5143] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 98.895372][ T5143] Call Trace: [ 98.898658][ T5143] [ 98.901609][ T5143] dump_stack_lvl+0x1e7/0x2d0 [ 98.906292][ T5143] ? nf_tcp_handle_invalid+0x650/0x650 [ 98.911752][ T5143] ? panic+0x770/0x770 [ 98.915814][ T5143] ? kobject_uevent_env+0x54e/0x8e0 [ 98.921016][ T5143] gfs2_withdraw+0xf48/0x1550 [ 98.925720][ T5143] ? gfs2_lm+0x240/0x240 [ 98.930047][ T5143] ? gfs2_dirent_scan+0xb2/0x640 [ 98.935000][ T5143] ? panic+0x770/0x770 [ 98.939078][ T5143] ? gfs2_consist_inode_i+0xf5/0x110 [ 98.944373][ T5143] gfs2_dirent_scan+0x512/0x640 [ 98.949234][ T5143] ? gfs2_dirent_scan+0x640/0x640 [ 98.954268][ T5143] gfs2_dir_read+0x82f/0x1af0 [ 98.958959][ T5143] ? inode_dio_wait+0x2ad/0x340 [ 98.963853][ T5143] ? inode_owner_or_capable+0x1c0/0x1c0 [ 98.969414][ T5143] ? gfs2_dir_hash_inval+0x80/0x80 [ 98.974796][ T5143] ? _raw_spin_unlock+0x28/0x40 [ 98.979649][ T5143] ? gfs2_glock_nq+0xcbf/0x16c0 [ 98.984522][ T5143] ? inode_go_held+0xea/0x200 [ 98.989208][ T5143] ? gfs2_glock_wait+0x21a/0x2b0 [ 98.994159][ T5143] gfs2_readdir+0x14e/0x1b0 [ 98.998684][ T5143] ? __fdget_pos+0x254/0x2f0 [ 99.003293][ T5143] ? gfs2_fallocate+0x490/0x490 [ 99.008160][ T5143] ? iterate_dir+0x228/0x570 [ 99.012786][ T5143] ? __down_read_common+0x184/0x2c0 [ 99.018010][ T5143] ? iterate_dir+0x10e/0x570 [ 99.022616][ T5143] iterate_dir+0x228/0x570 [ 99.027040][ T5143] ? gfs2_fallocate+0x490/0x490 [ 99.031901][ T5143] __se_sys_getdents64+0x20d/0x4f0 [ 99.037029][ T5143] ? _raw_spin_unlock_irq+0x2e/0x50 [ 99.042242][ T5143] ? __x64_sys_getdents64+0x80/0x80 [ 99.047458][ T5143] ? filldir+0x740/0x740 [ 99.051719][ T5143] ? syscall_enter_from_user_mode+0x32/0x230 [ 99.057715][ T5143] ? syscall_enter_from_user_mode+0x8c/0x230 [ 99.063733][ T5143] do_syscall_64+0x41/0xc0 [ 99.068171][ T5143] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 99.074074][ T5143] RIP: 0033:0x7f281a11eab9 [ 99.078500][ T5143] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5145] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5143] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5143] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5143] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5142] exit_group(0) = ? [pid 5145] <... futex resumed>) = ? [pid 5143] <... futex resumed>) = ? [pid 5143] +++ exited with 0 +++ [pid 5145] +++ exited with 0 +++ [pid 5142] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5142, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./36", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./36", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./36/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./36/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./36/binderfs") = 0 [ 99.098202][ T5143] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 99.106640][ T5143] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 99.114645][ T5143] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 99.122632][ T5143] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 99.130612][ T5143] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 99.138588][ T5143] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 99.146592][ T5143] umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./36/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./36/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./36/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./36/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./36") = 0 mkdir("./37", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5146 ./strace-static-x86_64: Process 5146 attached [pid 5146] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5146] chdir("./37") = 0 [pid 5146] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5146] setpgid(0, 0) = 0 [pid 5146] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5146] write(3, "1000", 4) = 4 [pid 5146] close(3) = 0 [pid 5146] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5146] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5146] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5146] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5146] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5147], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5147 [pid 5146] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5146] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5147 attached [pid 5147] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5147] memfd_create("syzkaller", 0) = 3 [pid 5147] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5147] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5147] munmap(0x7f2811caa000, 16777216) = 0 [pid 5147] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5147] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5147] close(3) = 0 [pid 5147] mkdir("./file0", 0777) = 0 [ 99.512352][ T5147] loop0: detected capacity change from 0 to 32768 [ 99.525534][ T5147] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 99.533985][ T5147] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 99.544044][ T5147] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 99.552363][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 99.559366][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5147] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5147] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5147] chdir("./file0") = 0 [pid 5147] ioctl(4, LOOP_CLR_FD) = 0 [pid 5147] close(4) = 0 [pid 5147] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5146] <... futex resumed>) = 0 [pid 5147] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 5146] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5147] open(".", O_RDONLY [pid 5146] <... futex resumed>) = 0 [pid 5147] <... open resumed>) = 4 [pid 5146] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5147] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5146] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5147] <... futex resumed>) = 0 [pid 5146] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5147] getdents64(4, [pid 5146] <... futex resumed>) = 0 [ 99.598850][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 99.607449][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 99.612716][ T5147] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 99.656405][ T5147] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 99.664871][ T5147] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 99.664871][ T5147] inode = 12 2341 [ 99.664871][ T5147] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 99.683640][ T5147] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 99.692709][ T5147] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5147 [syz-executor171] iterate_dir+0x228/0x570 [pid 5146] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5146] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5146] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5146] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5146] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5149], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5149 [pid 5146] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5146] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5149 attached [pid 5149] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5149] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5149] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5146] <... futex resumed>) = 0 [pid 5149] <... futex resumed>) = 1 [ 99.702794][ T5147] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 99.711334][ T5147] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 99.718636][ T5147] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 99.727763][ T5147] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 99.735203][ T5147] gfs2: fsid=syz:syz.0: File system withdrawn [ 99.741602][ T5147] CPU: 1 PID: 5147 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 99.751692][ T5147] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 99.761749][ T5147] Call Trace: [ 99.765025][ T5147] [ 99.767959][ T5147] dump_stack_lvl+0x1e7/0x2d0 [ 99.772658][ T5147] ? nf_tcp_handle_invalid+0x650/0x650 [ 99.778127][ T5147] ? panic+0x770/0x770 [ 99.782205][ T5147] ? kobject_uevent_env+0x54e/0x8e0 [ 99.787420][ T5147] gfs2_withdraw+0xf48/0x1550 [ 99.792126][ T5147] ? gfs2_lm+0x240/0x240 [ 99.796382][ T5147] ? gfs2_dirent_scan+0xb2/0x640 [ 99.801325][ T5147] ? panic+0x770/0x770 [ 99.805399][ T5147] ? gfs2_consist_inode_i+0xf5/0x110 [ 99.810689][ T5147] gfs2_dirent_scan+0x512/0x640 [ 99.815544][ T5147] ? gfs2_dirent_scan+0x640/0x640 [ 99.820572][ T5147] gfs2_dir_read+0x82f/0x1af0 [ 99.825259][ T5147] ? inode_dio_wait+0x2ad/0x340 [ 99.830118][ T5147] ? inode_owner_or_capable+0x1c0/0x1c0 [ 99.835762][ T5147] ? gfs2_dir_hash_inval+0x80/0x80 [ 99.840882][ T5147] ? _raw_spin_unlock+0x28/0x40 [ 99.845732][ T5147] ? gfs2_glock_nq+0xcbf/0x16c0 [ 99.850589][ T5147] ? inode_go_held+0xea/0x200 [ 99.855265][ T5147] ? gfs2_glock_wait+0x21a/0x2b0 [ 99.860207][ T5147] gfs2_readdir+0x14e/0x1b0 [ 99.864714][ T5147] ? __fdget_pos+0x254/0x2f0 [ 99.869305][ T5147] ? gfs2_fallocate+0x490/0x490 [ 99.874163][ T5147] ? iterate_dir+0x228/0x570 [ 99.878759][ T5147] ? __down_read_common+0x184/0x2c0 [ 99.883959][ T5147] ? iterate_dir+0x10e/0x570 [ 99.888563][ T5147] iterate_dir+0x228/0x570 [ 99.892993][ T5147] ? gfs2_fallocate+0x490/0x490 [ 99.897856][ T5147] __se_sys_getdents64+0x20d/0x4f0 [ 99.902991][ T5147] ? _raw_spin_unlock_irq+0x2e/0x50 [ 99.908215][ T5147] ? __x64_sys_getdents64+0x80/0x80 [ 99.913425][ T5147] ? filldir+0x740/0x740 [ 99.917679][ T5147] ? syscall_enter_from_user_mode+0x32/0x230 [ 99.923671][ T5147] ? syscall_enter_from_user_mode+0x8c/0x230 [ 99.929660][ T5147] do_syscall_64+0x41/0xc0 [ 99.934150][ T5147] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 99.940085][ T5147] RIP: 0033:0x7f281a11eab9 [ 99.944502][ T5147] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 99.964110][ T5147] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 99.972523][ T5147] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 99.980508][ T5147] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 99.988481][ T5147] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 99.996458][ T5147] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5149] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5147] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5147] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5147] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5146] exit_group(0 [pid 5149] <... futex resumed>) = ? [pid 5147] <... futex resumed>) = ? [pid 5146] <... exit_group resumed>) = ? [pid 5147] +++ exited with 0 +++ [pid 5149] +++ exited with 0 +++ [pid 5146] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5146, si_uid=0, si_status=0, si_utime=0, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./37", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./37", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./37/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./37/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./37/binderfs") = 0 [ 100.004428][ T5147] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 100.012430][ T5147] umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./37/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./37/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./37/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./37/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./37") = 0 mkdir("./38", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5150 ./strace-static-x86_64: Process 5150 attached [pid 5150] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5150] chdir("./38") = 0 [pid 5150] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5150] setpgid(0, 0) = 0 [pid 5150] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5150] write(3, "1000", 4) = 4 [pid 5150] close(3) = 0 [pid 5150] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5150] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5150] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5150] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5151 attached [pid 5151] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5151] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5150] <... clone resumed>, parent_tid=[5151], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5151 [pid 5150] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5151] <... futex resumed>) = 0 [pid 5150] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5151] memfd_create("syzkaller", 0) = 3 [pid 5151] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5151] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5151] munmap(0x7f2811caa000, 16777216) = 0 [pid 5151] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5151] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5151] close(3) = 0 [pid 5151] mkdir("./file0", 0777) = 0 [ 100.423130][ T5151] loop0: detected capacity change from 0 to 32768 [ 100.434979][ T5151] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 100.443167][ T5151] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 100.452522][ T5151] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 100.461328][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 100.468569][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5151] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5151] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5151] chdir("./file0") = 0 [pid 5151] ioctl(4, LOOP_CLR_FD) = 0 [pid 5151] close(4) = 0 [pid 5151] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5150] <... futex resumed>) = 0 [pid 5151] open(".", O_RDONLY [pid 5150] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5151] <... open resumed>) = 4 [pid 5150] <... futex resumed>) = 0 [pid 5151] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5150] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5151] <... futex resumed>) = 0 [pid 5150] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5151] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5150] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5151] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5150] <... futex resumed>) = 0 [pid 5151] getdents64(4, [ 100.510621][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 100.521655][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 100.527055][ T5151] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 100.553142][ T5151] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 100.561617][ T5151] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 100.561617][ T5151] inode = 12 2341 [ 100.561617][ T5151] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 100.580425][ T5151] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 100.589832][ T5151] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5151 [syz-executor171] iterate_dir+0x228/0x570 [pid 5150] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5150] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5150] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5150] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5154], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5154 [pid 5150] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5150] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5154 attached [pid 5154] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5154] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5154] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5150] <... futex resumed>) = 0 [pid 5154] <... futex resumed>) = 1 [ 100.599827][ T5151] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 100.608318][ T5151] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 100.615630][ T5151] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 100.624421][ T5151] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 100.631163][ T5151] gfs2: fsid=syz:syz.0: File system withdrawn [ 100.637765][ T5151] CPU: 1 PID: 5151 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 100.647882][ T5151] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 100.657955][ T5151] Call Trace: [ 100.661260][ T5151] [ 100.664219][ T5151] dump_stack_lvl+0x1e7/0x2d0 [ 100.668935][ T5151] ? nf_tcp_handle_invalid+0x650/0x650 [ 100.674415][ T5151] ? panic+0x770/0x770 [ 100.678511][ T5151] ? kobject_uevent_env+0x54e/0x8e0 [ 100.683765][ T5151] gfs2_withdraw+0xf48/0x1550 [ 100.688491][ T5151] ? gfs2_lm+0x240/0x240 [ 100.692777][ T5151] ? gfs2_dirent_scan+0xb2/0x640 [ 100.697734][ T5151] ? panic+0x770/0x770 [pid 5154] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5150] exit_group(0 [pid 5154] <... futex resumed>) = ? [pid 5150] <... exit_group resumed>) = ? [ 100.701849][ T5151] ? gfs2_consist_inode_i+0xf5/0x110 [ 100.707183][ T5151] gfs2_dirent_scan+0x512/0x640 [ 100.712083][ T5151] ? gfs2_dirent_scan+0x640/0x640 [ 100.717136][ T5151] gfs2_dir_read+0x82f/0x1af0 [ 100.721829][ T5151] ? inode_dio_wait+0x2ad/0x340 [ 100.726711][ T5151] ? inode_owner_or_capable+0x1c0/0x1c0 [ 100.732314][ T5151] ? gfs2_dir_hash_inval+0x80/0x80 [ 100.737443][ T5151] ? _raw_spin_unlock+0x28/0x40 [ 100.742301][ T5151] ? gfs2_glock_nq+0xcbf/0x16c0 [ 100.747212][ T5151] ? inode_go_held+0xea/0x200 [pid 5154] +++ exited with 0 +++ [ 100.751903][ T5151] ? gfs2_glock_wait+0x21a/0x2b0 [ 100.756888][ T5151] gfs2_readdir+0x14e/0x1b0 [ 100.761432][ T5151] ? __fdget_pos+0x254/0x2f0 [ 100.766020][ T5151] ? gfs2_fallocate+0x490/0x490 [ 100.770903][ T5151] ? iterate_dir+0x228/0x570 [ 100.775509][ T5151] ? __down_read_common+0x184/0x2c0 [ 100.780720][ T5151] ? iterate_dir+0x10e/0x570 [ 100.785312][ T5151] iterate_dir+0x228/0x570 [ 100.789755][ T5151] ? gfs2_fallocate+0x490/0x490 [ 100.794618][ T5151] __se_sys_getdents64+0x20d/0x4f0 [ 100.799756][ T5151] ? _raw_spin_unlock_irq+0x2e/0x50 [ 100.804981][ T5151] ? __x64_sys_getdents64+0x80/0x80 [ 100.810181][ T5151] ? filldir+0x740/0x740 [ 100.814428][ T5151] ? syscall_enter_from_user_mode+0x32/0x230 [ 100.820416][ T5151] ? syscall_enter_from_user_mode+0x8c/0x230 [ 100.826413][ T5151] do_syscall_64+0x41/0xc0 [ 100.830837][ T5151] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 100.836748][ T5151] RIP: 0033:0x7f281a11eab9 [ 100.841208][ T5151] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 100.860828][ T5151] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 100.869237][ T5151] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 100.877215][ T5151] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 100.885218][ T5151] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 100.893209][ T5151] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5151] <... getdents64 resumed> ) = ? [pid 5151] +++ exited with 0 +++ [pid 5150] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5150, si_uid=0, si_status=0, si_utime=0, si_stime=37 /* 0.37 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./38", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./38", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./38/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./38/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./38/binderfs") = 0 [ 100.901203][ T5151] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 100.909184][ T5151] umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./38/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./38/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./38/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./38/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./38") = 0 mkdir("./39", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5156 ./strace-static-x86_64: Process 5156 attached [pid 5156] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5156] chdir("./39") = 0 [pid 5156] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5156] setpgid(0, 0) = 0 [pid 5156] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5156] write(3, "1000", 4) = 4 [pid 5156] close(3) = 0 [pid 5156] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5156] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5156] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5156] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5156] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5157 attached , parent_tid=[5157], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5157 [pid 5157] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5157] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5156] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5157] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5156] <... futex resumed>) = 0 [pid 5156] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5157] memfd_create("syzkaller", 0) = 3 [pid 5157] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5157] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5157] munmap(0x7f2811caa000, 16777216) = 0 [pid 5157] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5157] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5157] close(3) = 0 [pid 5157] mkdir("./file0", 0777) = 0 [ 101.281813][ T5157] loop0: detected capacity change from 0 to 32768 [ 101.293457][ T5157] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 101.301628][ T5157] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 101.312419][ T5157] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 101.321179][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 101.328049][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5157] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5157] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5157] chdir("./file0") = 0 [pid 5157] ioctl(4, LOOP_CLR_FD) = 0 [pid 5157] close(4) = 0 [pid 5157] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5156] <... futex resumed>) = 0 [pid 5156] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5156] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5157] open(".", O_RDONLY) = 4 [pid 5157] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5156] <... futex resumed>) = 0 [pid 5157] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5156] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5157] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5156] <... futex resumed>) = 0 [pid 5157] getdents64(4, [ 101.363012][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 101.371452][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 101.376815][ T5157] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 101.409721][ T5157] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 101.419359][ T5157] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 101.419359][ T5157] inode = 12 2341 [ 101.419359][ T5157] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 101.438745][ T5157] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 101.448287][ T5157] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5157 [syz-executor171] iterate_dir+0x228/0x570 [pid 5156] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5156] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5156] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5156] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5156] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5160], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5160 [pid 5156] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5156] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5160 attached [pid 5160] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5160] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5160] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5156] <... futex resumed>) = 0 [pid 5160] <... futex resumed>) = 1 [ 101.458842][ T5157] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 101.467703][ T5157] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 101.475176][ T5157] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 101.484330][ T5157] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 101.490908][ T5157] gfs2: fsid=syz:syz.0: File system withdrawn [ 101.497587][ T5157] CPU: 0 PID: 5157 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 101.507693][ T5157] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 101.517780][ T5157] Call Trace: [ 101.521072][ T5157] [ 101.524002][ T5157] dump_stack_lvl+0x1e7/0x2d0 [ 101.528698][ T5157] ? nf_tcp_handle_invalid+0x650/0x650 [ 101.534203][ T5157] ? panic+0x770/0x770 [ 101.538352][ T5157] ? kobject_uevent_env+0x54e/0x8e0 [ 101.543594][ T5157] gfs2_withdraw+0xf48/0x1550 [ 101.548327][ T5157] ? gfs2_lm+0x240/0x240 [ 101.552582][ T5157] ? gfs2_dirent_scan+0xb2/0x640 [ 101.557537][ T5157] ? panic+0x770/0x770 [ 101.561629][ T5157] ? gfs2_consist_inode_i+0xf5/0x110 [ 101.566924][ T5157] gfs2_dirent_scan+0x512/0x640 [ 101.571783][ T5157] ? gfs2_dirent_scan+0x640/0x640 [ 101.576824][ T5157] gfs2_dir_read+0x82f/0x1af0 [ 101.581515][ T5157] ? inode_dio_wait+0x2ad/0x340 [ 101.586384][ T5157] ? inode_owner_or_capable+0x1c0/0x1c0 [ 101.591971][ T5157] ? gfs2_dir_hash_inval+0x80/0x80 [ 101.597106][ T5157] ? _raw_spin_unlock+0x28/0x40 [ 101.601989][ T5157] ? gfs2_glock_nq+0xcbf/0x16c0 [pid 5160] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5156] exit_group(0 [pid 5160] <... futex resumed>) = ? [pid 5156] <... exit_group resumed>) = ? [pid 5160] +++ exited with 0 +++ [ 101.606870][ T5157] ? inode_go_held+0xea/0x200 [ 101.611547][ T5157] ? gfs2_glock_wait+0x21a/0x2b0 [ 101.616515][ T5157] gfs2_readdir+0x14e/0x1b0 [ 101.621040][ T5157] ? __fdget_pos+0x254/0x2f0 [ 101.625642][ T5157] ? gfs2_fallocate+0x490/0x490 [ 101.630518][ T5157] ? iterate_dir+0x228/0x570 [ 101.635120][ T5157] ? __down_read_common+0x184/0x2c0 [ 101.640350][ T5157] ? iterate_dir+0x10e/0x570 [ 101.644951][ T5157] iterate_dir+0x228/0x570 [ 101.649408][ T5157] ? gfs2_fallocate+0x490/0x490 [ 101.654269][ T5157] __se_sys_getdents64+0x20d/0x4f0 [ 101.659390][ T5157] ? _raw_spin_unlock_irq+0x2e/0x50 [ 101.664606][ T5157] ? __x64_sys_getdents64+0x80/0x80 [ 101.669834][ T5157] ? filldir+0x740/0x740 [ 101.674086][ T5157] ? syscall_enter_from_user_mode+0x32/0x230 [ 101.680085][ T5157] ? syscall_enter_from_user_mode+0x8c/0x230 [ 101.686102][ T5157] do_syscall_64+0x41/0xc0 [ 101.690540][ T5157] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 101.696442][ T5157] RIP: 0033:0x7f281a11eab9 [ 101.700863][ T5157] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 101.720470][ T5157] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 101.728885][ T5157] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 101.736863][ T5157] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 101.744847][ T5157] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 101.752934][ T5157] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5157] <... getdents64 resumed> ) = ? [pid 5157] +++ exited with 0 +++ [pid 5156] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5156, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./39", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./39", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./39/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./39/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./39/binderfs") = 0 [ 101.761016][ T5157] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 101.769000][ T5157] umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./39/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./39/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./39/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./39/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./39") = 0 mkdir("./40", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5163 ./strace-static-x86_64: Process 5163 attached [pid 5163] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5163] chdir("./40") = 0 [pid 5163] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5163] setpgid(0, 0) = 0 [pid 5163] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5163] write(3, "1000", 4) = 4 [pid 5163] close(3) = 0 [pid 5163] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5163] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5163] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5163] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5163] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5164 attached , parent_tid=[5164], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5164 [pid 5163] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5163] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5164] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5164] memfd_create("syzkaller", 0) = 3 [pid 5164] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5164] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5164] munmap(0x7f2811caa000, 16777216) = 0 [pid 5164] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5164] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5164] close(3) = 0 [pid 5164] mkdir("./file0", 0777) = 0 [ 102.161045][ T5164] loop0: detected capacity change from 0 to 32768 [ 102.173178][ T5164] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 102.182277][ T5164] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 102.192584][ T5164] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 102.201480][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 102.208625][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5164] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5164] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5164] chdir("./file0") = 0 [pid 5164] ioctl(4, LOOP_CLR_FD) = 0 [pid 5164] close(4) = 0 [pid 5164] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5164] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5163] <... futex resumed>) = 0 [pid 5163] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5163] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5164] <... futex resumed>) = 0 [pid 5164] open(".", O_RDONLY) = 4 [pid 5164] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5163] <... futex resumed>) = 0 [pid 5163] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5163] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5164] <... futex resumed>) = 1 [ 102.253804][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 102.261335][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 102.266820][ T5164] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 102.289552][ T5164] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5164] getdents64(4, [pid 5163] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5163] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5163] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5163] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5163] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5167], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5167 [pid 5163] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5163] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5167 attached [pid 5167] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5167] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5167] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5163] <... futex resumed>) = 0 [pid 5167] <... futex resumed>) = 1 [ 102.298670][ T5164] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 102.298670][ T5164] inode = 12 2341 [ 102.298670][ T5164] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 102.317998][ T5164] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 102.327182][ T5164] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5164 [syz-executor171] iterate_dir+0x228/0x570 [ 102.337819][ T5164] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 102.346531][ T5164] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 102.354089][ T5164] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 102.362931][ T5164] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 102.369971][ T5164] gfs2: fsid=syz:syz.0: File system withdrawn [ 102.376491][ T5164] CPU: 0 PID: 5164 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 102.386555][ T5164] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 102.396604][ T5164] Call Trace: [ 102.399889][ T5164] [ 102.402836][ T5164] dump_stack_lvl+0x1e7/0x2d0 [ 102.407548][ T5164] ? nf_tcp_handle_invalid+0x650/0x650 [ 102.413026][ T5164] ? panic+0x770/0x770 [ 102.417088][ T5164] ? kobject_uevent_env+0x54e/0x8e0 [ 102.422293][ T5164] gfs2_withdraw+0xf48/0x1550 [ 102.426983][ T5164] ? gfs2_lm+0x240/0x240 [ 102.431231][ T5164] ? gfs2_dirent_scan+0xb2/0x640 [ 102.436177][ T5164] ? panic+0x770/0x770 [ 102.440246][ T5164] ? gfs2_consist_inode_i+0xf5/0x110 [ 102.445539][ T5164] gfs2_dirent_scan+0x512/0x640 [ 102.450398][ T5164] ? gfs2_dirent_scan+0x640/0x640 [ 102.455442][ T5164] gfs2_dir_read+0x82f/0x1af0 [ 102.460137][ T5164] ? inode_dio_wait+0x2ad/0x340 [ 102.465004][ T5164] ? inode_owner_or_capable+0x1c0/0x1c0 [ 102.470564][ T5164] ? gfs2_dir_hash_inval+0x80/0x80 [ 102.475683][ T5164] ? _raw_spin_unlock+0x28/0x40 [ 102.480539][ T5164] ? gfs2_glock_nq+0xcbf/0x16c0 [ 102.485404][ T5164] ? inode_go_held+0xea/0x200 [ 102.490089][ T5164] ? gfs2_glock_wait+0x21a/0x2b0 [ 102.495037][ T5164] gfs2_readdir+0x14e/0x1b0 [ 102.499548][ T5164] ? __fdget_pos+0x254/0x2f0 [ 102.504142][ T5164] ? gfs2_fallocate+0x490/0x490 [ 102.509001][ T5164] ? iterate_dir+0x228/0x570 [ 102.513595][ T5164] ? __down_read_common+0x184/0x2c0 [ 102.518811][ T5164] ? iterate_dir+0x10e/0x570 [ 102.523418][ T5164] iterate_dir+0x228/0x570 [ 102.527849][ T5164] ? gfs2_fallocate+0x490/0x490 [ 102.532720][ T5164] __se_sys_getdents64+0x20d/0x4f0 [ 102.537846][ T5164] ? _raw_spin_unlock_irq+0x2e/0x50 [ 102.543059][ T5164] ? __x64_sys_getdents64+0x80/0x80 [ 102.548275][ T5164] ? filldir+0x740/0x740 [ 102.552537][ T5164] ? syscall_enter_from_user_mode+0x32/0x230 [ 102.558526][ T5164] ? syscall_enter_from_user_mode+0x8c/0x230 [ 102.564519][ T5164] do_syscall_64+0x41/0xc0 [ 102.568946][ T5164] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 102.574847][ T5164] RIP: 0033:0x7f281a11eab9 [ 102.579280][ T5164] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5167] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5164] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5164] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5164] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5163] exit_group(0) = ? [pid 5164] <... futex resumed>) = ? [pid 5164] +++ exited with 0 +++ [pid 5167] <... futex resumed>) = ? [pid 5167] +++ exited with 0 +++ [pid 5163] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5163, si_uid=0, si_status=0, si_utime=0, si_stime=36 /* 0.36 s */} --- umount2("./40", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./40", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./40/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./40/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./40/binderfs") = 0 [ 102.598892][ T5164] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 102.607318][ T5164] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 102.615289][ T5164] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 102.623266][ T5164] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 102.631241][ T5164] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 102.639215][ T5164] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 102.647199][ T5164] umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./40/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./40/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./40/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./40/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./40") = 0 mkdir("./41", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5168 ./strace-static-x86_64: Process 5168 attached [pid 5168] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5168] chdir("./41") = 0 [pid 5168] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5168] setpgid(0, 0) = 0 [pid 5168] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5168] write(3, "1000", 4) = 4 [pid 5168] close(3) = 0 [pid 5168] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5168] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5168] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5168] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5169], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5169 ./strace-static-x86_64: Process 5169 attached [pid 5168] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5169] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5169] memfd_create("syzkaller", 0) = 3 [pid 5169] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5169] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5169] munmap(0x7f2811caa000, 16777216) = 0 [pid 5169] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5169] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5169] close(3) = 0 [pid 5169] mkdir("./file0", 0777) = 0 [ 103.000855][ T5169] loop0: detected capacity change from 0 to 32768 [ 103.012460][ T5169] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 103.021142][ T5169] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 103.030558][ T5169] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 103.039463][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 103.046428][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5169] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5169] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5169] chdir("./file0") = 0 [pid 5169] ioctl(4, LOOP_CLR_FD) = 0 [pid 5169] close(4) = 0 [pid 5169] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5169] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5168] <... futex resumed>) = 0 [pid 5168] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5169] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5169] open(".", O_RDONLY) = 4 [pid 5169] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5168] <... futex resumed>) = 0 [pid 5168] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 103.088455][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 103.097605][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 103.102859][ T5169] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 103.136444][ T5169] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 103.145469][ T5169] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 103.145469][ T5169] inode = 12 2341 [ 103.145469][ T5169] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 103.164629][ T5169] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 103.173966][ T5169] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5169 [syz-executor171] iterate_dir+0x228/0x570 [pid 5169] getdents64(4, [pid 5168] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5168] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5168] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5168] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5171], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5171 [pid 5168] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5168] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5171 attached [pid 5171] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5171] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5171] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5168] <... futex resumed>) = 0 [pid 5171] <... futex resumed>) = 1 [ 103.184230][ T5169] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 103.192776][ T5169] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 103.200284][ T5169] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 103.209232][ T5169] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 103.216291][ T5169] gfs2: fsid=syz:syz.0: File system withdrawn [ 103.222383][ T5169] CPU: 1 PID: 5169 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 103.232440][ T5169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 103.242511][ T5169] Call Trace: [ 103.245792][ T5169] [ 103.248751][ T5169] dump_stack_lvl+0x1e7/0x2d0 [ 103.253481][ T5169] ? nf_tcp_handle_invalid+0x650/0x650 [ 103.258968][ T5169] ? panic+0x770/0x770 [ 103.263060][ T5169] ? kobject_uevent_env+0x54e/0x8e0 [ 103.268273][ T5169] gfs2_withdraw+0xf48/0x1550 [ 103.273003][ T5169] ? gfs2_lm+0x240/0x240 [ 103.277265][ T5169] ? gfs2_dirent_scan+0xb2/0x640 [ 103.282214][ T5169] ? panic+0x770/0x770 [pid 5171] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5168] exit_group(0 [pid 5171] <... futex resumed>) = ? [pid 5168] <... exit_group resumed>) = ? [pid 5171] +++ exited with 0 +++ [ 103.286300][ T5169] ? gfs2_consist_inode_i+0xf5/0x110 [ 103.291624][ T5169] gfs2_dirent_scan+0x512/0x640 [ 103.296505][ T5169] ? gfs2_dirent_scan+0x640/0x640 [ 103.301588][ T5169] gfs2_dir_read+0x82f/0x1af0 [ 103.306297][ T5169] ? inode_dio_wait+0x2ad/0x340 [ 103.311183][ T5169] ? inode_owner_or_capable+0x1c0/0x1c0 [ 103.316835][ T5169] ? gfs2_dir_hash_inval+0x80/0x80 [ 103.321971][ T5169] ? _raw_spin_unlock+0x28/0x40 [ 103.326837][ T5169] ? gfs2_glock_nq+0xcbf/0x16c0 [ 103.331747][ T5169] ? inode_go_held+0xea/0x200 [ 103.336446][ T5169] ? gfs2_glock_wait+0x21a/0x2b0 [ 103.341432][ T5169] gfs2_readdir+0x14e/0x1b0 [ 103.345960][ T5169] ? __fdget_pos+0x254/0x2f0 [ 103.350551][ T5169] ? gfs2_fallocate+0x490/0x490 [ 103.355522][ T5169] ? iterate_dir+0x228/0x570 [ 103.360143][ T5169] ? __down_read_common+0x184/0x2c0 [ 103.365372][ T5169] ? iterate_dir+0x10e/0x570 [ 103.369987][ T5169] iterate_dir+0x228/0x570 [ 103.374408][ T5169] ? gfs2_fallocate+0x490/0x490 [ 103.379263][ T5169] __se_sys_getdents64+0x20d/0x4f0 [ 103.384382][ T5169] ? _raw_spin_unlock_irq+0x2e/0x50 [ 103.389592][ T5169] ? __x64_sys_getdents64+0x80/0x80 [ 103.394822][ T5169] ? filldir+0x740/0x740 [ 103.399079][ T5169] ? syscall_enter_from_user_mode+0x32/0x230 [ 103.405094][ T5169] ? syscall_enter_from_user_mode+0x8c/0x230 [ 103.411123][ T5169] do_syscall_64+0x41/0xc0 [ 103.415617][ T5169] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 103.421512][ T5169] RIP: 0033:0x7f281a11eab9 [ 103.425919][ T5169] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 103.445523][ T5169] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 103.453987][ T5169] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 103.461982][ T5169] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 103.469950][ T5169] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 103.477925][ T5169] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5169] <... getdents64 resumed> ) = ? [pid 5169] +++ exited with 0 +++ [pid 5168] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5168, si_uid=0, si_status=0, si_utime=0, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./41", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./41", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./41/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./41/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./41/binderfs") = 0 [ 103.485910][ T5169] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 103.493928][ T5169] umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./41/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./41/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./41/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./41/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./41") = 0 mkdir("./42", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5172 ./strace-static-x86_64: Process 5172 attached [pid 5172] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5172] chdir("./42") = 0 [pid 5172] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5172] setpgid(0, 0) = 0 [pid 5172] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5172] write(3, "1000", 4) = 4 [pid 5172] close(3) = 0 [pid 5172] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5172] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5172] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5172] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5172] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5173], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5173 ./strace-static-x86_64: Process 5173 attached [pid 5172] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5172] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5173] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5173] memfd_create("syzkaller", 0) = 3 [pid 5173] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5173] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5173] munmap(0x7f2811caa000, 16777216) = 0 [pid 5173] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5173] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5173] close(3) = 0 [pid 5173] mkdir("./file0", 0777) = 0 [ 103.873471][ T5173] loop0: detected capacity change from 0 to 32768 [ 103.884924][ T5173] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 103.893100][ T5173] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 103.903133][ T5173] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 103.911790][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 103.919084][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5173] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5173] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5173] chdir("./file0") = 0 [pid 5173] ioctl(4, LOOP_CLR_FD) = 0 [pid 5173] close(4) = 0 [pid 5173] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5173] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5172] <... futex resumed>) = 0 [pid 5172] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5172] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5173] <... futex resumed>) = 0 [pid 5173] open(".", O_RDONLY) = 4 [pid 5173] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5172] <... futex resumed>) = 0 [pid 5173] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5172] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5173] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5172] <... futex resumed>) = 0 [pid 5173] getdents64(4, [ 103.961517][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 103.970546][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 103.975896][ T5173] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 103.999669][ T5173] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5172] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5172] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5172] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5172] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5172] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5175], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5175 [pid 5172] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5172] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5175 attached [pid 5175] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5175] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5175] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5172] <... futex resumed>) = 0 [pid 5175] <... futex resumed>) = 1 [ 104.008858][ T5173] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 104.008858][ T5173] inode = 12 2341 [ 104.008858][ T5173] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 104.028084][ T5173] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 104.037522][ T5173] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5173 [syz-executor171] iterate_dir+0x228/0x570 [ 104.048072][ T5173] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 104.056875][ T5173] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 104.064358][ T5173] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 104.073140][ T5173] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 104.080456][ T5173] gfs2: fsid=syz:syz.0: File system withdrawn [ 104.087095][ T5173] CPU: 0 PID: 5173 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 104.097170][ T5173] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 104.107229][ T5173] Call Trace: [ 104.110511][ T5173] [ 104.113453][ T5173] dump_stack_lvl+0x1e7/0x2d0 [ 104.118151][ T5173] ? nf_tcp_handle_invalid+0x650/0x650 [ 104.123622][ T5173] ? panic+0x770/0x770 [ 104.127699][ T5173] ? kobject_uevent_env+0x54e/0x8e0 [ 104.132913][ T5173] gfs2_withdraw+0xf48/0x1550 [ 104.137630][ T5173] ? gfs2_lm+0x240/0x240 [ 104.141880][ T5173] ? gfs2_dirent_scan+0xb2/0x640 [ 104.146822][ T5173] ? panic+0x770/0x770 [ 104.150895][ T5173] ? gfs2_consist_inode_i+0xf5/0x110 [ 104.156196][ T5173] gfs2_dirent_scan+0x512/0x640 [ 104.161067][ T5173] ? gfs2_dirent_scan+0x640/0x640 [ 104.166099][ T5173] gfs2_dir_read+0x82f/0x1af0 [ 104.170790][ T5173] ? inode_dio_wait+0x2ad/0x340 [ 104.175661][ T5173] ? inode_owner_or_capable+0x1c0/0x1c0 [ 104.181214][ T5173] ? gfs2_dir_hash_inval+0x80/0x80 [ 104.186327][ T5173] ? _raw_spin_unlock+0x28/0x40 [ 104.191172][ T5173] ? gfs2_glock_nq+0xcbf/0x16c0 [ 104.196030][ T5173] ? inode_go_held+0xea/0x200 [ 104.200707][ T5173] ? gfs2_glock_wait+0x21a/0x2b0 [ 104.205654][ T5173] gfs2_readdir+0x14e/0x1b0 [ 104.210160][ T5173] ? __fdget_pos+0x254/0x2f0 [ 104.214744][ T5173] ? gfs2_fallocate+0x490/0x490 [ 104.219596][ T5173] ? iterate_dir+0x228/0x570 [ 104.224186][ T5173] ? __down_read_common+0x184/0x2c0 [ 104.229379][ T5173] ? iterate_dir+0x10e/0x570 [ 104.233970][ T5173] iterate_dir+0x228/0x570 [ 104.238391][ T5173] ? gfs2_fallocate+0x490/0x490 [ 104.243268][ T5173] __se_sys_getdents64+0x20d/0x4f0 [ 104.248394][ T5173] ? _raw_spin_unlock_irq+0x2e/0x50 [ 104.253596][ T5173] ? __x64_sys_getdents64+0x80/0x80 [ 104.258790][ T5173] ? filldir+0x740/0x740 [ 104.263118][ T5173] ? syscall_enter_from_user_mode+0x32/0x230 [ 104.269119][ T5173] ? syscall_enter_from_user_mode+0x8c/0x230 [ 104.275096][ T5173] do_syscall_64+0x41/0xc0 [ 104.279510][ T5173] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 104.285398][ T5173] RIP: 0033:0x7f281a11eab9 [ 104.289892][ T5173] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5175] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5173] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5173] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5173] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5172] exit_group(0 [pid 5175] <... futex resumed>) = ? [pid 5172] <... exit_group resumed>) = ? [pid 5173] <... futex resumed>) = ? [pid 5175] +++ exited with 0 +++ [pid 5173] +++ exited with 0 +++ [pid 5172] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5172, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=31 /* 0.31 s */} --- umount2("./42", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./42", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./42/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./42/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./42/binderfs") = 0 [ 104.309492][ T5173] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 104.317905][ T5173] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 104.325879][ T5173] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 104.333844][ T5173] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 104.341807][ T5173] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 104.349860][ T5173] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 104.357842][ T5173] umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./42/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./42/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./42/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./42/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./42") = 0 mkdir("./43", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5176 ./strace-static-x86_64: Process 5176 attached [pid 5176] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5176] chdir("./43") = 0 [pid 5176] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5176] setpgid(0, 0) = 0 [pid 5176] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5176] write(3, "1000", 4) = 4 [pid 5176] close(3) = 0 [pid 5176] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5176] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5176] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5176] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5176] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5177], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5177 [pid 5176] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5176] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5177 attached [pid 5177] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5177] memfd_create("syzkaller", 0) = 3 [pid 5177] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5177] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5177] munmap(0x7f2811caa000, 16777216) = 0 [pid 5177] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5177] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5177] close(3) = 0 [pid 5177] mkdir("./file0", 0777) = 0 [ 104.691409][ T5177] loop0: detected capacity change from 0 to 32768 [ 104.703018][ T5177] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 104.711570][ T5177] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 104.721647][ T5177] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 104.730659][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 104.737719][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5177] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5177] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5177] chdir("./file0") = 0 [pid 5177] ioctl(4, LOOP_CLR_FD) = 0 [pid 5177] close(4) = 0 [pid 5177] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5176] <... futex resumed>) = 0 [pid 5177] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5176] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5177] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5176] <... futex resumed>) = 0 [pid 5177] open(".", O_RDONLY [pid 5176] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5177] <... open resumed>) = 4 [pid 5177] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5176] <... futex resumed>) = 0 [pid 5177] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5176] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5177] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5176] <... futex resumed>) = 0 [pid 5177] getdents64(4, [ 104.769902][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 32ms [ 104.777459][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 104.782693][ T5177] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 104.821366][ T5177] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 104.830397][ T5177] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 104.830397][ T5177] inode = 12 2341 [ 104.830397][ T5177] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 104.849441][ T5177] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 104.858876][ T5177] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5177 [syz-executor171] iterate_dir+0x228/0x570 [pid 5176] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5176] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5176] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [ 104.869038][ T5177] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 104.877668][ T5177] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 104.885336][ T5177] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 104.894485][ T5177] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 104.901169][ T5177] gfs2: fsid=syz:syz.0: File system withdrawn [ 104.908091][ T5177] CPU: 0 PID: 5177 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [pid 5176] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5176] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5179], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5179 [pid 5176] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 104.918209][ T5177] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 104.928269][ T5177] Call Trace: [ 104.931562][ T5177] [ 104.934523][ T5177] dump_stack_lvl+0x1e7/0x2d0 [ 104.939242][ T5177] ? nf_tcp_handle_invalid+0x650/0x650 [ 104.944727][ T5177] ? panic+0x770/0x770 [ 104.948810][ T5177] ? kobject_uevent_env+0x54e/0x8e0 [ 104.954013][ T5177] gfs2_withdraw+0xf48/0x1550 [ 104.958748][ T5177] ? gfs2_lm+0x240/0x240 [ 104.963015][ T5177] ? gfs2_dirent_scan+0xb2/0x640 [ 104.967954][ T5177] ? panic+0x770/0x770 [pid 5176] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5179 attached [pid 5179] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5179] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5179] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5176] <... futex resumed>) = 0 [ 104.972118][ T5177] ? gfs2_consist_inode_i+0xf5/0x110 [ 104.977414][ T5177] gfs2_dirent_scan+0x512/0x640 [ 104.982282][ T5177] ? gfs2_dirent_scan+0x640/0x640 [ 104.987323][ T5177] gfs2_dir_read+0x82f/0x1af0 [ 104.992017][ T5177] ? inode_dio_wait+0x2ad/0x340 [ 104.996913][ T5177] ? inode_owner_or_capable+0x1c0/0x1c0 [ 105.002468][ T5177] ? gfs2_dir_hash_inval+0x80/0x80 [ 105.007611][ T5177] ? _raw_spin_unlock+0x28/0x40 [ 105.012500][ T5177] ? gfs2_glock_nq+0xcbf/0x16c0 [ 105.017384][ T5177] ? inode_go_held+0xea/0x200 [ 105.022082][ T5177] ? gfs2_glock_wait+0x21a/0x2b0 [ 105.027044][ T5177] gfs2_readdir+0x14e/0x1b0 [ 105.031555][ T5177] ? __fdget_pos+0x254/0x2f0 [ 105.036146][ T5177] ? gfs2_fallocate+0x490/0x490 [ 105.041009][ T5177] ? iterate_dir+0x228/0x570 [ 105.045616][ T5177] ? __down_read_common+0x184/0x2c0 [ 105.050841][ T5177] ? iterate_dir+0x10e/0x570 [ 105.055450][ T5177] iterate_dir+0x228/0x570 [ 105.059904][ T5177] ? gfs2_fallocate+0x490/0x490 [ 105.064783][ T5177] __se_sys_getdents64+0x20d/0x4f0 [ 105.069915][ T5177] ? _raw_spin_unlock_irq+0x2e/0x50 [ 105.076253][ T5177] ? __x64_sys_getdents64+0x80/0x80 [ 105.081477][ T5177] ? filldir+0x740/0x740 [ 105.085732][ T5177] ? syscall_enter_from_user_mode+0x32/0x230 [ 105.091738][ T5177] ? syscall_enter_from_user_mode+0x8c/0x230 [ 105.097734][ T5177] do_syscall_64+0x41/0xc0 [ 105.102168][ T5177] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 105.108066][ T5177] RIP: 0033:0x7f281a11eab9 [ 105.112489][ T5177] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 105.132093][ T5177] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 105.140507][ T5177] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 105.148484][ T5177] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 105.156463][ T5177] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 105.164482][ T5177] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5179] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5177] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5177] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5177] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5176] exit_group(0 [pid 5177] <... futex resumed>) = ? [pid 5176] <... exit_group resumed>) = ? [pid 5179] <... futex resumed>) = ? [pid 5177] +++ exited with 0 +++ [pid 5179] +++ exited with 0 +++ [pid 5176] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5176, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./43", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./43", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./43/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./43/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./43/binderfs") = 0 [ 105.172454][ T5177] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 105.180444][ T5177] umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./43/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./43/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./43/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./43/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./43") = 0 mkdir("./44", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5180 ./strace-static-x86_64: Process 5180 attached [pid 5180] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5180] chdir("./44") = 0 [pid 5180] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5180] setpgid(0, 0) = 0 [pid 5180] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5180] write(3, "1000", 4) = 4 [pid 5180] close(3) = 0 [pid 5180] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5180] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5180] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5180] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5180] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5181 attached [pid 5181] set_robust_list(0x7f281a0ca9e0, 24 [pid 5180] <... clone resumed>, parent_tid=[5181], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5181 [pid 5181] <... set_robust_list resumed>) = 0 [pid 5180] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5180] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5181] memfd_create("syzkaller", 0) = 3 [pid 5181] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5181] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5181] munmap(0x7f2811caa000, 16777216) = 0 [pid 5181] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5181] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5181] close(3) = 0 [pid 5181] mkdir("./file0", 0777) = 0 [ 105.552520][ T5181] loop0: detected capacity change from 0 to 32768 [ 105.565871][ T5181] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 105.574186][ T5181] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 105.584215][ T5181] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 105.592736][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 105.599626][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5181] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5181] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5181] chdir("./file0") = 0 [pid 5181] ioctl(4, LOOP_CLR_FD) = 0 [pid 5181] close(4) = 0 [pid 5181] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5180] <... futex resumed>) = 0 [pid 5180] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5180] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5181] open(".", O_RDONLY) = 4 [pid 5181] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5181] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5180] <... futex resumed>) = 0 [pid 5180] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5180] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5181] <... futex resumed>) = 0 [ 105.636780][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 105.644427][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 105.649697][ T5181] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 105.682953][ T5181] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 105.691939][ T5181] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 105.691939][ T5181] inode = 12 2341 [ 105.691939][ T5181] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 105.710801][ T5181] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 105.720191][ T5181] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5181 [syz-executor171] iterate_dir+0x228/0x570 [pid 5181] getdents64(4, [pid 5180] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5180] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5180] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5180] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5180] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5183], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5183 [pid 5180] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5180] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5183 attached [pid 5183] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 105.730311][ T5181] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 105.741679][ T5183] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 105.742034][ T5181] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 105.750986][ T5183] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 105.757404][ T5181] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 105.757421][ T5181] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 105.758427][ T5181] gfs2: fsid=syz:syz.0: File system withdrawn [ 105.768170][ T5183] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5181 [syz-executor171] iterate_dir+0x228/0x570 [ 105.775729][ T5181] CPU: 0 PID: 5181 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 105.782122][ T5183] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5183 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 105.787801][ T5181] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 105.787816][ T5181] Call Trace: [ 105.787824][ T5181] [ 105.787833][ T5181] dump_stack_lvl+0x1e7/0x2d0 [ 105.787872][ T5181] ? nf_tcp_handle_invalid+0x650/0x650 [ 105.787906][ T5181] ? panic+0x770/0x770 [ 105.799221][ T5183] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 105.807828][ T5181] ? kobject_uevent_env+0x54e/0x8e0 [ 105.807874][ T5181] gfs2_withdraw+0xf48/0x1550 [ 105.807924][ T5181] ? gfs2_lm+0x240/0x240 [ 105.870834][ T5181] ? gfs2_dirent_scan+0xb2/0x640 [ 105.875779][ T5181] ? panic+0x770/0x770 [ 105.879852][ T5181] ? gfs2_consist_inode_i+0xf5/0x110 [ 105.885162][ T5181] gfs2_dirent_scan+0x512/0x640 [ 105.890030][ T5181] ? gfs2_dirent_scan+0x640/0x640 [ 105.895072][ T5181] gfs2_dir_read+0x82f/0x1af0 [ 105.899763][ T5181] ? inode_dio_wait+0x2ad/0x340 [ 105.904636][ T5181] ? inode_owner_or_capable+0x1c0/0x1c0 [ 105.910196][ T5181] ? gfs2_dir_hash_inval+0x80/0x80 [ 105.915313][ T5181] ? _raw_spin_unlock+0x28/0x40 [ 105.920171][ T5181] ? gfs2_glock_nq+0xcbf/0x16c0 [ 105.925051][ T5181] ? inode_go_held+0xea/0x200 [ 105.929744][ T5181] ? gfs2_glock_wait+0x21a/0x2b0 [ 105.934704][ T5181] gfs2_readdir+0x14e/0x1b0 [ 105.939224][ T5181] ? __fdget_pos+0x254/0x2f0 [ 105.943826][ T5181] ? gfs2_fallocate+0x490/0x490 [ 105.948783][ T5181] ? iterate_dir+0x228/0x570 [ 105.953385][ T5181] ? __down_read_common+0x184/0x2c0 [ 105.958599][ T5181] ? iterate_dir+0x10e/0x570 [ 105.963219][ T5181] iterate_dir+0x228/0x570 [ 105.967668][ T5181] ? gfs2_fallocate+0x490/0x490 [ 105.972540][ T5181] __se_sys_getdents64+0x20d/0x4f0 [ 105.977668][ T5181] ? _raw_spin_unlock_irq+0x2e/0x50 [ 105.982880][ T5181] ? __x64_sys_getdents64+0x80/0x80 [ 105.988094][ T5181] ? filldir+0x740/0x740 [ 105.992364][ T5181] ? syscall_enter_from_user_mode+0x32/0x230 [ 105.998361][ T5181] ? syscall_enter_from_user_mode+0x8c/0x230 [ 106.004378][ T5181] do_syscall_64+0x41/0xc0 [ 106.008815][ T5181] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 106.014718][ T5181] RIP: 0033:0x7f281a11eab9 [ 106.019161][ T5181] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 106.038789][ T5181] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 106.047214][ T5181] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 106.055205][ T5181] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 106.063205][ T5181] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 106.071192][ T5181] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5183] open("./file0", O_RDONLY [pid 5180] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5181] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5181] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5181] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5183] <... open resumed>) = -1 EIO (Input/output error) [pid 5183] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5183] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5180] exit_group(0 [pid 5181] <... futex resumed>) = ? [pid 5180] <... exit_group resumed>) = ? [pid 5181] +++ exited with 0 +++ [pid 5183] <... futex resumed>) = ? [pid 5183] +++ exited with 0 +++ [pid 5180] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5180, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=39 /* 0.39 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./44", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./44", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./44/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./44/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./44/binderfs") = 0 [ 106.079187][ T5181] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 106.087208][ T5181] umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./44/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./44/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./44/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./44/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./44") = 0 mkdir("./45", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5184 ./strace-static-x86_64: Process 5184 attached [pid 5184] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5184] chdir("./45") = 0 [pid 5184] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5184] setpgid(0, 0) = 0 [pid 5184] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5184] write(3, "1000", 4) = 4 [pid 5184] close(3) = 0 [pid 5184] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5184] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5184] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5184] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5185 attached [pid 5185] set_robust_list(0x7f281a0ca9e0, 24 [pid 5184] <... clone resumed>, parent_tid=[5185], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5185 [pid 5185] <... set_robust_list resumed>) = 0 [pid 5184] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5185] memfd_create("syzkaller", 0) = 3 [pid 5185] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5185] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5185] munmap(0x7f2811caa000, 16777216) = 0 [pid 5185] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5185] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5185] close(3) = 0 [pid 5185] mkdir("./file0", 0777) = 0 [ 106.453204][ T5185] loop0: detected capacity change from 0 to 32768 [ 106.464953][ T5185] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 106.473426][ T5185] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 106.482389][ T5185] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 106.491347][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 106.498180][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5185] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5185] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5185] chdir("./file0") = 0 [pid 5185] ioctl(4, LOOP_CLR_FD) = 0 [pid 5185] close(4) = 0 [pid 5185] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5184] <... futex resumed>) = 0 [pid 5184] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5185] open(".", O_RDONLY) = 4 [pid 5185] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5184] <... futex resumed>) = 0 [pid 5184] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 106.534109][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 106.543680][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 106.548952][ T5185] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5185] getdents64(4, [pid 5184] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5184] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 106.580318][ T5185] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 106.589028][ T5185] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 106.589028][ T5185] inode = 12 2341 [ 106.589028][ T5185] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 106.608183][ T5185] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 106.617296][ T5185] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5185 [syz-executor171] iterate_dir+0x228/0x570 [pid 5184] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5184] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5184] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5187], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5187 [pid 5184] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5184] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5187 attached [pid 5187] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5187] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5187] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5184] <... futex resumed>) = 0 [pid 5187] <... futex resumed>) = 1 [ 106.627275][ T5185] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 106.636605][ T5185] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 106.644448][ T5185] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 106.653302][ T5185] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 106.659845][ T5185] gfs2: fsid=syz:syz.0: File system withdrawn [ 106.665981][ T5185] CPU: 0 PID: 5185 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 106.676064][ T5185] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 106.686125][ T5185] Call Trace: [ 106.689406][ T5185] [ 106.692343][ T5185] dump_stack_lvl+0x1e7/0x2d0 [ 106.697060][ T5185] ? nf_tcp_handle_invalid+0x650/0x650 [ 106.702538][ T5185] ? panic+0x770/0x770 [ 106.706620][ T5185] ? kobject_uevent_env+0x54e/0x8e0 [ 106.711856][ T5185] gfs2_withdraw+0xf48/0x1550 [ 106.716572][ T5185] ? gfs2_lm+0x240/0x240 [ 106.720829][ T5185] ? gfs2_dirent_scan+0xb2/0x640 [ 106.725782][ T5185] ? panic+0x770/0x770 [ 106.729864][ T5185] ? gfs2_consist_inode_i+0xf5/0x110 [ 106.735185][ T5185] gfs2_dirent_scan+0x512/0x640 [ 106.740053][ T5185] ? gfs2_dirent_scan+0x640/0x640 [ 106.745095][ T5185] gfs2_dir_read+0x82f/0x1af0 [ 106.749793][ T5185] ? inode_dio_wait+0x2ad/0x340 [ 106.754665][ T5185] ? inode_owner_or_capable+0x1c0/0x1c0 [ 106.760228][ T5185] ? gfs2_dir_hash_inval+0x80/0x80 [ 106.765351][ T5185] ? _raw_spin_unlock+0x28/0x40 [ 106.770212][ T5185] ? gfs2_glock_nq+0xcbf/0x16c0 [ 106.775087][ T5185] ? inode_go_held+0xea/0x200 [ 106.779779][ T5185] ? gfs2_glock_wait+0x21a/0x2b0 [ 106.784735][ T5185] gfs2_readdir+0x14e/0x1b0 [ 106.789272][ T5185] ? __fdget_pos+0x254/0x2f0 [ 106.793871][ T5185] ? gfs2_fallocate+0x490/0x490 [ 106.798740][ T5185] ? iterate_dir+0x228/0x570 [ 106.803346][ T5185] ? __down_read_common+0x184/0x2c0 [ 106.808557][ T5185] ? iterate_dir+0x10e/0x570 [ 106.813173][ T5185] iterate_dir+0x228/0x570 [ 106.817607][ T5185] ? gfs2_fallocate+0x490/0x490 [ 106.822488][ T5185] __se_sys_getdents64+0x20d/0x4f0 [ 106.827619][ T5185] ? _raw_spin_unlock_irq+0x2e/0x50 [ 106.832834][ T5185] ? __x64_sys_getdents64+0x80/0x80 [ 106.838050][ T5185] ? filldir+0x740/0x740 [ 106.842311][ T5185] ? syscall_enter_from_user_mode+0x32/0x230 [ 106.848307][ T5185] ? syscall_enter_from_user_mode+0x8c/0x230 [ 106.854301][ T5185] do_syscall_64+0x41/0xc0 [ 106.858746][ T5185] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 106.864652][ T5185] RIP: 0033:0x7f281a11eab9 [ 106.869078][ T5185] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 106.888701][ T5185] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 106.897137][ T5185] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 106.905119][ T5185] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 106.913113][ T5185] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 106.921099][ T5185] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5187] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5185] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5185] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5185] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5184] exit_group(0 [pid 5187] <... futex resumed>) = ? [pid 5185] <... futex resumed>) = ? [pid 5184] <... exit_group resumed>) = ? [pid 5185] +++ exited with 0 +++ [pid 5187] +++ exited with 0 +++ [pid 5184] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5184, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./45", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./45", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./45/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./45/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./45/binderfs") = 0 [ 106.929076][ T5185] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 106.937077][ T5185] umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./45/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./45/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./45/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./45/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./45") = 0 mkdir("./46", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5188 ./strace-static-x86_64: Process 5188 attached [pid 5188] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5188] chdir("./46") = 0 [pid 5188] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5188] setpgid(0, 0) = 0 [pid 5188] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5188] write(3, "1000", 4) = 4 [pid 5188] close(3) = 0 [pid 5188] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5188] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5188] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5188] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5188] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5189 attached , parent_tid=[5189], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5189 [pid 5188] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5189] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5188] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5189] memfd_create("syzkaller", 0) = 3 [pid 5189] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5189] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5189] munmap(0x7f2811caa000, 16777216) = 0 [pid 5189] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5189] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5189] close(3) = 0 [pid 5189] mkdir("./file0", 0777) = 0 [ 107.339353][ T5189] loop0: detected capacity change from 0 to 32768 [ 107.351144][ T5189] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 107.359605][ T5189] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 107.369518][ T5189] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 107.378277][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 107.385143][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5189] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5189] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5189] chdir("./file0") = 0 [pid 5189] ioctl(4, LOOP_CLR_FD) = 0 [pid 5189] close(4) = 0 [pid 5189] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5188] <... futex resumed>) = 0 [pid 5188] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5188] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5189] <... futex resumed>) = 1 [pid 5189] open(".", O_RDONLY) = 4 [pid 5189] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5188] <... futex resumed>) = 0 [pid 5188] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5188] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5189] <... futex resumed>) = 1 [ 107.421875][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 107.429522][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 107.434814][ T5189] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 107.463801][ T5189] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 107.472176][ T5189] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 107.472176][ T5189] inode = 12 2341 [ 107.472176][ T5189] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 107.491234][ T5189] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 107.500458][ T5189] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5189 [syz-executor171] iterate_dir+0x228/0x570 [pid 5189] getdents64(4, [pid 5188] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5188] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5188] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5188] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5188] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5191], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5191 [pid 5188] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5188] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5191 attached [pid 5191] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5191] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5191] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5188] <... futex resumed>) = 0 [ 107.511316][ T5189] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 107.520696][ T5189] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 107.528257][ T5189] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 107.537702][ T5189] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 107.544856][ T5189] gfs2: fsid=syz:syz.0: File system withdrawn [ 107.551368][ T5189] CPU: 0 PID: 5189 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 107.561434][ T5189] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 107.571497][ T5189] Call Trace: [ 107.574797][ T5189] [ 107.577750][ T5189] dump_stack_lvl+0x1e7/0x2d0 [ 107.582468][ T5189] ? nf_tcp_handle_invalid+0x650/0x650 [ 107.587946][ T5189] ? panic+0x770/0x770 [ 107.592052][ T5189] ? kobject_uevent_env+0x54e/0x8e0 [ 107.597281][ T5189] gfs2_withdraw+0xf48/0x1550 [ 107.602005][ T5189] ? gfs2_lm+0x240/0x240 [ 107.606281][ T5189] ? gfs2_dirent_scan+0xb2/0x640 [ 107.611245][ T5189] ? panic+0x770/0x770 [ 107.615331][ T5189] ? gfs2_consist_inode_i+0xf5/0x110 [ 107.620633][ T5189] gfs2_dirent_scan+0x512/0x640 [ 107.625513][ T5189] ? gfs2_dirent_scan+0x640/0x640 [ 107.630551][ T5189] gfs2_dir_read+0x82f/0x1af0 [ 107.635242][ T5189] ? inode_dio_wait+0x2ad/0x340 [ 107.640104][ T5189] ? inode_owner_or_capable+0x1c0/0x1c0 [ 107.645666][ T5189] ? gfs2_dir_hash_inval+0x80/0x80 [ 107.650785][ T5189] ? _raw_spin_unlock+0x28/0x40 [ 107.655643][ T5189] ? gfs2_glock_nq+0xcbf/0x16c0 [ 107.660514][ T5189] ? inode_go_held+0xea/0x200 [ 107.665197][ T5189] ? gfs2_glock_wait+0x21a/0x2b0 [ 107.670148][ T5189] gfs2_readdir+0x14e/0x1b0 [ 107.674659][ T5189] ? __fdget_pos+0x254/0x2f0 [ 107.679259][ T5189] ? gfs2_fallocate+0x490/0x490 [ 107.684128][ T5189] ? iterate_dir+0x228/0x570 [ 107.688750][ T5189] ? __down_read_common+0x184/0x2c0 [ 107.693957][ T5189] ? iterate_dir+0x10e/0x570 [ 107.698563][ T5189] iterate_dir+0x228/0x570 [ 107.703008][ T5189] ? gfs2_fallocate+0x490/0x490 [ 107.707894][ T5189] __se_sys_getdents64+0x20d/0x4f0 [ 107.713043][ T5189] ? _raw_spin_unlock_irq+0x2e/0x50 [ 107.718259][ T5189] ? __x64_sys_getdents64+0x80/0x80 [ 107.723475][ T5189] ? filldir+0x740/0x740 [ 107.727731][ T5189] ? syscall_enter_from_user_mode+0x32/0x230 [ 107.733729][ T5189] ? syscall_enter_from_user_mode+0x8c/0x230 [ 107.739733][ T5189] do_syscall_64+0x41/0xc0 [ 107.744177][ T5189] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 107.750076][ T5189] RIP: 0033:0x7f281a11eab9 [ 107.754508][ T5189] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 107.774112][ T5189] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 107.782530][ T5189] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 107.790505][ T5189] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 107.798481][ T5189] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 107.806458][ T5189] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5191] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5189] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5189] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5189] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5188] exit_group(0 [pid 5191] <... futex resumed>) = ? [pid 5189] <... futex resumed>) = ? [pid 5188] <... exit_group resumed>) = ? [pid 5189] +++ exited with 0 +++ [pid 5191] +++ exited with 0 +++ [pid 5188] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5188, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=29 /* 0.29 s */} --- umount2("./46", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./46", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./46/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./46/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./46/binderfs") = 0 [ 107.814439][ T5189] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 107.822419][ T5189] umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./46/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./46/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./46/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./46/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./46") = 0 mkdir("./47", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5192 ./strace-static-x86_64: Process 5192 attached [pid 5192] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5192] chdir("./47") = 0 [pid 5192] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5192] setpgid(0, 0) = 0 [pid 5192] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5192] write(3, "1000", 4) = 4 [pid 5192] close(3) = 0 [pid 5192] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5192] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5192] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5192] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5192] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5193 attached [pid 5193] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5193] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5192] <... clone resumed>, parent_tid=[5193], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5193 [pid 5192] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5193] <... futex resumed>) = 0 [pid 5192] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5193] memfd_create("syzkaller", 0) = 3 [pid 5193] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5193] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5193] munmap(0x7f2811caa000, 16777216) = 0 [pid 5193] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5193] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5193] close(3) = 0 [pid 5193] mkdir("./file0", 0777) = 0 [ 108.196883][ T5193] loop0: detected capacity change from 0 to 32768 [ 108.208232][ T5193] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 108.216940][ T5193] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 108.227302][ T5193] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 108.236154][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 108.242991][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5193] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5193] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5193] chdir("./file0") = 0 [pid 5193] ioctl(4, LOOP_CLR_FD) = 0 [pid 5193] close(4) = 0 [pid 5193] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5192] <... futex resumed>) = 0 [pid 5193] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5192] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5193] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5192] <... futex resumed>) = 0 [pid 5192] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5193] open(".", O_RDONLY) = 4 [pid 5193] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5192] <... futex resumed>) = 0 [pid 5193] <... futex resumed>) = 1 [pid 5192] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 108.290425][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 47ms [ 108.298737][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 108.304564][ T5193] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5192] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 108.337854][ T5193] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 108.346961][ T5193] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 108.346961][ T5193] inode = 12 2341 [ 108.346961][ T5193] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 108.366190][ T5193] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 108.375466][ T5193] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5193 [syz-executor171] iterate_dir+0x228/0x570 [pid 5193] getdents64(4, [pid 5192] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5192] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5192] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5192] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5192] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5195 attached , parent_tid=[5195], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5195 [pid 5192] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5195] set_robust_list(0x7f2812ca99e0, 24 [pid 5192] <... futex resumed>) = 0 [pid 5195] <... set_robust_list resumed>) = 0 [pid 5192] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5195] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5195] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5192] <... futex resumed>) = 0 [ 108.385553][ T5193] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 108.394475][ T5193] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 108.402143][ T5193] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 108.415557][ T5193] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 108.422288][ T5193] gfs2: fsid=syz:syz.0: File system withdrawn [ 108.428717][ T5193] CPU: 0 PID: 5193 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 108.438825][ T5193] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 108.448906][ T5193] Call Trace: [ 108.452196][ T5193] [ 108.455122][ T5193] dump_stack_lvl+0x1e7/0x2d0 [ 108.459816][ T5193] ? nf_tcp_handle_invalid+0x650/0x650 [ 108.465280][ T5193] ? panic+0x770/0x770 [ 108.469367][ T5193] ? kobject_uevent_env+0x54e/0x8e0 [ 108.474605][ T5193] gfs2_withdraw+0xf48/0x1550 [ 108.479311][ T5193] ? gfs2_lm+0x240/0x240 [ 108.483577][ T5193] ? gfs2_dirent_scan+0xb2/0x640 [ 108.488539][ T5193] ? panic+0x770/0x770 [ 108.492647][ T5193] ? gfs2_consist_inode_i+0xf5/0x110 [ 108.497960][ T5193] gfs2_dirent_scan+0x512/0x640 [ 108.502835][ T5193] ? gfs2_dirent_scan+0x640/0x640 [ 108.507888][ T5193] gfs2_dir_read+0x82f/0x1af0 [ 108.512593][ T5193] ? inode_dio_wait+0x2ad/0x340 [ 108.517467][ T5193] ? inode_owner_or_capable+0x1c0/0x1c0 [ 108.523037][ T5193] ? gfs2_dir_hash_inval+0x80/0x80 [ 108.528181][ T5193] ? _raw_spin_unlock+0x28/0x40 [ 108.533160][ T5193] ? gfs2_glock_nq+0xcbf/0x16c0 [pid 5195] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5192] exit_group(0 [pid 5195] <... futex resumed>) = ? [pid 5192] <... exit_group resumed>) = ? [pid 5195] +++ exited with 0 +++ [ 108.538045][ T5193] ? inode_go_held+0xea/0x200 [ 108.542748][ T5193] ? gfs2_glock_wait+0x21a/0x2b0 [ 108.547696][ T5193] gfs2_readdir+0x14e/0x1b0 [ 108.552216][ T5193] ? __fdget_pos+0x254/0x2f0 [ 108.556821][ T5193] ? gfs2_fallocate+0x490/0x490 [ 108.561688][ T5193] ? iterate_dir+0x228/0x570 [ 108.566306][ T5193] ? __down_read_common+0x184/0x2c0 [ 108.571540][ T5193] ? iterate_dir+0x10e/0x570 [ 108.576162][ T5193] iterate_dir+0x228/0x570 [ 108.580595][ T5193] ? gfs2_fallocate+0x490/0x490 [ 108.585476][ T5193] __se_sys_getdents64+0x20d/0x4f0 [ 108.590630][ T5193] ? _raw_spin_unlock_irq+0x2e/0x50 [ 108.595850][ T5193] ? __x64_sys_getdents64+0x80/0x80 [ 108.601066][ T5193] ? filldir+0x740/0x740 [ 108.605417][ T5193] ? syscall_enter_from_user_mode+0x32/0x230 [ 108.611401][ T5193] ? syscall_enter_from_user_mode+0x8c/0x230 [ 108.617386][ T5193] do_syscall_64+0x41/0xc0 [ 108.621828][ T5193] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 108.627754][ T5193] RIP: 0033:0x7f281a11eab9 [ 108.632212][ T5193] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 108.651819][ T5193] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 108.660337][ T5193] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 108.668324][ T5193] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 108.676484][ T5193] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5193] <... getdents64 resumed> ) = ? [pid 5193] +++ exited with 0 +++ [pid 5192] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5192, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./47", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./47", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./47/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./47/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./47/binderfs") = 0 [ 108.684475][ T5193] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 108.692449][ T5193] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 108.700448][ T5193] umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./47/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./47/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./47/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./47/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./47") = 0 mkdir("./48", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5196 ./strace-static-x86_64: Process 5196 attached [pid 5196] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5196] chdir("./48") = 0 [pid 5196] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5196] setpgid(0, 0) = 0 [pid 5196] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5196] write(3, "1000", 4) = 4 [pid 5196] close(3) = 0 [pid 5196] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5196] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5196] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5196] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5196] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5197 attached , parent_tid=[5197], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5197 [pid 5197] set_robust_list(0x7f281a0ca9e0, 24 [pid 5196] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5197] <... set_robust_list resumed>) = 0 [pid 5196] <... futex resumed>) = 0 [pid 5196] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5197] memfd_create("syzkaller", 0) = 3 [pid 5197] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5197] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5197] munmap(0x7f2811caa000, 16777216) = 0 [pid 5197] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5197] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5197] close(3) = 0 [pid 5197] mkdir("./file0", 0777) = 0 [ 109.068805][ T5197] loop0: detected capacity change from 0 to 32768 [ 109.081150][ T5197] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 109.089761][ T5197] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 109.100266][ T5197] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 109.109348][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 109.116413][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5197] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5197] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5197] chdir("./file0") = 0 [pid 5197] ioctl(4, LOOP_CLR_FD) = 0 [pid 5197] close(4) = 0 [pid 5197] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5196] <... futex resumed>) = 0 [pid 5196] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5196] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5197] <... futex resumed>) = 1 [pid 5197] open(".", O_RDONLY) = 4 [pid 5197] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5196] <... futex resumed>) = 0 [pid 5196] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5196] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5197] <... futex resumed>) = 1 [ 109.163010][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 109.170811][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 109.176520][ T5197] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 109.200573][ T5197] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5197] getdents64(4, [pid 5196] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5196] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5196] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5196] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5196] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5199 attached , parent_tid=[5199], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5199 [pid 5196] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5196] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5199] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 109.209583][ T5197] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 109.209583][ T5197] inode = 12 2341 [ 109.209583][ T5197] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 109.228986][ T5197] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 109.238526][ T5197] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5197 [syz-executor171] iterate_dir+0x228/0x570 [ 109.250886][ T5197] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5199] open("./file0", O_RDONLY [pid 5196] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 109.255600][ T5199] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 109.259905][ T5197] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 109.274997][ T5197] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 109.283853][ T5197] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 109.284483][ T5199] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 109.292288][ T5197] gfs2: fsid=syz:syz.0: File system withdrawn [ 109.305692][ T5197] CPU: 1 PID: 5197 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 109.315771][ T5197] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 109.325832][ T5197] Call Trace: [ 109.329149][ T5197] [ 109.332100][ T5197] dump_stack_lvl+0x1e7/0x2d0 [ 109.336801][ T5197] ? nf_tcp_handle_invalid+0x650/0x650 [ 109.342277][ T5197] ? panic+0x770/0x770 [ 109.346372][ T5197] ? kobject_uevent_env+0x54e/0x8e0 [ 109.351589][ T5197] gfs2_withdraw+0xf48/0x1550 [ 109.356295][ T5197] ? gfs2_lm+0x240/0x240 [ 109.360569][ T5197] ? gfs2_dirent_scan+0xb2/0x640 [ 109.365516][ T5197] ? panic+0x770/0x770 [ 109.369600][ T5197] ? gfs2_consist_inode_i+0xf5/0x110 [ 109.374911][ T5197] gfs2_dirent_scan+0x512/0x640 [ 109.379769][ T5197] ? gfs2_dirent_scan+0x640/0x640 [ 109.384801][ T5197] gfs2_dir_read+0x82f/0x1af0 [ 109.389491][ T5197] ? inode_dio_wait+0x2ad/0x340 [ 109.394351][ T5197] ? inode_owner_or_capable+0x1c0/0x1c0 [ 109.399904][ T5197] ? gfs2_dir_hash_inval+0x80/0x80 [ 109.405019][ T5197] ? _raw_spin_unlock+0x28/0x40 [ 109.409879][ T5197] ? gfs2_glock_nq+0xcbf/0x16c0 [ 109.414741][ T5197] ? inode_go_held+0xea/0x200 [ 109.419418][ T5197] ? gfs2_glock_wait+0x21a/0x2b0 [ 109.424370][ T5197] gfs2_readdir+0x14e/0x1b0 [ 109.428964][ T5197] ? __fdget_pos+0x254/0x2f0 [ 109.433556][ T5197] ? gfs2_fallocate+0x490/0x490 [ 109.438418][ T5197] ? iterate_dir+0x228/0x570 [ 109.443030][ T5197] ? __down_read_common+0x184/0x2c0 [ 109.448237][ T5197] ? iterate_dir+0x10e/0x570 [ 109.452931][ T5197] iterate_dir+0x228/0x570 [ 109.457538][ T5197] ? gfs2_fallocate+0x490/0x490 [ 109.462406][ T5197] __se_sys_getdents64+0x20d/0x4f0 [ 109.467551][ T5197] ? _raw_spin_unlock_irq+0x2e/0x50 [ 109.472765][ T5197] ? __x64_sys_getdents64+0x80/0x80 [ 109.477975][ T5197] ? filldir+0x740/0x740 [ 109.482343][ T5197] ? syscall_enter_from_user_mode+0x32/0x230 [ 109.488354][ T5197] ? syscall_enter_from_user_mode+0x8c/0x230 [ 109.494347][ T5197] do_syscall_64+0x41/0xc0 [ 109.498776][ T5197] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 109.504693][ T5197] RIP: 0033:0x7f281a11eab9 [ 109.509113][ T5197] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 109.528726][ T5197] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 109.537197][ T5197] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 109.545174][ T5197] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 109.553143][ T5197] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5197] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5197] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5197] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5199] <... open resumed>) = -1 EIO (Input/output error) [pid 5199] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5199] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5196] exit_group(0 [pid 5199] <... futex resumed>) = ? [pid 5197] <... futex resumed>) = ? [pid 5196] <... exit_group resumed>) = ? [pid 5197] +++ exited with 0 +++ [pid 5199] +++ exited with 0 +++ [pid 5196] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5196, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=37 /* 0.37 s */} --- umount2("./48", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./48", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./48/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./48/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./48/binderfs") = 0 [ 109.561119][ T5197] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 109.569099][ T5197] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 109.577087][ T5197] [ 109.581556][ T5199] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5199 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 109.591691][ T5199] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./48/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./48/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./48/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./48/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./48") = 0 mkdir("./49", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5200 ./strace-static-x86_64: Process 5200 attached [pid 5200] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5200] chdir("./49") = 0 [pid 5200] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5200] setpgid(0, 0) = 0 [pid 5200] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5200] write(3, "1000", 4) = 4 [pid 5200] close(3) = 0 [pid 5200] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5200] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5200] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5200] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5200] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5201], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5201 ./strace-static-x86_64: Process 5201 attached [pid 5201] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5201] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5200] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5201] <... futex resumed>) = 0 [pid 5200] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5201] memfd_create("syzkaller", 0) = 3 [pid 5201] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5201] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5201] munmap(0x7f2811caa000, 16777216) = 0 [pid 5201] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5201] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5201] close(3) = 0 [pid 5201] mkdir("./file0", 0777) = 0 [ 109.982783][ T5201] loop0: detected capacity change from 0 to 32768 [ 109.994149][ T5201] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 110.002410][ T5201] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 110.012232][ T5201] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 110.020700][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 110.027545][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5201] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5201] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5201] chdir("./file0") = 0 [pid 5201] ioctl(4, LOOP_CLR_FD) = 0 [pid 5201] close(4) = 0 [pid 5201] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5200] <... futex resumed>) = 0 [pid 5200] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5200] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5201] <... futex resumed>) = 1 [pid 5201] open(".", O_RDONLY) = 4 [pid 5201] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5200] <... futex resumed>) = 0 [pid 5200] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5200] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5201] <... futex resumed>) = 1 [ 110.069289][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 110.076824][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 110.082202][ T5201] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 110.096981][ T5201] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 110.105796][ T5201] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 110.105796][ T5201] inode = 12 2341 [pid 5201] getdents64(4, [pid 5200] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5200] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 110.105796][ T5201] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 110.125374][ T5201] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 110.134818][ T5201] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5201 [syz-executor171] iterate_dir+0x228/0x570 [ 110.145068][ T5201] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 110.153835][ T5201] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5200] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5200] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5200] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5203], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5203 [pid 5200] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5200] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5203 attached [pid 5203] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5203] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5203] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5200] <... futex resumed>) = 0 [pid 5203] <... futex resumed>) = 1 [ 110.161261][ T5201] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 110.170458][ T5201] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 110.177993][ T5201] gfs2: fsid=syz:syz.0: File system withdrawn [ 110.184523][ T5201] CPU: 0 PID: 5201 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 110.194623][ T5201] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 110.204677][ T5201] Call Trace: [ 110.207968][ T5201] [ 110.210925][ T5201] dump_stack_lvl+0x1e7/0x2d0 [ 110.215634][ T5201] ? nf_tcp_handle_invalid+0x650/0x650 [ 110.221106][ T5201] ? panic+0x770/0x770 [ 110.225188][ T5201] ? kobject_uevent_env+0x54e/0x8e0 [ 110.230415][ T5201] gfs2_withdraw+0xf48/0x1550 [ 110.235128][ T5201] ? gfs2_lm+0x240/0x240 [ 110.239404][ T5201] ? gfs2_dirent_scan+0xb2/0x640 [ 110.244374][ T5201] ? panic+0x770/0x770 [ 110.248452][ T5201] ? gfs2_consist_inode_i+0xf5/0x110 [ 110.253752][ T5201] gfs2_dirent_scan+0x512/0x640 [ 110.258617][ T5201] ? gfs2_dirent_scan+0x640/0x640 [ 110.263670][ T5201] gfs2_dir_read+0x82f/0x1af0 [ 110.268363][ T5201] ? inode_dio_wait+0x2ad/0x340 [ 110.273230][ T5201] ? inode_owner_or_capable+0x1c0/0x1c0 [ 110.278796][ T5201] ? gfs2_dir_hash_inval+0x80/0x80 [ 110.283920][ T5201] ? _raw_spin_unlock+0x28/0x40 [ 110.288777][ T5201] ? gfs2_glock_nq+0xcbf/0x16c0 [ 110.293652][ T5201] ? inode_go_held+0xea/0x200 [ 110.298342][ T5201] ? gfs2_glock_wait+0x21a/0x2b0 [ 110.303304][ T5201] gfs2_readdir+0x14e/0x1b0 [ 110.307824][ T5201] ? __fdget_pos+0x254/0x2f0 [ 110.312425][ T5201] ? gfs2_fallocate+0x490/0x490 [ 110.317296][ T5201] ? iterate_dir+0x228/0x570 [ 110.321917][ T5201] ? __down_read_common+0x184/0x2c0 [ 110.327218][ T5201] ? iterate_dir+0x10e/0x570 [ 110.331832][ T5201] iterate_dir+0x228/0x570 [ 110.336292][ T5201] ? gfs2_fallocate+0x490/0x490 [ 110.341183][ T5201] __se_sys_getdents64+0x20d/0x4f0 [ 110.346434][ T5201] ? _raw_spin_unlock_irq+0x2e/0x50 [ 110.351707][ T5201] ? __x64_sys_getdents64+0x80/0x80 [ 110.357014][ T5201] ? filldir+0x740/0x740 [ 110.361295][ T5201] ? syscall_enter_from_user_mode+0x32/0x230 [ 110.367862][ T5201] ? syscall_enter_from_user_mode+0x8c/0x230 [ 110.373865][ T5201] do_syscall_64+0x41/0xc0 [ 110.378307][ T5201] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 110.384214][ T5201] RIP: 0033:0x7f281a11eab9 [ 110.388642][ T5201] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 110.408279][ T5201] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5203] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5201] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5201] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5201] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5200] exit_group(0 [pid 5203] <... futex resumed>) = ? [pid 5201] <... futex resumed>) = ? [pid 5200] <... exit_group resumed>) = ? [pid 5201] +++ exited with 0 +++ [pid 5203] +++ exited with 0 +++ [pid 5200] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5200, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=34 /* 0.34 s */} --- umount2("./49", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./49", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./49/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./49/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./49/binderfs") = 0 [ 110.416708][ T5201] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 110.424690][ T5201] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 110.432708][ T5201] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 110.440703][ T5201] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 110.448772][ T5201] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 110.456766][ T5201] umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./49/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./49/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./49/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./49/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./49") = 0 mkdir("./50", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5204 ./strace-static-x86_64: Process 5204 attached [pid 5204] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5204] chdir("./50") = 0 [pid 5204] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5204] setpgid(0, 0) = 0 [pid 5204] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5204] write(3, "1000", 4) = 4 [pid 5204] close(3) = 0 [pid 5204] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5204] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5204] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5204] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5204] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5205 attached [pid 5205] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5205] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5204] <... clone resumed>, parent_tid=[5205], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5205 [pid 5204] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5205] <... futex resumed>) = 0 [pid 5204] <... futex resumed>) = 1 [pid 5204] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5205] memfd_create("syzkaller", 0) = 3 [pid 5205] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5205] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5205] munmap(0x7f2811caa000, 16777216) = 0 [pid 5205] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5205] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5205] close(3) = 0 [pid 5205] mkdir("./file0", 0777) = 0 [ 110.848161][ T5205] loop0: detected capacity change from 0 to 32768 [ 110.859854][ T5205] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 110.868152][ T5205] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 110.878028][ T5205] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 110.886874][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 110.893729][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5205] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5205] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5205] chdir("./file0") = 0 [pid 5205] ioctl(4, LOOP_CLR_FD) = 0 [pid 5205] close(4) = 0 [pid 5205] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5204] <... futex resumed>) = 0 [pid 5205] open(".", O_RDONLY [pid 5204] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5205] <... open resumed>) = 4 [pid 5204] <... futex resumed>) = 0 [pid 5205] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5204] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5205] <... futex resumed>) = 0 [pid 5204] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5205] getdents64(4, [ 110.931949][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 110.940345][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 110.945861][ T5205] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5204] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 110.975135][ T5205] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 110.984919][ T5205] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 110.984919][ T5205] inode = 12 2341 [ 110.984919][ T5205] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 111.003959][ T5205] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 111.013071][ T5205] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5205 [syz-executor171] iterate_dir+0x228/0x570 [pid 5204] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5204] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5204] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5204] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5204] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5207], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5207 [pid 5204] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5204] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5207 attached [pid 5207] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5207] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5207] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5204] <... futex resumed>) = 0 [pid 5207] <... futex resumed>) = 1 [ 111.023856][ T5205] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 111.032323][ T5205] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 111.040401][ T5205] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 111.049351][ T5205] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 111.056009][ T5205] gfs2: fsid=syz:syz.0: File system withdrawn [ 111.062748][ T5205] CPU: 0 PID: 5205 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 111.072853][ T5205] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 111.082927][ T5205] Call Trace: [ 111.086223][ T5205] [ 111.089157][ T5205] dump_stack_lvl+0x1e7/0x2d0 [ 111.093884][ T5205] ? nf_tcp_handle_invalid+0x650/0x650 [ 111.099394][ T5205] ? panic+0x770/0x770 [ 111.103466][ T5205] ? kobject_uevent_env+0x54e/0x8e0 [ 111.108698][ T5205] gfs2_withdraw+0xf48/0x1550 [ 111.113429][ T5205] ? gfs2_lm+0x240/0x240 [ 111.117680][ T5205] ? gfs2_dirent_scan+0xb2/0x640 [pid 5207] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5204] exit_group(0 [pid 5207] <... futex resumed>) = ? [pid 5204] <... exit_group resumed>) = ? [pid 5207] +++ exited with 0 +++ [ 111.122636][ T5205] ? panic+0x770/0x770 [ 111.126837][ T5205] ? gfs2_consist_inode_i+0xf5/0x110 [ 111.132174][ T5205] gfs2_dirent_scan+0x512/0x640 [ 111.137052][ T5205] ? gfs2_dirent_scan+0x640/0x640 [ 111.142101][ T5205] gfs2_dir_read+0x82f/0x1af0 [ 111.146806][ T5205] ? inode_dio_wait+0x2ad/0x340 [ 111.151666][ T5205] ? inode_owner_or_capable+0x1c0/0x1c0 [ 111.157232][ T5205] ? gfs2_dir_hash_inval+0x80/0x80 [ 111.162374][ T5205] ? _raw_spin_unlock+0x28/0x40 [ 111.167239][ T5205] ? gfs2_glock_nq+0xcbf/0x16c0 [ 111.172101][ T5205] ? inode_go_held+0xea/0x200 [ 111.176808][ T5205] ? gfs2_glock_wait+0x21a/0x2b0 [ 111.181780][ T5205] gfs2_readdir+0x14e/0x1b0 [ 111.186299][ T5205] ? __fdget_pos+0x254/0x2f0 [ 111.190899][ T5205] ? gfs2_fallocate+0x490/0x490 [ 111.195948][ T5205] ? iterate_dir+0x228/0x570 [ 111.200569][ T5205] ? __down_read_common+0x184/0x2c0 [ 111.205790][ T5205] ? iterate_dir+0x10e/0x570 [ 111.210416][ T5205] iterate_dir+0x228/0x570 [ 111.214873][ T5205] ? gfs2_fallocate+0x490/0x490 [ 111.219749][ T5205] __se_sys_getdents64+0x20d/0x4f0 [ 111.224868][ T5205] ? _raw_spin_unlock_irq+0x2e/0x50 [ 111.230084][ T5205] ? __x64_sys_getdents64+0x80/0x80 [ 111.235296][ T5205] ? filldir+0x740/0x740 [ 111.239578][ T5205] ? syscall_enter_from_user_mode+0x32/0x230 [ 111.245578][ T5205] ? syscall_enter_from_user_mode+0x8c/0x230 [ 111.251574][ T5205] do_syscall_64+0x41/0xc0 [ 111.256021][ T5205] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 111.261966][ T5205] RIP: 0033:0x7f281a11eab9 [ 111.266377][ T5205] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 111.285980][ T5205] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 111.294394][ T5205] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 111.302538][ T5205] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 111.310505][ T5205] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 111.318482][ T5205] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5205] <... getdents64 resumed> ) = ? [pid 5205] +++ exited with 0 +++ [pid 5204] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5204, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=26 /* 0.26 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./50", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./50", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./50/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./50/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./50/binderfs") = 0 [ 111.326468][ T5205] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 111.334475][ T5205] umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./50/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./50/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./50/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./50/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./50") = 0 mkdir("./51", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5208 ./strace-static-x86_64: Process 5208 attached [pid 5208] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5208] chdir("./51") = 0 [pid 5208] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5208] setpgid(0, 0) = 0 [pid 5208] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5208] write(3, "1000", 4) = 4 [pid 5208] close(3) = 0 [pid 5208] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5208] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5208] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5208] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5208] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5209 attached , parent_tid=[5209], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5209 [pid 5209] set_robust_list(0x7f281a0ca9e0, 24 [pid 5208] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5209] <... set_robust_list resumed>) = 0 [pid 5208] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5209] memfd_create("syzkaller", 0) = 3 [pid 5209] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5209] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5209] munmap(0x7f2811caa000, 16777216) = 0 [pid 5209] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5209] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5209] close(3) = 0 [pid 5209] mkdir("./file0", 0777) = 0 [ 111.709677][ T5209] loop0: detected capacity change from 0 to 32768 [ 111.721943][ T5209] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 111.730457][ T5209] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 111.740612][ T5209] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 111.749342][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 111.756245][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5209] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5209] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5209] chdir("./file0") = 0 [pid 5209] ioctl(4, LOOP_CLR_FD) = 0 [pid 5209] close(4) = 0 [pid 5209] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5208] <... futex resumed>) = 0 [pid 5208] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5208] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5209] <... futex resumed>) = 1 [pid 5209] open(".", O_RDONLY) = 4 [pid 5209] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5208] <... futex resumed>) = 0 [pid 5209] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5208] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5209] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5208] <... futex resumed>) = 0 [pid 5209] getdents64(4, [ 111.791328][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 111.799610][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 111.804940][ T5209] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 111.835892][ T5209] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 111.844541][ T5209] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 111.844541][ T5209] inode = 12 2341 [ 111.844541][ T5209] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 111.863352][ T5209] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 111.872432][ T5209] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5209 [syz-executor171] iterate_dir+0x228/0x570 [pid 5208] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5208] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5208] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5208] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5208] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5211], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5211 [pid 5208] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 111.882414][ T5209] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 111.890864][ T5209] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 111.898156][ T5209] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 111.907305][ T5209] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 111.915559][ T5209] gfs2: fsid=syz:syz.0: File system withdrawn [ 111.922375][ T5209] CPU: 0 PID: 5209 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [pid 5208] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 111.932463][ T5209] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 111.942521][ T5209] Call Trace: [ 111.945802][ T5209] [ 111.948740][ T5209] dump_stack_lvl+0x1e7/0x2d0 [ 111.953457][ T5209] ? nf_tcp_handle_invalid+0x650/0x650 [ 111.958955][ T5209] ? panic+0x770/0x770 [ 111.963055][ T5209] ? kobject_uevent_env+0x54e/0x8e0 [ 111.968705][ T5209] gfs2_withdraw+0xf48/0x1550 [ 111.973448][ T5209] ? gfs2_lm+0x240/0x240 [ 111.977736][ T5209] ? gfs2_dirent_scan+0xb2/0x640 [ 111.982685][ T5209] ? panic+0x770/0x770 ./strace-static-x86_64: Process 5211 attached [pid 5211] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5211] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5211] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 111.986766][ T5209] ? gfs2_consist_inode_i+0xf5/0x110 [ 111.992069][ T5209] gfs2_dirent_scan+0x512/0x640 [ 111.996977][ T5209] ? gfs2_dirent_scan+0x640/0x640 [ 112.002032][ T5209] gfs2_dir_read+0x82f/0x1af0 [ 112.006748][ T5209] ? inode_dio_wait+0x2ad/0x340 [ 112.011617][ T5209] ? inode_owner_or_capable+0x1c0/0x1c0 [ 112.017174][ T5209] ? gfs2_dir_hash_inval+0x80/0x80 [ 112.022317][ T5209] ? _raw_spin_unlock+0x28/0x40 [ 112.027189][ T5209] ? gfs2_glock_nq+0xcbf/0x16c0 [ 112.032075][ T5209] ? inode_go_held+0xea/0x200 [ 112.036774][ T5209] ? gfs2_glock_wait+0x21a/0x2b0 [ 112.041721][ T5209] gfs2_readdir+0x14e/0x1b0 [ 112.046271][ T5209] ? __fdget_pos+0x254/0x2f0 [ 112.050893][ T5209] ? gfs2_fallocate+0x490/0x490 [ 112.055807][ T5209] ? iterate_dir+0x228/0x570 [ 112.060431][ T5209] ? __down_read_common+0x184/0x2c0 [ 112.065652][ T5209] ? iterate_dir+0x10e/0x570 [ 112.070282][ T5209] iterate_dir+0x228/0x570 [ 112.074721][ T5209] ? gfs2_fallocate+0x490/0x490 [ 112.079593][ T5209] __se_sys_getdents64+0x20d/0x4f0 [pid 5211] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5208] exit_group(0 [pid 5211] <... futex resumed>) = ? [pid 5208] <... exit_group resumed>) = ? [pid 5211] +++ exited with 0 +++ [ 112.084726][ T5209] ? _raw_spin_unlock_irq+0x2e/0x50 [ 112.089953][ T5209] ? __x64_sys_getdents64+0x80/0x80 [ 112.095167][ T5209] ? filldir+0x740/0x740 [ 112.099434][ T5209] ? syscall_enter_from_user_mode+0x32/0x230 [ 112.105517][ T5209] ? syscall_enter_from_user_mode+0x8c/0x230 [ 112.111500][ T5209] do_syscall_64+0x41/0xc0 [ 112.115923][ T5209] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 112.121839][ T5209] RIP: 0033:0x7f281a11eab9 [ 112.126289][ T5209] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 112.145901][ T5209] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 112.154358][ T5209] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 112.162422][ T5209] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 112.170395][ T5209] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 112.178384][ T5209] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5209] <... getdents64 resumed> ) = ? [pid 5209] +++ exited with 0 +++ [pid 5208] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5208, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- umount2("./51", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./51", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./51/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./51/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./51/binderfs") = 0 [ 112.186369][ T5209] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 112.194375][ T5209] umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./51/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./51/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./51/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./51/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./51") = 0 mkdir("./52", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5212 ./strace-static-x86_64: Process 5212 attached [pid 5212] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5212] chdir("./52") = 0 [pid 5212] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5212] setpgid(0, 0) = 0 [pid 5212] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5212] write(3, "1000", 4) = 4 [pid 5212] close(3) = 0 [pid 5212] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5212] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5212] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5212] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5212] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5213], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5213 [pid 5212] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5212] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5213 attached [pid 5213] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5213] memfd_create("syzkaller", 0) = 3 [pid 5213] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5213] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5213] munmap(0x7f2811caa000, 16777216) = 0 [pid 5213] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5213] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5213] close(3) = 0 [pid 5213] mkdir("./file0", 0777) = 0 [ 112.589454][ T5213] loop0: detected capacity change from 0 to 32768 [ 112.601175][ T5213] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 112.609467][ T5213] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 112.619766][ T5213] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 112.628719][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 112.635661][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5213] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5213] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5213] chdir("./file0") = 0 [pid 5213] ioctl(4, LOOP_CLR_FD) = 0 [pid 5213] close(4) = 0 [pid 5213] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5213] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5212] <... futex resumed>) = 0 [pid 5212] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5212] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5213] <... futex resumed>) = 0 [pid 5213] open(".", O_RDONLY) = 4 [pid 5213] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5212] <... futex resumed>) = 0 [pid 5212] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5212] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5213] <... futex resumed>) = 1 [ 112.676782][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 112.684326][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 112.689573][ T5213] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 112.714238][ T5213] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5213] getdents64(4, [pid 5212] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5212] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5212] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5212] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5212] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5215], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5215 [pid 5212] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5212] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5215 attached [pid 5215] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5215] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5215] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5212] <... futex resumed>) = 0 [pid 5215] <... futex resumed>) = 1 [ 112.723943][ T5213] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 112.723943][ T5213] inode = 12 2341 [ 112.723943][ T5213] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 112.743146][ T5213] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 112.752665][ T5213] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5213 [syz-executor171] iterate_dir+0x228/0x570 [ 112.762706][ T5213] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 112.771352][ T5213] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 112.778871][ T5213] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 112.787904][ T5213] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 112.796339][ T5213] gfs2: fsid=syz:syz.0: File system withdrawn [ 112.802747][ T5213] CPU: 0 PID: 5213 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 112.812804][ T5213] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 112.822853][ T5213] Call Trace: [ 112.826129][ T5213] [ 112.829063][ T5213] dump_stack_lvl+0x1e7/0x2d0 [ 112.833753][ T5213] ? nf_tcp_handle_invalid+0x650/0x650 [ 112.839210][ T5213] ? panic+0x770/0x770 [ 112.843278][ T5213] ? kobject_uevent_env+0x54e/0x8e0 [ 112.848485][ T5213] gfs2_withdraw+0xf48/0x1550 [ 112.853210][ T5213] ? gfs2_lm+0x240/0x240 [ 112.857465][ T5213] ? gfs2_dirent_scan+0xb2/0x640 [ 112.862401][ T5213] ? panic+0x770/0x770 [ 112.866473][ T5213] ? gfs2_consist_inode_i+0xf5/0x110 [ 112.871760][ T5213] gfs2_dirent_scan+0x512/0x640 [ 112.876618][ T5213] ? gfs2_dirent_scan+0x640/0x640 [ 112.881657][ T5213] gfs2_dir_read+0x82f/0x1af0 [ 112.886352][ T5213] ? inode_dio_wait+0x2ad/0x340 [ 112.891209][ T5213] ? inode_owner_or_capable+0x1c0/0x1c0 [ 112.896763][ T5213] ? gfs2_dir_hash_inval+0x80/0x80 [ 112.901885][ T5213] ? _raw_spin_unlock+0x28/0x40 [ 112.906744][ T5213] ? gfs2_glock_nq+0xcbf/0x16c0 [ 112.911610][ T5213] ? inode_go_held+0xea/0x200 [ 112.916314][ T5213] ? gfs2_glock_wait+0x21a/0x2b0 [ 112.921265][ T5213] gfs2_readdir+0x14e/0x1b0 [ 112.925780][ T5213] ? __fdget_pos+0x254/0x2f0 [ 112.930374][ T5213] ? gfs2_fallocate+0x490/0x490 [ 112.935239][ T5213] ? iterate_dir+0x228/0x570 [ 112.939860][ T5213] ? __down_read_common+0x184/0x2c0 [ 112.945073][ T5213] ? iterate_dir+0x10e/0x570 [ 112.949683][ T5213] iterate_dir+0x228/0x570 [ 112.954111][ T5213] ? gfs2_fallocate+0x490/0x490 [ 112.958995][ T5213] __se_sys_getdents64+0x20d/0x4f0 [ 112.964122][ T5213] ? _raw_spin_unlock_irq+0x2e/0x50 [ 112.969334][ T5213] ? __x64_sys_getdents64+0x80/0x80 [ 112.974545][ T5213] ? filldir+0x740/0x740 [ 112.978814][ T5213] ? syscall_enter_from_user_mode+0x32/0x230 [ 112.984802][ T5213] ? syscall_enter_from_user_mode+0x8c/0x230 [ 112.990821][ T5213] do_syscall_64+0x41/0xc0 [ 112.995243][ T5213] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 113.001137][ T5213] RIP: 0033:0x7f281a11eab9 [ 113.005555][ T5213] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5215] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5213] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5213] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5212] exit_group(0 [pid 5215] <... futex resumed>) = ? [pid 5212] <... exit_group resumed>) = ? [pid 5215] +++ exited with 0 +++ [pid 5213] <... futex resumed>) = ? [pid 5213] +++ exited with 0 +++ [pid 5212] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5212, si_uid=0, si_status=0, si_utime=0, si_stime=37 /* 0.37 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./52", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./52", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./52/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./52/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./52/binderfs") = 0 [ 113.025164][ T5213] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 113.033583][ T5213] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 113.041650][ T5213] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 113.049667][ T5213] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 113.057647][ T5213] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 113.065630][ T5213] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 113.073624][ T5213] umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./52/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./52/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./52/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./52/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./52") = 0 mkdir("./53", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5216 ./strace-static-x86_64: Process 5216 attached [pid 5216] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5216] chdir("./53") = 0 [pid 5216] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5216] setpgid(0, 0) = 0 [pid 5216] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5216] write(3, "1000", 4) = 4 [pid 5216] close(3) = 0 [pid 5216] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5216] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5216] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5216] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5216] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5217 attached , parent_tid=[5217], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5217 [pid 5217] set_robust_list(0x7f281a0ca9e0, 24 [pid 5216] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5216] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5217] <... set_robust_list resumed>) = 0 [pid 5217] memfd_create("syzkaller", 0) = 3 [pid 5217] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5217] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5217] munmap(0x7f2811caa000, 16777216) = 0 [pid 5217] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5217] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5217] close(3) = 0 [pid 5217] mkdir("./file0", 0777) = 0 [ 113.431109][ T5217] loop0: detected capacity change from 0 to 32768 [ 113.444598][ T5217] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 113.452833][ T5217] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 113.462478][ T5217] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 113.471228][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 113.478137][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5217] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5217] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5217] chdir("./file0") = 0 [pid 5217] ioctl(4, LOOP_CLR_FD) = 0 [pid 5217] close(4) = 0 [pid 5217] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5217] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5216] <... futex resumed>) = 0 [pid 5216] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5217] <... futex resumed>) = 0 [pid 5216] <... futex resumed>) = 1 [pid 5217] open(".", O_RDONLY) = 4 [pid 5217] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5217] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5216] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 EAGAIN (Resource temporarily unavailable) [pid 5216] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5216] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5217] <... futex resumed>) = 0 [ 113.518830][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 113.527916][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 113.533150][ T5217] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 113.557063][ T5217] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5217] getdents64(4, [pid 5216] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5216] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5216] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5216] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5216] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5219], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5219 [pid 5216] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5216] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5219 attached [pid 5219] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5219] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5219] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5216] <... futex resumed>) = 0 [pid 5219] <... futex resumed>) = 1 [ 113.573901][ T5217] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 113.573901][ T5217] inode = 12 2341 [ 113.573901][ T5217] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 113.592974][ T5217] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 113.602121][ T5217] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5217 [syz-executor171] iterate_dir+0x228/0x570 [ 113.613297][ T5217] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 113.621749][ T5217] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 113.629141][ T5217] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 113.638480][ T5217] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 113.645479][ T5217] gfs2: fsid=syz:syz.0: File system withdrawn [ 113.651565][ T5217] CPU: 1 PID: 5217 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 113.661717][ T5217] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 113.671822][ T5217] Call Trace: [ 113.675142][ T5217] [ 113.678082][ T5217] dump_stack_lvl+0x1e7/0x2d0 [ 113.682806][ T5217] ? nf_tcp_handle_invalid+0x650/0x650 [ 113.688278][ T5217] ? panic+0x770/0x770 [ 113.692365][ T5217] ? kobject_uevent_env+0x54e/0x8e0 [ 113.697637][ T5217] gfs2_withdraw+0xf48/0x1550 [ 113.702355][ T5217] ? gfs2_lm+0x240/0x240 [ 113.706651][ T5217] ? gfs2_dirent_scan+0xb2/0x640 [ 113.711611][ T5217] ? panic+0x770/0x770 [ 113.715687][ T5217] ? gfs2_consist_inode_i+0xf5/0x110 [pid 5219] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5216] exit_group(0 [pid 5219] <... futex resumed>) = ? [pid 5216] <... exit_group resumed>) = ? [pid 5219] +++ exited with 0 +++ [ 113.720999][ T5217] gfs2_dirent_scan+0x512/0x640 [ 113.725869][ T5217] ? gfs2_dirent_scan+0x640/0x640 [ 113.730916][ T5217] gfs2_dir_read+0x82f/0x1af0 [ 113.735626][ T5217] ? inode_dio_wait+0x2ad/0x340 [ 113.740497][ T5217] ? inode_owner_or_capable+0x1c0/0x1c0 [ 113.746068][ T5217] ? gfs2_dir_hash_inval+0x80/0x80 [ 113.751280][ T5217] ? _raw_spin_unlock+0x28/0x40 [ 113.756138][ T5217] ? gfs2_glock_nq+0xcbf/0x16c0 [ 113.761017][ T5217] ? inode_go_held+0xea/0x200 [ 113.765717][ T5217] ? gfs2_glock_wait+0x21a/0x2b0 [ 113.770683][ T5217] gfs2_readdir+0x14e/0x1b0 [ 113.775230][ T5217] ? __fdget_pos+0x254/0x2f0 [ 113.779841][ T5217] ? gfs2_fallocate+0x490/0x490 [ 113.784698][ T5217] ? iterate_dir+0x228/0x570 [ 113.789320][ T5217] ? __down_read_common+0x184/0x2c0 [ 113.794530][ T5217] ? iterate_dir+0x10e/0x570 [ 113.799142][ T5217] iterate_dir+0x228/0x570 [ 113.803587][ T5217] ? gfs2_fallocate+0x490/0x490 [ 113.808450][ T5217] __se_sys_getdents64+0x20d/0x4f0 [ 113.813572][ T5217] ? _raw_spin_unlock_irq+0x2e/0x50 [ 113.818818][ T5217] ? __x64_sys_getdents64+0x80/0x80 [ 113.824044][ T5217] ? filldir+0x740/0x740 [ 113.828313][ T5217] ? syscall_enter_from_user_mode+0x32/0x230 [ 113.834318][ T5217] ? syscall_enter_from_user_mode+0x8c/0x230 [ 113.840298][ T5217] do_syscall_64+0x41/0xc0 [ 113.844723][ T5217] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 113.850626][ T5217] RIP: 0033:0x7f281a11eab9 [ 113.855065][ T5217] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 113.874718][ T5217] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 113.883131][ T5217] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 113.891109][ T5217] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 113.899105][ T5217] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 113.907091][ T5217] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 113.915139][ T5217] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [pid 5217] <... getdents64 resumed> ) = ? [pid 5217] +++ exited with 0 +++ [pid 5216] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5216, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./53", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./53", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./53/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./53/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./53/binderfs") = 0 [ 113.923147][ T5217] umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./53/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./53/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./53/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./53/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./53") = 0 mkdir("./54", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5220 ./strace-static-x86_64: Process 5220 attached [pid 5220] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5220] chdir("./54") = 0 [pid 5220] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5220] setpgid(0, 0) = 0 [pid 5220] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5220] write(3, "1000", 4) = 4 [pid 5220] close(3) = 0 [pid 5220] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5220] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5220] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5220] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5220] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5221], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5221 [pid 5220] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5220] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5221 attached [pid 5221] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5221] memfd_create("syzkaller", 0) = 3 [pid 5221] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5221] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5221] munmap(0x7f2811caa000, 16777216) = 0 [pid 5221] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5221] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5221] close(3) = 0 [pid 5221] mkdir("./file0", 0777) = 0 [ 114.334762][ T5221] loop0: detected capacity change from 0 to 32768 [ 114.346607][ T5221] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 114.355737][ T5221] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 114.365600][ T5221] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 114.374170][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 114.381002][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5221] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5221] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5221] chdir("./file0") = 0 [pid 5221] ioctl(4, LOOP_CLR_FD) = 0 [pid 5221] close(4) = 0 [pid 5221] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5221] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5220] <... futex resumed>) = 0 [pid 5220] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5220] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5221] <... futex resumed>) = 0 [pid 5221] open(".", O_RDONLY) = 4 [pid 5221] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5220] <... futex resumed>) = 0 [pid 5220] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5220] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 114.420121][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 114.429254][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 114.434604][ T5221] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 114.456732][ T5221] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5221] getdents64(4, [pid 5220] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 114.465609][ T5221] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 114.465609][ T5221] inode = 12 2341 [ 114.465609][ T5221] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 114.484583][ T5221] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 114.494401][ T5221] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5221 [syz-executor171] iterate_dir+0x228/0x570 [ 114.504381][ T5221] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 114.512903][ T5221] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5220] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5220] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5220] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5220] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5223], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5223 [pid 5220] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5220] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5223 attached [pid 5223] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5223] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5223] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5220] <... futex resumed>) = 0 [ 114.520477][ T5221] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 114.532237][ T5221] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 114.540634][ T5221] gfs2: fsid=syz:syz.0: File system withdrawn [ 114.546766][ T5221] CPU: 0 PID: 5221 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 114.556864][ T5221] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 114.566937][ T5221] Call Trace: [ 114.570224][ T5221] [ 114.573162][ T5221] dump_stack_lvl+0x1e7/0x2d0 [ 114.577871][ T5221] ? nf_tcp_handle_invalid+0x650/0x650 [ 114.583342][ T5221] ? panic+0x770/0x770 [ 114.587425][ T5221] ? kobject_uevent_env+0x54e/0x8e0 [ 114.592669][ T5221] gfs2_withdraw+0xf48/0x1550 [ 114.597407][ T5221] ? gfs2_lm+0x240/0x240 [ 114.601657][ T5221] ? gfs2_dirent_scan+0xb2/0x640 [ 114.606609][ T5221] ? panic+0x770/0x770 [ 114.610744][ T5221] ? gfs2_consist_inode_i+0xf5/0x110 [ 114.616091][ T5221] gfs2_dirent_scan+0x512/0x640 [ 114.620971][ T5221] ? gfs2_dirent_scan+0x640/0x640 [ 114.626003][ T5221] gfs2_dir_read+0x82f/0x1af0 [ 114.630701][ T5221] ? inode_dio_wait+0x2ad/0x340 [ 114.635567][ T5221] ? inode_owner_or_capable+0x1c0/0x1c0 [ 114.641130][ T5221] ? gfs2_dir_hash_inval+0x80/0x80 [ 114.646247][ T5221] ? _raw_spin_unlock+0x28/0x40 [ 114.651101][ T5221] ? gfs2_glock_nq+0xcbf/0x16c0 [ 114.655974][ T5221] ? inode_go_held+0xea/0x200 [ 114.660663][ T5221] ? gfs2_glock_wait+0x21a/0x2b0 [ 114.665620][ T5221] gfs2_readdir+0x14e/0x1b0 [ 114.670152][ T5221] ? __fdget_pos+0x254/0x2f0 [ 114.674750][ T5221] ? gfs2_fallocate+0x490/0x490 [ 114.679619][ T5221] ? iterate_dir+0x228/0x570 [ 114.684227][ T5221] ? __down_read_common+0x184/0x2c0 [ 114.689452][ T5221] ? iterate_dir+0x10e/0x570 [ 114.694107][ T5221] iterate_dir+0x228/0x570 [ 114.698539][ T5221] ? gfs2_fallocate+0x490/0x490 [ 114.703421][ T5221] __se_sys_getdents64+0x20d/0x4f0 [ 114.708564][ T5221] ? _raw_spin_unlock_irq+0x2e/0x50 [ 114.713798][ T5221] ? __x64_sys_getdents64+0x80/0x80 [ 114.719007][ T5221] ? filldir+0x740/0x740 [ 114.723269][ T5221] ? syscall_enter_from_user_mode+0x32/0x230 [ 114.729258][ T5221] ? syscall_enter_from_user_mode+0x8c/0x230 [ 114.735261][ T5221] do_syscall_64+0x41/0xc0 [ 114.739700][ T5221] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 114.745632][ T5221] RIP: 0033:0x7f281a11eab9 [ 114.750046][ T5221] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5223] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5221] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5221] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5220] exit_group(0 [pid 5221] <... futex resumed>) = ? [pid 5220] <... exit_group resumed>) = ? [pid 5223] <... futex resumed>) = ? [pid 5221] +++ exited with 0 +++ [pid 5223] +++ exited with 0 +++ [pid 5220] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5220, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=33 /* 0.33 s */} --- umount2("./54", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./54", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./54/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./54/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./54/binderfs") = 0 [ 114.769650][ T5221] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 114.778076][ T5221] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 114.786057][ T5221] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 114.794028][ T5221] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 114.802002][ T5221] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 114.809975][ T5221] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 114.817984][ T5221] umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./54/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./54/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./54/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./54/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./54") = 0 mkdir("./55", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5224 ./strace-static-x86_64: Process 5224 attached [pid 5224] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5224] chdir("./55") = 0 [pid 5224] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5224] setpgid(0, 0) = 0 [pid 5224] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5224] write(3, "1000", 4) = 4 [pid 5224] close(3) = 0 [pid 5224] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5224] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5224] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5224] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5224] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5225], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5225 [pid 5224] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5224] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5225 attached [pid 5225] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5225] memfd_create("syzkaller", 0) = 3 [pid 5225] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5225] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5225] munmap(0x7f2811caa000, 16777216) = 0 [pid 5225] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5225] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5225] close(3) = 0 [pid 5225] mkdir("./file0", 0777) = 0 [ 115.179764][ T5225] loop0: detected capacity change from 0 to 32768 [ 115.191982][ T5225] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 115.200707][ T5225] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 115.210833][ T5225] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 115.219897][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 115.226915][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5225] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5225] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5225] chdir("./file0") = 0 [pid 5225] ioctl(4, LOOP_CLR_FD) = 0 [pid 5225] close(4) = 0 [pid 5225] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5224] <... futex resumed>) = 0 [pid 5224] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5224] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5225] <... futex resumed>) = 1 [pid 5225] open(".", O_RDONLY) = 4 [pid 5225] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5224] <... futex resumed>) = 0 [pid 5224] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5224] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5225] <... futex resumed>) = 1 [ 115.260999][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 115.268568][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 115.273884][ T5225] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 115.302869][ T5225] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 115.311982][ T5225] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 115.311982][ T5225] inode = 12 2341 [ 115.311982][ T5225] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 115.331219][ T5225] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 115.340392][ T5225] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5225 [syz-executor171] iterate_dir+0x228/0x570 [pid 5225] getdents64(4, [pid 5224] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5224] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5224] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5224] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5224] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5227], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5227 [pid 5224] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5224] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5227 attached [ 115.350358][ T5225] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 115.358917][ T5225] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 115.366414][ T5225] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 115.375597][ T5225] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 115.382477][ T5225] gfs2: fsid=syz:syz.0: File system withdrawn [ 115.388675][ T5225] CPU: 0 PID: 5225 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 115.398804][ T5225] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 115.408862][ T5225] Call Trace: [ 115.412142][ T5225] [ 115.415073][ T5225] dump_stack_lvl+0x1e7/0x2d0 [ 115.419764][ T5225] ? nf_tcp_handle_invalid+0x650/0x650 [ 115.425234][ T5225] ? panic+0x770/0x770 [ 115.429308][ T5225] ? kobject_uevent_env+0x54e/0x8e0 [ 115.434517][ T5225] gfs2_withdraw+0xf48/0x1550 [ 115.439213][ T5225] ? gfs2_lm+0x240/0x240 [ 115.443457][ T5225] ? gfs2_dirent_scan+0xb2/0x640 [ 115.448397][ T5225] ? panic+0x770/0x770 [ 115.452479][ T5225] ? gfs2_consist_inode_i+0xf5/0x110 [ 115.457866][ T5225] gfs2_dirent_scan+0x512/0x640 [ 115.462748][ T5225] ? gfs2_dirent_scan+0x640/0x640 [ 115.467791][ T5225] gfs2_dir_read+0x82f/0x1af0 [ 115.472481][ T5225] ? inode_dio_wait+0x2ad/0x340 [ 115.477342][ T5225] ? inode_owner_or_capable+0x1c0/0x1c0 [ 115.482904][ T5225] ? gfs2_dir_hash_inval+0x80/0x80 [ 115.488023][ T5225] ? _raw_spin_unlock+0x28/0x40 [ 115.492897][ T5225] ? gfs2_glock_nq+0xcbf/0x16c0 [ 115.497764][ T5225] ? inode_go_held+0xea/0x200 [ 115.502540][ T5225] ? gfs2_glock_wait+0x21a/0x2b0 [ 115.507489][ T5225] gfs2_readdir+0x14e/0x1b0 [ 115.512014][ T5225] ? __fdget_pos+0x254/0x2f0 [ 115.516619][ T5225] ? gfs2_fallocate+0x490/0x490 [ 115.521481][ T5225] ? iterate_dir+0x228/0x570 [ 115.526083][ T5225] ? __down_read_common+0x184/0x2c0 [ 115.531299][ T5225] ? iterate_dir+0x10e/0x570 [ 115.535905][ T5225] iterate_dir+0x228/0x570 [ 115.540334][ T5225] ? gfs2_fallocate+0x490/0x490 [ 115.545190][ T5225] __se_sys_getdents64+0x20d/0x4f0 [ 115.550305][ T5225] ? _raw_spin_unlock_irq+0x2e/0x50 [ 115.555510][ T5225] ? __x64_sys_getdents64+0x80/0x80 [ 115.560714][ T5225] ? filldir+0x740/0x740 [ 115.564973][ T5225] ? syscall_enter_from_user_mode+0x32/0x230 [ 115.570959][ T5225] ? syscall_enter_from_user_mode+0x8c/0x230 [ 115.576953][ T5225] do_syscall_64+0x41/0xc0 [ 115.581383][ T5225] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 115.587276][ T5225] RIP: 0033:0x7f281a11eab9 [ 115.591687][ T5225] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 115.611382][ T5225] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 115.619810][ T5225] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 115.627793][ T5225] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 115.635785][ T5225] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 115.643782][ T5225] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5227] set_robust_list(0x7f2812ca99e0, 24 [pid 5224] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5227] <... set_robust_list resumed>) = 0 [pid 5227] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5227] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5227] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5225] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5225] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5224] exit_group(0 [pid 5227] <... futex resumed>) = ? [pid 5224] <... exit_group resumed>) = ? [pid 5227] +++ exited with 0 +++ [pid 5225] <... futex resumed>) = ? [pid 5225] +++ exited with 0 +++ [pid 5224] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5224, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./55", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./55", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./55/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./55/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./55/binderfs") = 0 [ 115.651757][ T5225] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 115.659776][ T5225] umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./55/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./55/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./55/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./55/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./55") = 0 mkdir("./56", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5228 ./strace-static-x86_64: Process 5228 attached [pid 5228] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5228] chdir("./56") = 0 [pid 5228] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5228] setpgid(0, 0) = 0 [pid 5228] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5228] write(3, "1000", 4) = 4 [pid 5228] close(3) = 0 [pid 5228] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5228] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5228] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5228] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5228] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5229], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5229 [pid 5228] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5228] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5229 attached [pid 5229] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5229] memfd_create("syzkaller", 0) = 3 [pid 5229] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5229] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5229] munmap(0x7f2811caa000, 16777216) = 0 [pid 5229] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5229] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5229] close(3) = 0 [pid 5229] mkdir("./file0", 0777) = 0 [ 116.048103][ T5229] loop0: detected capacity change from 0 to 32768 [ 116.059157][ T5229] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 116.067658][ T5229] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 116.077035][ T5229] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 116.085658][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 116.092425][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5229] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5229] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5229] chdir("./file0") = 0 [pid 5229] ioctl(4, LOOP_CLR_FD) = 0 [pid 5229] close(4) = 0 [pid 5229] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5228] <... futex resumed>) = 0 [pid 5228] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5228] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5229] <... futex resumed>) = 1 [pid 5229] open(".", O_RDONLY) = 4 [pid 5229] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5228] <... futex resumed>) = 0 [pid 5228] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5228] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5229] <... futex resumed>) = 1 [ 116.127944][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 116.135578][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 116.140878][ T5229] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 116.158564][ T5229] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 116.170941][ T5229] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5229] getdents64(4, [pid 5228] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5228] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5228] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5228] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5228] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5228] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5231], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5231 [pid 5228] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5228] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5231 attached [pid 5231] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5231] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5231] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5228] <... futex resumed>) = 0 [pid 5231] <... futex resumed>) = 1 [ 116.170941][ T5229] inode = 12 2341 [ 116.170941][ T5229] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 116.190453][ T5229] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 116.199764][ T5229] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5229 [syz-executor171] iterate_dir+0x228/0x570 [ 116.210018][ T5229] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 116.218752][ T5229] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 116.226234][ T5229] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 116.235585][ T5229] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 116.242897][ T5229] gfs2: fsid=syz:syz.0: File system withdrawn [ 116.249346][ T5229] CPU: 0 PID: 5229 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 116.259405][ T5229] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 116.269462][ T5229] Call Trace: [ 116.272745][ T5229] [ 116.275685][ T5229] dump_stack_lvl+0x1e7/0x2d0 [ 116.280373][ T5229] ? nf_tcp_handle_invalid+0x650/0x650 [ 116.285839][ T5229] ? panic+0x770/0x770 [ 116.289908][ T5229] ? kobject_uevent_env+0x54e/0x8e0 [ 116.295112][ T5229] gfs2_withdraw+0xf48/0x1550 [ 116.299804][ T5229] ? gfs2_lm+0x240/0x240 [ 116.304136][ T5229] ? gfs2_dirent_scan+0xb2/0x640 [ 116.309077][ T5229] ? panic+0x770/0x770 [ 116.313187][ T5229] ? gfs2_consist_inode_i+0xf5/0x110 [ 116.318491][ T5229] gfs2_dirent_scan+0x512/0x640 [ 116.323355][ T5229] ? gfs2_dirent_scan+0x640/0x640 [ 116.328389][ T5229] gfs2_dir_read+0x82f/0x1af0 [ 116.333078][ T5229] ? inode_dio_wait+0x2ad/0x340 [ 116.337942][ T5229] ? inode_owner_or_capable+0x1c0/0x1c0 [ 116.343503][ T5229] ? gfs2_dir_hash_inval+0x80/0x80 [ 116.348628][ T5229] ? _raw_spin_unlock+0x28/0x40 [ 116.353488][ T5229] ? gfs2_glock_nq+0xcbf/0x16c0 [ 116.358360][ T5229] ? inode_go_held+0xea/0x200 [ 116.363051][ T5229] ? gfs2_glock_wait+0x21a/0x2b0 [ 116.368015][ T5229] gfs2_readdir+0x14e/0x1b0 [ 116.372529][ T5229] ? __fdget_pos+0x254/0x2f0 [ 116.377143][ T5229] ? gfs2_fallocate+0x490/0x490 [ 116.382011][ T5229] ? iterate_dir+0x228/0x570 [ 116.386625][ T5229] ? __down_read_common+0x184/0x2c0 [ 116.391835][ T5229] ? iterate_dir+0x10e/0x570 [ 116.396440][ T5229] iterate_dir+0x228/0x570 [ 116.400868][ T5229] ? gfs2_fallocate+0x490/0x490 [ 116.405730][ T5229] __se_sys_getdents64+0x20d/0x4f0 [ 116.410863][ T5229] ? _raw_spin_unlock_irq+0x2e/0x50 [ 116.416087][ T5229] ? __x64_sys_getdents64+0x80/0x80 [ 116.421304][ T5229] ? filldir+0x740/0x740 [ 116.425563][ T5229] ? syscall_enter_from_user_mode+0x32/0x230 [ 116.431548][ T5229] ? syscall_enter_from_user_mode+0x8c/0x230 [ 116.437555][ T5229] do_syscall_64+0x41/0xc0 [ 116.441987][ T5229] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 116.447887][ T5229] RIP: 0033:0x7f281a11eab9 [ 116.452311][ T5229] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5231] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5229] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5229] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5229] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5228] exit_group(0) = ? [pid 5229] <... futex resumed>) = ? [pid 5229] +++ exited with 0 +++ [pid 5231] <... futex resumed>) = ? [pid 5231] +++ exited with 0 +++ [pid 5228] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5228, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./56", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./56", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./56/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./56/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./56/binderfs") = 0 [ 116.471921][ T5229] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 116.480339][ T5229] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 116.488316][ T5229] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 116.496292][ T5229] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 116.504276][ T5229] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 116.512249][ T5229] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 116.520237][ T5229] umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./56/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./56/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./56/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./56/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./56") = 0 mkdir("./57", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5232 ./strace-static-x86_64: Process 5232 attached [pid 5232] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5232] chdir("./57") = 0 [pid 5232] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5232] setpgid(0, 0) = 0 [pid 5232] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5232] write(3, "1000", 4) = 4 [pid 5232] close(3) = 0 [pid 5232] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5232] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5232] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5232] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5232] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5233], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5233 [pid 5232] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5232] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5233 attached [pid 5233] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5233] memfd_create("syzkaller", 0) = 3 [pid 5233] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5233] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5233] munmap(0x7f2811caa000, 16777216) = 0 [pid 5233] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5233] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5233] close(3) = 0 [pid 5233] mkdir("./file0", 0777) = 0 [ 116.880235][ T5233] loop0: detected capacity change from 0 to 32768 [ 116.892181][ T5233] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 116.900662][ T5233] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 116.911047][ T5233] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 116.919993][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 116.927026][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5233] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5233] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5233] chdir("./file0") = 0 [pid 5233] ioctl(4, LOOP_CLR_FD) = 0 [pid 5233] close(4) = 0 [pid 5233] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5232] <... futex resumed>) = 0 [pid 5232] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5232] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5233] <... futex resumed>) = 1 [pid 5233] open(".", O_RDONLY) = 4 [pid 5233] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5232] <... futex resumed>) = 0 [pid 5232] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5232] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5233] <... futex resumed>) = 1 [ 116.961556][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 116.969705][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 116.974989][ T5233] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 117.002160][ T5233] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 117.011182][ T5233] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 117.011182][ T5233] inode = 12 2341 [ 117.011182][ T5233] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 117.030063][ T5233] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 117.039520][ T5233] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5233 [syz-executor171] iterate_dir+0x228/0x570 [pid 5233] getdents64(4, [pid 5232] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5232] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5232] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5232] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5232] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5235 attached , parent_tid=[5235], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5235 [pid 5232] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5232] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5235] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5235] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5235] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5232] <... futex resumed>) = 0 [pid 5235] <... futex resumed>) = 1 [ 117.050088][ T5233] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 117.061499][ T5233] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 117.068877][ T5233] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 117.077866][ T5233] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 117.085027][ T5233] gfs2: fsid=syz:syz.0: File system withdrawn [ 117.091206][ T5233] CPU: 1 PID: 5233 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 117.101385][ T5233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 117.111440][ T5233] Call Trace: [ 117.114727][ T5233] [ 117.117682][ T5233] dump_stack_lvl+0x1e7/0x2d0 [ 117.122399][ T5233] ? nf_tcp_handle_invalid+0x650/0x650 [ 117.127965][ T5233] ? panic+0x770/0x770 [ 117.132075][ T5233] ? kobject_uevent_env+0x54e/0x8e0 [ 117.137316][ T5233] gfs2_withdraw+0xf48/0x1550 [ 117.142104][ T5233] ? gfs2_lm+0x240/0x240 [ 117.146392][ T5233] ? gfs2_dirent_scan+0xb2/0x640 [ 117.151531][ T5233] ? panic+0x770/0x770 [ 117.155650][ T5233] ? gfs2_consist_inode_i+0xf5/0x110 [ 117.160964][ T5233] gfs2_dirent_scan+0x512/0x640 [ 117.165859][ T5233] ? gfs2_dirent_scan+0x640/0x640 [ 117.170911][ T5233] gfs2_dir_read+0x82f/0x1af0 [ 117.175627][ T5233] ? inode_dio_wait+0x2ad/0x340 [ 117.180521][ T5233] ? inode_owner_or_capable+0x1c0/0x1c0 [ 117.186118][ T5233] ? gfs2_dir_hash_inval+0x80/0x80 [ 117.191234][ T5233] ? _raw_spin_unlock+0x28/0x40 [ 117.196099][ T5233] ? gfs2_glock_nq+0xcbf/0x16c0 [pid 5235] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5232] exit_group(0 [pid 5235] <... futex resumed>) = ? [pid 5232] <... exit_group resumed>) = ? [pid 5235] +++ exited with 0 +++ [ 117.200975][ T5233] ? inode_go_held+0xea/0x200 [ 117.205677][ T5233] ? gfs2_glock_wait+0x21a/0x2b0 [ 117.210626][ T5233] gfs2_readdir+0x14e/0x1b0 [ 117.215184][ T5233] ? __fdget_pos+0x254/0x2f0 [ 117.219779][ T5233] ? gfs2_fallocate+0x490/0x490 [ 117.224652][ T5233] ? iterate_dir+0x228/0x570 [ 117.229264][ T5233] ? __down_read_common+0x184/0x2c0 [ 117.234473][ T5233] ? iterate_dir+0x10e/0x570 [ 117.239089][ T5233] iterate_dir+0x228/0x570 [ 117.243514][ T5233] ? gfs2_fallocate+0x490/0x490 [ 117.248398][ T5233] __se_sys_getdents64+0x20d/0x4f0 [ 117.253542][ T5233] ? _raw_spin_unlock_irq+0x2e/0x50 [ 117.258769][ T5233] ? __x64_sys_getdents64+0x80/0x80 [ 117.263986][ T5233] ? filldir+0x740/0x740 [ 117.268279][ T5233] ? syscall_enter_from_user_mode+0x32/0x230 [ 117.274286][ T5233] ? syscall_enter_from_user_mode+0x8c/0x230 [ 117.280270][ T5233] do_syscall_64+0x41/0xc0 [ 117.284709][ T5233] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 117.290613][ T5233] RIP: 0033:0x7f281a11eab9 [ 117.295046][ T5233] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 117.314668][ T5233] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 117.323083][ T5233] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 117.331051][ T5233] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 117.339028][ T5233] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5233] <... getdents64 resumed> ) = ? [pid 5233] +++ exited with 0 +++ [pid 5232] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5232, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./57", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./57", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./57/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./57/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./57/binderfs") = 0 [ 117.347015][ T5233] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 117.354993][ T5233] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 117.362996][ T5233] umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./57/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./57/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./57/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./57/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./57") = 0 mkdir("./58", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5236 ./strace-static-x86_64: Process 5236 attached [pid 5236] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5236] chdir("./58") = 0 [pid 5236] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5236] setpgid(0, 0) = 0 [pid 5236] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5236] write(3, "1000", 4) = 4 [pid 5236] close(3) = 0 [pid 5236] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5236] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5236] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5236] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5236] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5237 attached , parent_tid=[5237], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5237 [pid 5236] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5236] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5237] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5237] memfd_create("syzkaller", 0) = 3 [pid 5237] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5237] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5237] munmap(0x7f2811caa000, 16777216) = 0 [pid 5237] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5237] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5237] close(3) = 0 [pid 5237] mkdir("./file0", 0777) = 0 [ 117.721224][ T5237] loop0: detected capacity change from 0 to 32768 [ 117.733842][ T5237] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 117.742310][ T5237] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 117.751579][ T5237] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 117.760107][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 117.767146][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5237] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5237] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5237] chdir("./file0") = 0 [pid 5237] ioctl(4, LOOP_CLR_FD) = 0 [pid 5237] close(4) = 0 [pid 5237] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5236] <... futex resumed>) = 0 [pid 5236] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5236] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5237] <... futex resumed>) = 1 [pid 5237] open(".", O_RDONLY) = 4 [pid 5237] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5236] <... futex resumed>) = 0 [pid 5236] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5236] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 117.805459][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 117.813126][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 117.818571][ T5237] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 117.840422][ T5237] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5237] getdents64(4, [pid 5236] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5236] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5236] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5236] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5236] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5236] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5236] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5239], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5239 [pid 5236] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5236] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5239 attached [pid 5239] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 117.853409][ T5237] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 117.853409][ T5237] inode = 12 2341 [ 117.853409][ T5237] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 117.872301][ T5237] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 117.881498][ T5237] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5237 [syz-executor171] iterate_dir+0x228/0x570 [ 117.891840][ T5237] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 117.893694][ T5239] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 117.900898][ T5237] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 117.909590][ T5239] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 117.915973][ T5237] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 117.915990][ T5237] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 117.916137][ T5237] gfs2: fsid=syz:syz.0: File system withdrawn [pid 5239] open("./file0", O_RDONLY [pid 5236] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 117.916150][ T5237] CPU: 0 PID: 5237 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 117.916174][ T5237] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 117.928142][ T5239] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5237 [syz-executor171] iterate_dir+0x228/0x570 [ 117.933927][ T5237] Call Trace: [ 117.933936][ T5237] [ 117.933944][ T5237] dump_stack_lvl+0x1e7/0x2d0 [ 117.933977][ T5237] ? nf_tcp_handle_invalid+0x650/0x650 [ 117.940914][ T5239] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5239 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 117.946437][ T5237] ? panic+0x770/0x770 [ 117.946464][ T5237] ? kobject_uevent_env+0x54e/0x8e0 [ 117.946501][ T5237] gfs2_withdraw+0xf48/0x1550 [ 117.946544][ T5237] ? gfs2_lm+0x240/0x240 [ 117.957891][ T5239] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 117.966633][ T5237] ? gfs2_dirent_scan+0xb2/0x640 [ 117.966663][ T5237] ? panic+0x770/0x770 [ 117.966693][ T5237] ? gfs2_consist_inode_i+0xf5/0x110 [ 117.966726][ T5237] gfs2_dirent_scan+0x512/0x640 [ 118.048993][ T5237] ? gfs2_dirent_scan+0x640/0x640 [pid 5236] exit_group(0) = ? [ 118.054035][ T5237] gfs2_dir_read+0x82f/0x1af0 [ 118.058740][ T5237] ? inode_dio_wait+0x2ad/0x340 [ 118.063609][ T5237] ? inode_owner_or_capable+0x1c0/0x1c0 [ 118.069196][ T5237] ? gfs2_dir_hash_inval+0x80/0x80 [ 118.074342][ T5237] ? _raw_spin_unlock+0x28/0x40 [ 118.079201][ T5237] ? gfs2_glock_nq+0xcbf/0x16c0 [ 118.084078][ T5237] ? inode_go_held+0xea/0x200 [ 118.088774][ T5237] ? gfs2_glock_wait+0x21a/0x2b0 [ 118.093721][ T5237] gfs2_readdir+0x14e/0x1b0 [ 118.098241][ T5237] ? __fdget_pos+0x254/0x2f0 [ 118.102834][ T5237] ? gfs2_fallocate+0x490/0x490 [ 118.107700][ T5237] ? iterate_dir+0x228/0x570 [ 118.112307][ T5237] ? __down_read_common+0x184/0x2c0 [ 118.117514][ T5237] ? iterate_dir+0x10e/0x570 [ 118.122133][ T5237] iterate_dir+0x228/0x570 [ 118.126579][ T5237] ? gfs2_fallocate+0x490/0x490 [ 118.131489][ T5237] __se_sys_getdents64+0x20d/0x4f0 [ 118.136632][ T5237] ? _raw_spin_unlock_irq+0x2e/0x50 [ 118.141861][ T5237] ? __x64_sys_getdents64+0x80/0x80 [ 118.147077][ T5237] ? filldir+0x740/0x740 [ 118.151342][ T5237] ? syscall_enter_from_user_mode+0x32/0x230 [ 118.157339][ T5237] ? syscall_enter_from_user_mode+0x8c/0x230 [ 118.163338][ T5237] do_syscall_64+0x41/0xc0 [ 118.167781][ T5237] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 118.173880][ T5237] RIP: 0033:0x7f281a11eab9 [ 118.178312][ T5237] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 118.198025][ T5237] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5239] <... open resumed>) = ? [pid 5237] <... getdents64 resumed> ) = ? [pid 5239] +++ exited with 0 +++ [pid 5237] +++ exited with 0 +++ [pid 5236] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5236, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=37 /* 0.37 s */} --- umount2("./58", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./58", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./58/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./58/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./58/binderfs") = 0 [ 118.206455][ T5237] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 118.214526][ T5237] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 118.222497][ T5237] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 118.230469][ T5237] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 118.238456][ T5237] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 118.246459][ T5237] umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./58/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./58/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./58/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./58/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./58") = 0 mkdir("./59", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5240 ./strace-static-x86_64: Process 5240 attached [pid 5240] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5240] chdir("./59") = 0 [pid 5240] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5240] setpgid(0, 0) = 0 [pid 5240] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5240] write(3, "1000", 4) = 4 [pid 5240] close(3) = 0 [pid 5240] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5240] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5240] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5240] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5240] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5241 attached , parent_tid=[5241], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5241 [pid 5240] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5241] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5240] <... futex resumed>) = 0 [pid 5240] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5241] memfd_create("syzkaller", 0) = 3 [pid 5241] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5241] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5241] munmap(0x7f2811caa000, 16777216) = 0 [pid 5241] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5241] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5241] close(3) = 0 [pid 5241] mkdir("./file0", 0777) = 0 [ 118.619347][ T5241] loop0: detected capacity change from 0 to 32768 [ 118.631844][ T5241] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 118.640168][ T5241] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 118.650260][ T5241] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 118.659203][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 118.666154][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5241] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5241] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5241] chdir("./file0") = 0 [pid 5241] ioctl(4, LOOP_CLR_FD) = 0 [pid 5241] close(4) = 0 [pid 5241] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5240] <... futex resumed>) = 0 [pid 5240] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5240] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5241] <... futex resumed>) = 1 [pid 5241] open(".", O_RDONLY) = 4 [pid 5241] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5240] <... futex resumed>) = 0 [pid 5240] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5240] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5241] <... futex resumed>) = 1 [ 118.702562][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 118.710234][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 118.715583][ T5241] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 118.743869][ T5241] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 118.752656][ T5241] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 118.752656][ T5241] inode = 12 2341 [ 118.752656][ T5241] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 118.771783][ T5241] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 118.780945][ T5241] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5241 [syz-executor171] iterate_dir+0x228/0x570 [pid 5241] getdents64(4, [pid 5240] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5240] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5240] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5240] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5240] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5243 attached [pid 5243] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5240] <... clone resumed>, parent_tid=[5243], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5243 [pid 5243] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 5240] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5243] open("./file0", O_RDONLY [pid 5240] <... futex resumed>) = 0 [pid 5240] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5243] <... open resumed>) = -1 EIO (Input/output error) [pid 5243] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5240] <... futex resumed>) = 0 [ 118.790919][ T5241] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 118.799470][ T5241] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 118.806729][ T5241] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 118.815961][ T5241] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 118.825849][ T5241] gfs2: fsid=syz:syz.0: File system withdrawn [ 118.832164][ T5241] CPU: 0 PID: 5241 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 118.842244][ T5241] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 118.852305][ T5241] Call Trace: [ 118.855596][ T5241] [ 118.858529][ T5241] dump_stack_lvl+0x1e7/0x2d0 [ 118.863239][ T5241] ? nf_tcp_handle_invalid+0x650/0x650 [ 118.868752][ T5241] ? panic+0x770/0x770 [ 118.872847][ T5241] ? kobject_uevent_env+0x54e/0x8e0 [ 118.878077][ T5241] gfs2_withdraw+0xf48/0x1550 [ 118.882792][ T5241] ? gfs2_lm+0x240/0x240 [ 118.887065][ T5241] ? gfs2_dirent_scan+0xb2/0x640 [ 118.892033][ T5241] ? panic+0x770/0x770 [ 118.896126][ T5241] ? gfs2_consist_inode_i+0xf5/0x110 [ 118.901430][ T5241] gfs2_dirent_scan+0x512/0x640 [ 118.906345][ T5241] ? gfs2_dirent_scan+0x640/0x640 [ 118.911429][ T5241] gfs2_dir_read+0x82f/0x1af0 [ 118.916131][ T5241] ? inode_dio_wait+0x2ad/0x340 [ 118.921002][ T5241] ? inode_owner_or_capable+0x1c0/0x1c0 [ 118.926559][ T5241] ? gfs2_dir_hash_inval+0x80/0x80 [ 118.931707][ T5241] ? _raw_spin_unlock+0x28/0x40 [ 118.936567][ T5241] ? gfs2_glock_nq+0xcbf/0x16c0 [ 118.941460][ T5241] ? inode_go_held+0xea/0x200 [ 118.946146][ T5241] ? gfs2_glock_wait+0x21a/0x2b0 [ 118.951093][ T5241] gfs2_readdir+0x14e/0x1b0 [ 118.955617][ T5241] ? __fdget_pos+0x254/0x2f0 [ 118.960215][ T5241] ? gfs2_fallocate+0x490/0x490 [ 118.965077][ T5241] ? iterate_dir+0x228/0x570 [ 118.969673][ T5241] ? __down_read_common+0x184/0x2c0 [ 118.974875][ T5241] ? iterate_dir+0x10e/0x570 [ 118.979477][ T5241] iterate_dir+0x228/0x570 [ 118.983910][ T5241] ? gfs2_fallocate+0x490/0x490 [ 118.988782][ T5241] __se_sys_getdents64+0x20d/0x4f0 [ 118.993900][ T5241] ? _raw_spin_unlock_irq+0x2e/0x50 [ 118.999192][ T5241] ? __x64_sys_getdents64+0x80/0x80 [ 119.004415][ T5241] ? filldir+0x740/0x740 [ 119.008673][ T5241] ? syscall_enter_from_user_mode+0x32/0x230 [ 119.014683][ T5241] ? syscall_enter_from_user_mode+0x8c/0x230 [ 119.020666][ T5241] do_syscall_64+0x41/0xc0 [ 119.025094][ T5241] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 119.030996][ T5241] RIP: 0033:0x7f281a11eab9 [ 119.035426][ T5241] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 119.055050][ T5241] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 119.063469][ T5241] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 119.071456][ T5241] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 119.079442][ T5241] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 119.087435][ T5241] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5243] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5241] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5241] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5241] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5240] exit_group(0 [pid 5241] <... futex resumed>) = ? [pid 5240] <... exit_group resumed>) = ? [pid 5243] <... futex resumed>) = ? [pid 5241] +++ exited with 0 +++ [pid 5243] +++ exited with 0 +++ [pid 5240] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5240, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=28 /* 0.28 s */} --- umount2("./59", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./59", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./59/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./59/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./59/binderfs") = 0 [ 119.095428][ T5241] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 119.103437][ T5241] umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./59/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./59/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./59/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./59/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./59") = 0 mkdir("./60", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5244 ./strace-static-x86_64: Process 5244 attached [pid 5244] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5244] chdir("./60") = 0 [pid 5244] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5244] setpgid(0, 0) = 0 [pid 5244] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5244] write(3, "1000", 4) = 4 [pid 5244] close(3) = 0 [pid 5244] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5244] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5244] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5244] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5245], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5245 [pid 5244] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5245 attached [pid 5245] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5245] memfd_create("syzkaller", 0) = 3 [pid 5245] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5245] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5245] munmap(0x7f2811caa000, 16777216) = 0 [pid 5245] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5245] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5245] close(3) = 0 [pid 5245] mkdir("./file0", 0777) = 0 [ 119.494577][ T5245] loop0: detected capacity change from 0 to 32768 [ 119.505980][ T5245] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 119.514207][ T5245] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 119.524483][ T5245] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 119.533093][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 119.540195][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5245] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5245] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5245] chdir("./file0") = 0 [pid 5245] ioctl(4, LOOP_CLR_FD) = 0 [pid 5245] close(4) = 0 [pid 5245] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5244] <... futex resumed>) = 0 [pid 5244] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5245] <... futex resumed>) = 1 [pid 5245] open(".", O_RDONLY) = 4 [pid 5245] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5244] <... futex resumed>) = 0 [pid 5244] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5245] <... futex resumed>) = 1 [ 119.581548][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 119.590346][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 119.595909][ T5245] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 119.625439][ T5245] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 119.634815][ T5245] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 119.634815][ T5245] inode = 12 2341 [ 119.634815][ T5245] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 119.654239][ T5245] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 119.663886][ T5245] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5245 [syz-executor171] iterate_dir+0x228/0x570 [pid 5245] getdents64(4, [pid 5244] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5244] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5244] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5244] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5247], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5247 [pid 5244] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5244] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5247 attached [pid 5247] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5247] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5247] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5244] <... futex resumed>) = 0 [pid 5247] <... futex resumed>) = 1 [ 119.674155][ T5245] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 119.682683][ T5245] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 119.690336][ T5245] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 119.699409][ T5245] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 119.706225][ T5245] gfs2: fsid=syz:syz.0: File system withdrawn [ 119.712320][ T5245] CPU: 1 PID: 5245 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 119.722416][ T5245] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 119.732488][ T5245] Call Trace: [ 119.735790][ T5245] [ 119.738749][ T5245] dump_stack_lvl+0x1e7/0x2d0 [ 119.743461][ T5245] ? nf_tcp_handle_invalid+0x650/0x650 [ 119.748937][ T5245] ? panic+0x770/0x770 [ 119.753030][ T5245] ? kobject_uevent_env+0x54e/0x8e0 [ 119.758261][ T5245] gfs2_withdraw+0xf48/0x1550 [ 119.762986][ T5245] ? gfs2_lm+0x240/0x240 [ 119.767250][ T5245] ? gfs2_dirent_scan+0xb2/0x640 [ 119.772192][ T5245] ? panic+0x770/0x770 [ 119.776285][ T5245] ? gfs2_consist_inode_i+0xf5/0x110 [ 119.781604][ T5245] gfs2_dirent_scan+0x512/0x640 [ 119.786462][ T5245] ? gfs2_dirent_scan+0x640/0x640 [ 119.791494][ T5245] gfs2_dir_read+0x82f/0x1af0 [ 119.796185][ T5245] ? inode_dio_wait+0x2ad/0x340 [ 119.801054][ T5245] ? inode_owner_or_capable+0x1c0/0x1c0 [ 119.806616][ T5245] ? gfs2_dir_hash_inval+0x80/0x80 [ 119.811732][ T5245] ? _raw_spin_unlock+0x28/0x40 [ 119.816615][ T5245] ? gfs2_glock_nq+0xcbf/0x16c0 [ 119.821496][ T5245] ? inode_go_held+0xea/0x200 [pid 5247] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5244] exit_group(0 [pid 5247] <... futex resumed>) = ? [pid 5244] <... exit_group resumed>) = ? [pid 5247] +++ exited with 0 +++ [ 119.826201][ T5245] ? gfs2_glock_wait+0x21a/0x2b0 [ 119.831177][ T5245] gfs2_readdir+0x14e/0x1b0 [ 119.835732][ T5245] ? __fdget_pos+0x254/0x2f0 [ 119.840364][ T5245] ? gfs2_fallocate+0x490/0x490 [ 119.845223][ T5245] ? iterate_dir+0x228/0x570 [ 119.849813][ T5245] ? __down_read_common+0x184/0x2c0 [ 119.855013][ T5245] ? iterate_dir+0x10e/0x570 [ 119.859608][ T5245] iterate_dir+0x228/0x570 [ 119.864034][ T5245] ? gfs2_fallocate+0x490/0x490 [ 119.868902][ T5245] __se_sys_getdents64+0x20d/0x4f0 [ 119.874012][ T5245] ? _raw_spin_unlock_irq+0x2e/0x50 [ 119.879227][ T5245] ? __x64_sys_getdents64+0x80/0x80 [ 119.884451][ T5245] ? filldir+0x740/0x740 [ 119.888751][ T5245] ? syscall_enter_from_user_mode+0x32/0x230 [ 119.894761][ T5245] ? syscall_enter_from_user_mode+0x8c/0x230 [ 119.900754][ T5245] do_syscall_64+0x41/0xc0 [ 119.905185][ T5245] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 119.911117][ T5245] RIP: 0033:0x7f281a11eab9 [ 119.915544][ T5245] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 119.935164][ T5245] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 119.943577][ T5245] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 119.951550][ T5245] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 119.959528][ T5245] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 119.967517][ T5245] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5245] <... getdents64 resumed> ) = ? [pid 5245] +++ exited with 0 +++ [pid 5244] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5244, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=28 /* 0.28 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./60", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./60", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./60/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./60/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./60/binderfs") = 0 [ 119.975508][ T5245] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 119.983493][ T5245] umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./60/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./60/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./60/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./60/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./60") = 0 mkdir("./61", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5248 ./strace-static-x86_64: Process 5248 attached [pid 5248] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5248] chdir("./61") = 0 [pid 5248] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5248] setpgid(0, 0) = 0 [pid 5248] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5248] write(3, "1000", 4) = 4 [pid 5248] close(3) = 0 [pid 5248] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5248] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5248] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5248] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5248] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5249], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5249 [pid 5248] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5248] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5249 attached [pid 5249] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5249] memfd_create("syzkaller", 0) = 3 [pid 5249] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5249] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5249] munmap(0x7f2811caa000, 16777216) = 0 [pid 5249] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5249] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5249] close(3) = 0 [pid 5249] mkdir("./file0", 0777) = 0 [ 120.344174][ T5249] loop0: detected capacity change from 0 to 32768 [ 120.354987][ T5249] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 120.363390][ T5249] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 120.372395][ T5249] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 120.381333][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 120.388431][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5249] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5249] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5249] chdir("./file0") = 0 [pid 5249] ioctl(4, LOOP_CLR_FD) = 0 [pid 5249] close(4) = 0 [pid 5249] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5249] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5248] <... futex resumed>) = 0 [pid 5248] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5248] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5249] <... futex resumed>) = 0 [pid 5249] open(".", O_RDONLY) = 4 [pid 5249] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5248] <... futex resumed>) = 0 [pid 5248] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5248] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5249] <... futex resumed>) = 1 [ 120.429982][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 120.439488][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 120.444997][ T5249] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 120.462728][ T5249] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 120.471476][ T5249] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5249] getdents64(4, [pid 5248] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 120.471476][ T5249] inode = 12 2341 [ 120.471476][ T5249] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 120.490334][ T5249] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 120.499494][ T5249] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5249 [syz-executor171] iterate_dir+0x228/0x570 [ 120.509679][ T5249] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 120.518321][ T5249] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5248] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5248] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [ 120.525837][ T5249] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 120.534928][ T5249] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 120.541841][ T5249] gfs2: fsid=syz:syz.0: File system withdrawn [ 120.548575][ T5249] CPU: 0 PID: 5249 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 120.558677][ T5249] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 120.568747][ T5249] Call Trace: [ 120.572039][ T5249] [ 120.574973][ T5249] dump_stack_lvl+0x1e7/0x2d0 [pid 5248] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5248] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5251], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5251 [pid 5248] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5248] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5251 attached [pid 5251] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5251] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5251] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5248] <... futex resumed>) = 0 [ 120.579665][ T5249] ? nf_tcp_handle_invalid+0x650/0x650 [ 120.585149][ T5249] ? panic+0x770/0x770 [ 120.589277][ T5249] ? kobject_uevent_env+0x54e/0x8e0 [ 120.594514][ T5249] gfs2_withdraw+0xf48/0x1550 [ 120.599243][ T5249] ? gfs2_lm+0x240/0x240 [ 120.603506][ T5249] ? gfs2_dirent_scan+0xb2/0x640 [ 120.608485][ T5249] ? panic+0x770/0x770 [ 120.612585][ T5249] ? gfs2_consist_inode_i+0xf5/0x110 [ 120.617897][ T5249] gfs2_dirent_scan+0x512/0x640 [ 120.622791][ T5249] ? gfs2_dirent_scan+0x640/0x640 [ 120.627850][ T5249] gfs2_dir_read+0x82f/0x1af0 [ 120.632542][ T5249] ? inode_dio_wait+0x2ad/0x340 [ 120.637412][ T5249] ? inode_owner_or_capable+0x1c0/0x1c0 [ 120.642974][ T5249] ? gfs2_dir_hash_inval+0x80/0x80 [ 120.648104][ T5249] ? _raw_spin_unlock+0x28/0x40 [ 120.652983][ T5249] ? gfs2_glock_nq+0xcbf/0x16c0 [ 120.657858][ T5249] ? inode_go_held+0xea/0x200 [ 120.662565][ T5249] ? gfs2_glock_wait+0x21a/0x2b0 [ 120.667528][ T5249] gfs2_readdir+0x14e/0x1b0 [ 120.672074][ T5249] ? __fdget_pos+0x254/0x2f0 [ 120.676689][ T5249] ? gfs2_fallocate+0x490/0x490 [ 120.681558][ T5249] ? iterate_dir+0x228/0x570 [ 120.686165][ T5249] ? __down_read_common+0x184/0x2c0 [ 120.691373][ T5249] ? iterate_dir+0x10e/0x570 [ 120.695986][ T5249] iterate_dir+0x228/0x570 [ 120.700419][ T5249] ? gfs2_fallocate+0x490/0x490 [ 120.705288][ T5249] __se_sys_getdents64+0x20d/0x4f0 [ 120.710414][ T5249] ? _raw_spin_unlock_irq+0x2e/0x50 [ 120.715628][ T5249] ? __x64_sys_getdents64+0x80/0x80 [ 120.720842][ T5249] ? filldir+0x740/0x740 [ 120.725105][ T5249] ? syscall_enter_from_user_mode+0x32/0x230 [ 120.731097][ T5249] ? syscall_enter_from_user_mode+0x8c/0x230 [ 120.737090][ T5249] do_syscall_64+0x41/0xc0 [ 120.741528][ T5249] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 120.747551][ T5249] RIP: 0033:0x7f281a11eab9 [ 120.751973][ T5249] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 120.771605][ T5249] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5251] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5249] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5249] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5249] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5248] exit_group(0 [pid 5249] <... futex resumed>) = ? [pid 5248] <... exit_group resumed>) = ? [pid 5251] <... futex resumed>) = ? [pid 5249] +++ exited with 0 +++ [pid 5251] +++ exited with 0 +++ [pid 5248] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5248, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./61", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./61", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./61/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./61/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./61/binderfs") = 0 [ 120.780046][ T5249] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 120.788022][ T5249] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 120.795999][ T5249] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 120.803990][ T5249] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 120.811970][ T5249] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 120.819971][ T5249] umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./61/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./61/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./61/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./61/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./61") = 0 mkdir("./62", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5252 ./strace-static-x86_64: Process 5252 attached [pid 5252] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5252] chdir("./62") = 0 [pid 5252] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5252] setpgid(0, 0) = 0 [pid 5252] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5252] write(3, "1000", 4) = 4 [pid 5252] close(3) = 0 [pid 5252] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5252] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5252] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5252] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5252] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5253 attached [pid 5253] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5253] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5252] <... clone resumed>, parent_tid=[5253], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5253 [pid 5252] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5253] <... futex resumed>) = 0 [pid 5252] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5253] memfd_create("syzkaller", 0) = 3 [pid 5253] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5253] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5253] munmap(0x7f2811caa000, 16777216) = 0 [pid 5253] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5253] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5253] close(3) = 0 [pid 5253] mkdir("./file0", 0777) = 0 [ 121.181764][ T5253] loop0: detected capacity change from 0 to 32768 [ 121.192367][ T5253] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 121.200601][ T5253] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 121.210781][ T5253] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 121.219719][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 121.226846][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5253] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5253] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5253] chdir("./file0") = 0 [pid 5253] ioctl(4, LOOP_CLR_FD) = 0 [pid 5253] close(4) = 0 [pid 5253] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5252] <... futex resumed>) = 0 [pid 5252] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5252] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5253] <... futex resumed>) = 1 [pid 5253] open(".", O_RDONLY) = 4 [pid 5253] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5252] <... futex resumed>) = 0 [pid 5252] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5252] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5253] <... futex resumed>) = 1 [ 121.263373][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 121.271803][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 121.277381][ T5253] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 121.300139][ T5253] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5253] getdents64(4, [pid 5252] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 121.309239][ T5253] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 121.309239][ T5253] inode = 12 2341 [ 121.309239][ T5253] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 121.328964][ T5253] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 121.338402][ T5253] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5253 [syz-executor171] iterate_dir+0x228/0x570 [ 121.348581][ T5253] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5252] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5252] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5252] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5252] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5255], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5255 [pid 5252] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5252] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5255 attached [pid 5255] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5255] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5255] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5252] <... futex resumed>) = 0 [ 121.357610][ T5253] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 121.365271][ T5253] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 121.374582][ T5253] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 121.381426][ T5253] gfs2: fsid=syz:syz.0: File system withdrawn [ 121.387879][ T5253] CPU: 0 PID: 5253 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 121.397974][ T5253] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 121.408047][ T5253] Call Trace: [ 121.411359][ T5253] [ 121.414298][ T5253] dump_stack_lvl+0x1e7/0x2d0 [ 121.418988][ T5253] ? nf_tcp_handle_invalid+0x650/0x650 [ 121.424464][ T5253] ? panic+0x770/0x770 [ 121.428538][ T5253] ? kobject_uevent_env+0x54e/0x8e0 [ 121.433763][ T5253] gfs2_withdraw+0xf48/0x1550 [ 121.438478][ T5253] ? gfs2_lm+0x240/0x240 [ 121.442736][ T5253] ? gfs2_dirent_scan+0xb2/0x640 [ 121.447700][ T5253] ? panic+0x770/0x770 [ 121.451785][ T5253] ? gfs2_consist_inode_i+0xf5/0x110 [ 121.457085][ T5253] gfs2_dirent_scan+0x512/0x640 [ 121.461962][ T5253] ? gfs2_dirent_scan+0x640/0x640 [ 121.466997][ T5253] gfs2_dir_read+0x82f/0x1af0 [ 121.471702][ T5253] ? inode_dio_wait+0x2ad/0x340 [ 121.476582][ T5253] ? inode_owner_or_capable+0x1c0/0x1c0 [ 121.482145][ T5253] ? gfs2_dir_hash_inval+0x80/0x80 [ 121.487265][ T5253] ? _raw_spin_unlock+0x28/0x40 [ 121.492119][ T5253] ? gfs2_glock_nq+0xcbf/0x16c0 [ 121.497006][ T5253] ? inode_go_held+0xea/0x200 [ 121.501696][ T5253] ? gfs2_glock_wait+0x21a/0x2b0 [ 121.506644][ T5253] gfs2_readdir+0x14e/0x1b0 [ 121.511169][ T5253] ? __fdget_pos+0x254/0x2f0 [ 121.515766][ T5253] ? gfs2_fallocate+0x490/0x490 [ 121.520635][ T5253] ? iterate_dir+0x228/0x570 [ 121.525234][ T5253] ? __down_read_common+0x184/0x2c0 [ 121.530438][ T5253] ? iterate_dir+0x10e/0x570 [ 121.535045][ T5253] iterate_dir+0x228/0x570 [ 121.539478][ T5253] ? gfs2_fallocate+0x490/0x490 [ 121.544364][ T5253] __se_sys_getdents64+0x20d/0x4f0 [ 121.549494][ T5253] ? _raw_spin_unlock_irq+0x2e/0x50 [ 121.554712][ T5253] ? __x64_sys_getdents64+0x80/0x80 [ 121.559924][ T5253] ? filldir+0x740/0x740 [ 121.564190][ T5253] ? syscall_enter_from_user_mode+0x32/0x230 [ 121.570186][ T5253] ? syscall_enter_from_user_mode+0x8c/0x230 [ 121.576179][ T5253] do_syscall_64+0x41/0xc0 [ 121.580626][ T5253] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 121.586526][ T5253] RIP: 0033:0x7f281a11eab9 [ 121.590948][ T5253] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5255] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5253] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5253] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5252] exit_group(0 [pid 5255] <... futex resumed>) = ? [pid 5252] <... exit_group resumed>) = ? [pid 5255] +++ exited with 0 +++ [pid 5253] +++ exited with 0 +++ [pid 5252] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5252, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=36 /* 0.36 s */} --- umount2("./62", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./62", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./62/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./62/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./62/binderfs") = 0 [ 121.610565][ T5253] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 121.619019][ T5253] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 121.626993][ T5253] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 121.634966][ T5253] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 121.642943][ T5253] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 121.650917][ T5253] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 121.658906][ T5253] umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./62/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./62/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./62/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./62/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./62") = 0 mkdir("./63", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5256 ./strace-static-x86_64: Process 5256 attached [pid 5256] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5256] chdir("./63") = 0 [pid 5256] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5256] setpgid(0, 0) = 0 [pid 5256] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5256] write(3, "1000", 4) = 4 [pid 5256] close(3) = 0 [pid 5256] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5256] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5256] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5256] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5256] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5257], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5257 ./strace-static-x86_64: Process 5257 attached [pid 5256] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5256] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5257] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5257] memfd_create("syzkaller", 0) = 3 [pid 5257] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5257] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5257] munmap(0x7f2811caa000, 16777216) = 0 [pid 5257] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5257] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5257] close(3) = 0 [pid 5257] mkdir("./file0", 0777) = 0 [ 122.028579][ T5257] loop0: detected capacity change from 0 to 32768 [ 122.040162][ T5257] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 122.048672][ T5257] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 122.058112][ T5257] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 122.066860][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 122.073865][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5257] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5257] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5257] chdir("./file0") = 0 [pid 5257] ioctl(4, LOOP_CLR_FD) = 0 [pid 5257] close(4) = 0 [pid 5257] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5256] <... futex resumed>) = 0 [pid 5257] open(".", O_RDONLY [pid 5256] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5257] <... open resumed>) = 4 [pid 5256] <... futex resumed>) = 0 [pid 5257] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5256] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5257] <... futex resumed>) = 0 [pid 5256] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5257] getdents64(4, [pid 5256] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 122.113758][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 122.121939][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 122.127245][ T5257] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 122.142152][ T5257] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 122.150942][ T5257] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 122.150942][ T5257] inode = 12 2341 [pid 5256] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 122.150942][ T5257] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 122.170076][ T5257] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 122.179361][ T5257] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5257 [syz-executor171] iterate_dir+0x228/0x570 [ 122.189374][ T5257] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 122.197883][ T5257] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 122.205210][ T5257] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5256] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5256] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5256] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5256] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5259], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5259 [pid 5256] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5256] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5259 attached [pid 5259] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5259] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5259] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5256] <... futex resumed>) = 0 [ 122.214251][ T5257] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 122.221078][ T5257] gfs2: fsid=syz:syz.0: File system withdrawn [ 122.227494][ T5257] CPU: 0 PID: 5257 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 122.237792][ T5257] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 122.247855][ T5257] Call Trace: [ 122.251146][ T5257] [ 122.254081][ T5257] dump_stack_lvl+0x1e7/0x2d0 [ 122.258783][ T5257] ? nf_tcp_handle_invalid+0x650/0x650 [ 122.264343][ T5257] ? panic+0x770/0x770 [ 122.268435][ T5257] ? kobject_uevent_env+0x54e/0x8e0 [ 122.273655][ T5257] gfs2_withdraw+0xf48/0x1550 [ 122.278358][ T5257] ? gfs2_lm+0x240/0x240 [ 122.282619][ T5257] ? gfs2_dirent_scan+0xb2/0x640 [ 122.287589][ T5257] ? panic+0x770/0x770 [ 122.291698][ T5257] ? gfs2_consist_inode_i+0xf5/0x110 [ 122.296999][ T5257] gfs2_dirent_scan+0x512/0x640 [ 122.301862][ T5257] ? gfs2_dirent_scan+0x640/0x640 [ 122.306895][ T5257] gfs2_dir_read+0x82f/0x1af0 [ 122.311596][ T5257] ? inode_dio_wait+0x2ad/0x340 [ 122.316571][ T5257] ? inode_owner_or_capable+0x1c0/0x1c0 [ 122.322168][ T5257] ? gfs2_dir_hash_inval+0x80/0x80 [ 122.327311][ T5257] ? _raw_spin_unlock+0x28/0x40 [ 122.332175][ T5257] ? gfs2_glock_nq+0xcbf/0x16c0 [ 122.337143][ T5257] ? inode_go_held+0xea/0x200 [ 122.342183][ T5257] ? gfs2_glock_wait+0x21a/0x2b0 [ 122.347144][ T5257] gfs2_readdir+0x14e/0x1b0 [ 122.351668][ T5257] ? __fdget_pos+0x254/0x2f0 [ 122.356270][ T5257] ? gfs2_fallocate+0x490/0x490 [ 122.361135][ T5257] ? iterate_dir+0x228/0x570 [ 122.365738][ T5257] ? __down_read_common+0x184/0x2c0 [ 122.370947][ T5257] ? iterate_dir+0x10e/0x570 [ 122.375578][ T5257] iterate_dir+0x228/0x570 [ 122.380013][ T5257] ? gfs2_fallocate+0x490/0x490 [ 122.384880][ T5257] __se_sys_getdents64+0x20d/0x4f0 [ 122.390012][ T5257] ? _raw_spin_unlock_irq+0x2e/0x50 [ 122.395233][ T5257] ? __x64_sys_getdents64+0x80/0x80 [ 122.400458][ T5257] ? filldir+0x740/0x740 [ 122.404714][ T5257] ? syscall_enter_from_user_mode+0x32/0x230 [ 122.410704][ T5257] ? syscall_enter_from_user_mode+0x8c/0x230 [ 122.416700][ T5257] do_syscall_64+0x41/0xc0 [ 122.421126][ T5257] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 122.427119][ T5257] RIP: 0033:0x7f281a11eab9 [ 122.431536][ T5257] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 122.451178][ T5257] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5259] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5257] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5257] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5256] exit_group(0 [pid 5257] <... futex resumed>) = ? [pid 5256] <... exit_group resumed>) = ? [pid 5257] +++ exited with 0 +++ [pid 5259] <... futex resumed>) = ? [pid 5259] +++ exited with 0 +++ [pid 5256] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5256, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=33 /* 0.33 s */} --- umount2("./63", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./63", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./63/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./63/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./63/binderfs") = 0 [ 122.459597][ T5257] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 122.467586][ T5257] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 122.475563][ T5257] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 122.483536][ T5257] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 122.491509][ T5257] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 122.499492][ T5257] umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./63/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./63/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./63/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./63/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./63") = 0 mkdir("./64", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5260 ./strace-static-x86_64: Process 5260 attached [pid 5260] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5260] chdir("./64") = 0 [pid 5260] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5260] setpgid(0, 0) = 0 [pid 5260] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5260] write(3, "1000", 4) = 4 [pid 5260] close(3) = 0 [pid 5260] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5260] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5260] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5260] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5260] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5261 attached [pid 5261] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5261] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5260] <... clone resumed>, parent_tid=[5261], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5261 [pid 5260] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5261] <... futex resumed>) = 0 [pid 5260] <... futex resumed>) = 1 [pid 5260] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5261] memfd_create("syzkaller", 0) = 3 [pid 5261] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5261] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5261] munmap(0x7f2811caa000, 16777216) = 0 [pid 5261] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5261] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5261] close(3) = 0 [pid 5261] mkdir("./file0", 0777) = 0 [ 122.891725][ T5261] loop0: detected capacity change from 0 to 32768 [ 122.902364][ T5261] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 122.910920][ T5261] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 122.921117][ T5261] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 122.929985][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 122.937025][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5261] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5261] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5261] chdir("./file0") = 0 [pid 5261] ioctl(4, LOOP_CLR_FD) = 0 [pid 5261] close(4) = 0 [pid 5261] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5260] <... futex resumed>) = 0 [pid 5261] open(".", O_RDONLY [pid 5260] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5261] <... open resumed>) = 4 [pid 5260] <... futex resumed>) = 0 [pid 5261] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5260] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5261] <... futex resumed>) = 0 [pid 5260] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5261] getdents64(4, [pid 5260] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 122.976432][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 122.984105][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 122.989348][ T5261] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 123.005621][ T5261] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 123.014432][ T5261] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 123.014432][ T5261] inode = 12 2341 [pid 5260] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5260] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5260] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5260] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5260] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5260] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5263], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5263 [pid 5260] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5260] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5263 attached [pid 5263] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 123.014432][ T5261] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 123.033767][ T5261] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 123.042859][ T5261] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5261 [syz-executor171] iterate_dir+0x228/0x570 [ 123.053399][ T5261] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 123.061864][ T5261] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5263] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5263] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5260] <... futex resumed>) = 0 [pid 5263] <... futex resumed>) = 1 [ 123.069662][ T5261] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 123.079000][ T5261] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 123.087355][ T5261] gfs2: fsid=syz:syz.0: File system withdrawn [ 123.093667][ T5261] CPU: 1 PID: 5261 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 123.103765][ T5261] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 123.113836][ T5261] Call Trace: [ 123.117124][ T5261] [ 123.120073][ T5261] dump_stack_lvl+0x1e7/0x2d0 [ 123.124892][ T5261] ? nf_tcp_handle_invalid+0x650/0x650 [ 123.130369][ T5261] ? panic+0x770/0x770 [ 123.134454][ T5261] ? kobject_uevent_env+0x54e/0x8e0 [ 123.139682][ T5261] gfs2_withdraw+0xf48/0x1550 [ 123.144428][ T5261] ? gfs2_lm+0x240/0x240 [ 123.148708][ T5261] ? gfs2_dirent_scan+0xb2/0x640 [ 123.153648][ T5261] ? panic+0x770/0x770 [ 123.157723][ T5261] ? gfs2_consist_inode_i+0xf5/0x110 [ 123.163051][ T5261] gfs2_dirent_scan+0x512/0x640 [ 123.167915][ T5261] ? gfs2_dirent_scan+0x640/0x640 [ 123.172959][ T5261] gfs2_dir_read+0x82f/0x1af0 [ 123.177663][ T5261] ? inode_dio_wait+0x2ad/0x340 [ 123.182545][ T5261] ? inode_owner_or_capable+0x1c0/0x1c0 [ 123.188129][ T5261] ? gfs2_dir_hash_inval+0x80/0x80 [ 123.193273][ T5261] ? _raw_spin_unlock+0x28/0x40 [ 123.198138][ T5261] ? gfs2_glock_nq+0xcbf/0x16c0 [ 123.203007][ T5261] ? inode_go_held+0xea/0x200 [ 123.207689][ T5261] ? gfs2_glock_wait+0x21a/0x2b0 [ 123.212641][ T5261] gfs2_readdir+0x14e/0x1b0 [ 123.217165][ T5261] ? __fdget_pos+0x254/0x2f0 [ 123.221777][ T5261] ? gfs2_fallocate+0x490/0x490 [ 123.226642][ T5261] ? iterate_dir+0x228/0x570 [ 123.231274][ T5261] ? __down_read_common+0x184/0x2c0 [ 123.236482][ T5261] ? iterate_dir+0x10e/0x570 [ 123.241084][ T5261] iterate_dir+0x228/0x570 [ 123.245509][ T5261] ? gfs2_fallocate+0x490/0x490 [ 123.250371][ T5261] __se_sys_getdents64+0x20d/0x4f0 [ 123.255499][ T5261] ? _raw_spin_unlock_irq+0x2e/0x50 [ 123.260706][ T5261] ? __x64_sys_getdents64+0x80/0x80 [ 123.265915][ T5261] ? filldir+0x740/0x740 [ 123.270176][ T5261] ? syscall_enter_from_user_mode+0x32/0x230 [ 123.276175][ T5261] ? syscall_enter_from_user_mode+0x8c/0x230 [ 123.282172][ T5261] do_syscall_64+0x41/0xc0 [ 123.286605][ T5261] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 123.292503][ T5261] RIP: 0033:0x7f281a11eab9 [ 123.296935][ T5261] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 123.316545][ T5261] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5263] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5261] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5261] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5261] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5260] exit_group(0 [pid 5263] <... futex resumed>) = ? [pid 5260] <... exit_group resumed>) = ? [pid 5263] +++ exited with 0 +++ [pid 5261] <... futex resumed>) = ? [pid 5261] +++ exited with 0 +++ [pid 5260] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5260, si_uid=0, si_status=0, si_utime=0, si_stime=39 /* 0.39 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./64", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./64", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./64/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./64/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./64/binderfs") = 0 [ 123.324988][ T5261] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 123.332969][ T5261] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 123.340951][ T5261] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 123.348942][ T5261] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 123.356941][ T5261] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 123.364973][ T5261] umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./64/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./64/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./64/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./64/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./64") = 0 mkdir("./65", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5264 ./strace-static-x86_64: Process 5264 attached [pid 5264] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5264] chdir("./65") = 0 [pid 5264] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5264] setpgid(0, 0) = 0 [pid 5264] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5264] write(3, "1000", 4) = 4 [pid 5264] close(3) = 0 [pid 5264] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5264] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5264] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5264] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5264] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5265], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5265 [pid 5264] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 5265 attached [pid 5264] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5265] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5265] memfd_create("syzkaller", 0) = 3 [pid 5265] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5265] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5265] munmap(0x7f2811caa000, 16777216) = 0 [pid 5265] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5265] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5265] close(3) = 0 [pid 5265] mkdir("./file0", 0777) = 0 [ 123.719146][ T5265] loop0: detected capacity change from 0 to 32768 [ 123.732589][ T5265] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 123.740908][ T5265] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 123.750464][ T5265] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 123.758918][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 123.765875][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5265] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5265] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5265] chdir("./file0") = 0 [pid 5265] ioctl(4, LOOP_CLR_FD) = 0 [pid 5265] close(4) = 0 [pid 5265] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5264] <... futex resumed>) = 0 [pid 5265] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5264] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5265] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5264] <... futex resumed>) = 0 [pid 5265] open(".", O_RDONLY [pid 5264] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5265] <... open resumed>) = 4 [pid 5265] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5264] <... futex resumed>) = 0 [pid 5265] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5264] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5265] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5264] <... futex resumed>) = 0 [pid 5265] getdents64(4, [ 123.803940][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 123.811444][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 123.816836][ T5265] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 123.841859][ T5265] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5264] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 123.850401][ T5265] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 123.850401][ T5265] inode = 12 2341 [ 123.850401][ T5265] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 123.869494][ T5265] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 123.879014][ T5265] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5265 [syz-executor171] iterate_dir+0x228/0x570 [ 123.889186][ T5265] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5264] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5264] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5264] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5264] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5267], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5267 [pid 5264] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5264] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5267 attached [pid 5267] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5267] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5267] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5264] <... futex resumed>) = 0 [ 123.898189][ T5265] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 123.906021][ T5265] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 123.915179][ T5265] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 123.922086][ T5265] gfs2: fsid=syz:syz.0: File system withdrawn [ 123.928792][ T5265] CPU: 0 PID: 5265 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 123.938875][ T5265] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 123.948934][ T5265] Call Trace: [ 123.952221][ T5265] [ 123.955194][ T5265] dump_stack_lvl+0x1e7/0x2d0 [ 123.959894][ T5265] ? nf_tcp_handle_invalid+0x650/0x650 [ 123.965383][ T5265] ? panic+0x770/0x770 [ 123.969478][ T5265] ? kobject_uevent_env+0x54e/0x8e0 [ 123.974711][ T5265] gfs2_withdraw+0xf48/0x1550 [ 123.979438][ T5265] ? gfs2_lm+0x240/0x240 [ 123.983707][ T5265] ? gfs2_dirent_scan+0xb2/0x640 [ 123.988669][ T5265] ? panic+0x770/0x770 [ 123.992771][ T5265] ? gfs2_consist_inode_i+0xf5/0x110 [ 123.998072][ T5265] gfs2_dirent_scan+0x512/0x640 [ 124.002930][ T5265] ? gfs2_dirent_scan+0x640/0x640 [ 124.007974][ T5265] gfs2_dir_read+0x82f/0x1af0 [ 124.012679][ T5265] ? inode_dio_wait+0x2ad/0x340 [ 124.017555][ T5265] ? inode_owner_or_capable+0x1c0/0x1c0 [ 124.023131][ T5265] ? gfs2_dir_hash_inval+0x80/0x80 [ 124.028265][ T5265] ? _raw_spin_unlock+0x28/0x40 [ 124.033127][ T5265] ? gfs2_glock_nq+0xcbf/0x16c0 [ 124.038027][ T5265] ? inode_go_held+0xea/0x200 [ 124.042729][ T5265] ? gfs2_glock_wait+0x21a/0x2b0 [ 124.047692][ T5265] gfs2_readdir+0x14e/0x1b0 [pid 5267] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [ 124.052239][ T5265] ? __fdget_pos+0x254/0x2f0 [ 124.056853][ T5265] ? gfs2_fallocate+0x490/0x490 [ 124.061713][ T5265] ? iterate_dir+0x228/0x570 [ 124.066313][ T5265] ? __down_read_common+0x184/0x2c0 [ 124.071535][ T5265] ? iterate_dir+0x10e/0x570 [ 124.076160][ T5265] iterate_dir+0x228/0x570 [ 124.080609][ T5265] ? gfs2_fallocate+0x490/0x490 [ 124.085469][ T5265] __se_sys_getdents64+0x20d/0x4f0 [ 124.090810][ T5265] ? _raw_spin_unlock_irq+0x2e/0x50 [ 124.096018][ T5265] ? __x64_sys_getdents64+0x80/0x80 [ 124.101245][ T5265] ? filldir+0x740/0x740 [ 124.105588][ T5265] ? syscall_enter_from_user_mode+0x32/0x230 [ 124.111573][ T5265] ? syscall_enter_from_user_mode+0x8c/0x230 [ 124.117630][ T5265] do_syscall_64+0x41/0xc0 [ 124.122079][ T5265] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 124.127977][ T5265] RIP: 0033:0x7f281a11eab9 [ 124.132395][ T5265] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5264] exit_group(0 [pid 5267] <... futex resumed>) = ? [pid 5264] <... exit_group resumed>) = ? [pid 5267] +++ exited with 0 +++ [pid 5265] <... getdents64 resumed> ) = ? [pid 5265] +++ exited with 0 +++ [pid 5264] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5264, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./65", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./65", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./65/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./65/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./65/binderfs") = 0 [ 124.152018][ T5265] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 124.160457][ T5265] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 124.168433][ T5265] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 124.176437][ T5265] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 124.184421][ T5265] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 124.192415][ T5265] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 124.200436][ T5265] umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./65/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./65/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./65/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./65/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./65") = 0 mkdir("./66", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5268 ./strace-static-x86_64: Process 5268 attached [pid 5268] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5268] chdir("./66") = 0 [pid 5268] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5268] setpgid(0, 0) = 0 [pid 5268] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5268] write(3, "1000", 4) = 4 [pid 5268] close(3) = 0 [pid 5268] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5268] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5268] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5268] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5268] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5269], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5269 [pid 5268] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5268] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5269 attached [pid 5269] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5269] memfd_create("syzkaller", 0) = 3 [pid 5269] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5269] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5269] munmap(0x7f2811caa000, 16777216) = 0 [pid 5269] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5269] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5269] close(3) = 0 [pid 5269] mkdir("./file0", 0777) = 0 [ 124.559486][ T5269] loop0: detected capacity change from 0 to 32768 [ 124.572117][ T5269] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 124.580615][ T5269] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 124.591117][ T5269] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 124.600056][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 124.607275][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5269] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5269] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5269] chdir("./file0") = 0 [pid 5269] ioctl(4, LOOP_CLR_FD) = 0 [pid 5269] close(4) = 0 [pid 5269] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5268] <... futex resumed>) = 0 [pid 5268] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5269] open(".", O_RDONLY [pid 5268] <... futex resumed>) = 0 [pid 5268] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5269] <... open resumed>) = 4 [pid 5269] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5268] <... futex resumed>) = 0 [pid 5268] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5268] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 124.653672][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 124.663037][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 124.668737][ T5269] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5269] getdents64(4, [pid 5268] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5268] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 124.707584][ T5269] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 124.716132][ T5269] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 124.716132][ T5269] inode = 12 2341 [ 124.716132][ T5269] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 124.734860][ T5269] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 124.744260][ T5269] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5269 [syz-executor171] iterate_dir+0x228/0x570 [pid 5268] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5268] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5268] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5271], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5271 [pid 5268] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5268] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5271 attached [pid 5271] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 124.754596][ T5269] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 124.762198][ T5271] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 124.763659][ T5269] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 124.771637][ T5271] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 124.787836][ T5269] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 124.788457][ T5271] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5269 [syz-executor171] iterate_dir+0x228/0x570 [pid 5271] open("./file0", O_RDONLY [pid 5268] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 124.806658][ T5269] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 124.806943][ T5271] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5271 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 124.815736][ T5269] gfs2: fsid=syz:syz.0: File system withdrawn [ 124.824132][ T5271] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 124.829361][ T5269] CPU: 0 PID: 5269 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 124.847637][ T5269] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 124.857698][ T5269] Call Trace: [ 124.860977][ T5269] [ 124.863902][ T5269] dump_stack_lvl+0x1e7/0x2d0 [ 124.868611][ T5269] ? nf_tcp_handle_invalid+0x650/0x650 [ 124.874095][ T5269] ? panic+0x770/0x770 [ 124.878168][ T5269] ? kobject_uevent_env+0x54e/0x8e0 [ 124.883382][ T5269] gfs2_withdraw+0xf48/0x1550 [ 124.888111][ T5269] ? gfs2_lm+0x240/0x240 [ 124.892568][ T5269] ? gfs2_dirent_scan+0xb2/0x640 [ 124.897528][ T5269] ? panic+0x770/0x770 [ 124.905255][ T5269] ? gfs2_consist_inode_i+0xf5/0x110 [ 124.910579][ T5269] gfs2_dirent_scan+0x512/0x640 [ 124.915461][ T5269] ? gfs2_dirent_scan+0x640/0x640 [ 124.920490][ T5269] gfs2_dir_read+0x82f/0x1af0 [ 124.925177][ T5269] ? inode_dio_wait+0x2ad/0x340 [ 124.930036][ T5269] ? inode_owner_or_capable+0x1c0/0x1c0 [ 124.935593][ T5269] ? gfs2_dir_hash_inval+0x80/0x80 [ 124.940717][ T5269] ? _raw_spin_unlock+0x28/0x40 [ 124.945564][ T5269] ? gfs2_glock_nq+0xcbf/0x16c0 [ 124.950443][ T5269] ? inode_go_held+0xea/0x200 [pid 5268] exit_group(0) = ? [ 124.955151][ T5269] ? gfs2_glock_wait+0x21a/0x2b0 [ 124.960129][ T5269] gfs2_readdir+0x14e/0x1b0 [ 124.964660][ T5269] ? __fdget_pos+0x254/0x2f0 [ 124.969263][ T5269] ? gfs2_fallocate+0x490/0x490 [ 124.974117][ T5269] ? iterate_dir+0x228/0x570 [ 124.978730][ T5269] ? __down_read_common+0x184/0x2c0 [ 124.983926][ T5269] ? iterate_dir+0x10e/0x570 [ 124.988516][ T5269] iterate_dir+0x228/0x570 [ 124.992937][ T5269] ? gfs2_fallocate+0x490/0x490 [ 124.997790][ T5269] __se_sys_getdents64+0x20d/0x4f0 [ 125.002906][ T5269] ? _raw_spin_unlock_irq+0x2e/0x50 [ 125.008112][ T5269] ? __x64_sys_getdents64+0x80/0x80 [ 125.013323][ T5269] ? filldir+0x740/0x740 [ 125.017590][ T5269] ? syscall_enter_from_user_mode+0x32/0x230 [ 125.023575][ T5269] ? syscall_enter_from_user_mode+0x8c/0x230 [ 125.029576][ T5269] do_syscall_64+0x41/0xc0 [ 125.033999][ T5269] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 125.039887][ T5269] RIP: 0033:0x7f281a11eab9 [ 125.044296][ T5269] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 125.063923][ T5269] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 125.072345][ T5269] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 125.080330][ T5269] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 125.088312][ T5269] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 125.096304][ T5269] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5269] <... getdents64 resumed> ) = ? [pid 5269] +++ exited with 0 +++ [pid 5271] <... open resumed>) = ? [pid 5271] +++ exited with 0 +++ [pid 5268] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5268, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=38 /* 0.38 s */} --- umount2("./66", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./66", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./66/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./66/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./66/binderfs") = 0 [ 125.104270][ T5269] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 125.112250][ T5269] umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./66/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./66/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./66/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./66/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./66") = 0 mkdir("./67", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5272 ./strace-static-x86_64: Process 5272 attached [pid 5272] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5272] chdir("./67") = 0 [pid 5272] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5272] setpgid(0, 0) = 0 [pid 5272] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5272] write(3, "1000", 4) = 4 [pid 5272] close(3) = 0 [pid 5272] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5272] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5272] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5272] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5272] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5273], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5273 [pid 5272] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5272] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5273 attached [pid 5273] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5273] memfd_create("syzkaller", 0) = 3 [pid 5273] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5273] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5273] munmap(0x7f2811caa000, 16777216) = 0 [pid 5273] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5273] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5273] close(3) = 0 [pid 5273] mkdir("./file0", 0777) = 0 [ 125.458568][ T5273] loop0: detected capacity change from 0 to 32768 [ 125.469229][ T5273] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 125.477950][ T5273] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 125.487449][ T5273] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 125.495968][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 125.502743][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5273] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5273] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5273] chdir("./file0") = 0 [pid 5273] ioctl(4, LOOP_CLR_FD) = 0 [pid 5273] close(4) = 0 [pid 5273] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5272] <... futex resumed>) = 0 [pid 5273] open(".", O_RDONLY [pid 5272] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5273] <... open resumed>) = 4 [pid 5272] <... futex resumed>) = 0 [pid 5273] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5272] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5273] <... futex resumed>) = 0 [pid 5272] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5273] getdents64(4, [pid 5272] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 125.542036][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 125.549576][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 125.554865][ T5273] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 125.568806][ T5273] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 125.577671][ T5273] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 125.577671][ T5273] inode = 12 2341 [pid 5272] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5272] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5272] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5272] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5272] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5275], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5275 [pid 5272] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 125.577671][ T5273] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 125.596707][ T5273] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 125.605877][ T5273] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5273 [syz-executor171] iterate_dir+0x228/0x570 [ 125.615946][ T5273] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 125.624500][ T5273] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 125.631778][ T5273] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5272] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5275 attached [pid 5275] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5275] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5275] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5272] <... futex resumed>) = 0 [pid 5275] <... futex resumed>) = 1 [ 125.641270][ T5273] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 125.648836][ T5273] gfs2: fsid=syz:syz.0: File system withdrawn [ 125.655123][ T5273] CPU: 0 PID: 5273 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 125.665209][ T5273] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 125.675274][ T5273] Call Trace: [ 125.678571][ T5273] [ 125.681525][ T5273] dump_stack_lvl+0x1e7/0x2d0 [ 125.686242][ T5273] ? nf_tcp_handle_invalid+0x650/0x650 [ 125.691728][ T5273] ? panic+0x770/0x770 [ 125.695825][ T5273] ? kobject_uevent_env+0x54e/0x8e0 [ 125.701048][ T5273] gfs2_withdraw+0xf48/0x1550 [ 125.705760][ T5273] ? gfs2_lm+0x240/0x240 [ 125.710027][ T5273] ? gfs2_dirent_scan+0xb2/0x640 [ 125.714999][ T5273] ? panic+0x770/0x770 [ 125.719100][ T5273] ? gfs2_consist_inode_i+0xf5/0x110 [ 125.724402][ T5273] gfs2_dirent_scan+0x512/0x640 [ 125.729277][ T5273] ? gfs2_dirent_scan+0x640/0x640 [ 125.734332][ T5273] gfs2_dir_read+0x82f/0x1af0 [pid 5275] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5272] exit_group(0 [pid 5275] <... futex resumed>) = ? [pid 5272] <... exit_group resumed>) = ? [pid 5275] +++ exited with 0 +++ [ 125.739024][ T5273] ? inode_dio_wait+0x2ad/0x340 [ 125.743893][ T5273] ? inode_owner_or_capable+0x1c0/0x1c0 [ 125.749477][ T5273] ? gfs2_dir_hash_inval+0x80/0x80 [ 125.754608][ T5273] ? _raw_spin_unlock+0x28/0x40 [ 125.759475][ T5273] ? gfs2_glock_nq+0xcbf/0x16c0 [ 125.764361][ T5273] ? inode_go_held+0xea/0x200 [ 125.769074][ T5273] ? gfs2_glock_wait+0x21a/0x2b0 [ 125.774038][ T5273] gfs2_readdir+0x14e/0x1b0 [ 125.778580][ T5273] ? __fdget_pos+0x254/0x2f0 [ 125.783199][ T5273] ? gfs2_fallocate+0x490/0x490 [ 125.788084][ T5273] ? iterate_dir+0x228/0x570 [ 125.792699][ T5273] ? __down_read_common+0x184/0x2c0 [ 125.797927][ T5273] ? iterate_dir+0x10e/0x570 [ 125.802540][ T5273] iterate_dir+0x228/0x570 [ 125.806984][ T5273] ? gfs2_fallocate+0x490/0x490 [ 125.811839][ T5273] __se_sys_getdents64+0x20d/0x4f0 [ 125.816955][ T5273] ? _raw_spin_unlock_irq+0x2e/0x50 [ 125.822157][ T5273] ? __x64_sys_getdents64+0x80/0x80 [ 125.827366][ T5273] ? filldir+0x740/0x740 [ 125.831643][ T5273] ? syscall_enter_from_user_mode+0x32/0x230 [ 125.837647][ T5273] ? syscall_enter_from_user_mode+0x8c/0x230 [ 125.843634][ T5273] do_syscall_64+0x41/0xc0 [ 125.848080][ T5273] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 125.853990][ T5273] RIP: 0033:0x7f281a11eab9 [ 125.858433][ T5273] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 125.878066][ T5273] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5273] <... getdents64 resumed> ) = ? [pid 5273] +++ exited with 0 +++ [pid 5272] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5272, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=31 /* 0.31 s */} --- umount2("./67", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./67", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./67/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./67/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./67/binderfs") = 0 [ 125.886484][ T5273] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 125.894453][ T5273] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 125.902429][ T5273] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 125.910415][ T5273] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 125.918395][ T5273] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 125.926403][ T5273] umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./67/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./67/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./67/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./67/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./67") = 0 mkdir("./68", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5276 ./strace-static-x86_64: Process 5276 attached [pid 5276] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5276] chdir("./68") = 0 [pid 5276] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5276] setpgid(0, 0) = 0 [pid 5276] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5276] write(3, "1000", 4) = 4 [pid 5276] close(3) = 0 [pid 5276] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5276] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5276] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5276] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5276] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5277 attached , parent_tid=[5277], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5277 [pid 5277] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5277] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5276] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5277] <... futex resumed>) = 0 [pid 5276] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5277] memfd_create("syzkaller", 0) = 3 [pid 5277] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5277] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5277] munmap(0x7f2811caa000, 16777216) = 0 [pid 5277] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5277] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5277] close(3) = 0 [pid 5277] mkdir("./file0", 0777) = 0 [ 126.303439][ T5277] loop0: detected capacity change from 0 to 32768 [ 126.316190][ T5277] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 126.324800][ T5277] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 126.334728][ T5277] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 126.344178][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 126.351200][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5277] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5277] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5277] chdir("./file0") = 0 [pid 5277] ioctl(4, LOOP_CLR_FD) = 0 [pid 5277] close(4) = 0 [pid 5277] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5276] <... futex resumed>) = 0 [pid 5277] <... futex resumed>) = 1 [pid 5276] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5277] open(".", O_RDONLY [pid 5276] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5277] <... open resumed>) = 4 [pid 5277] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5276] <... futex resumed>) = 0 [pid 5277] getdents64(4, [pid 5276] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 126.388038][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 126.396292][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 126.401763][ T5277] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 126.422927][ T5277] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5276] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 126.434565][ T5277] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 126.434565][ T5277] inode = 12 2341 [ 126.434565][ T5277] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 126.453566][ T5277] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 126.462658][ T5277] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5277 [syz-executor171] iterate_dir+0x228/0x570 [ 126.472635][ T5277] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 126.481134][ T5277] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5276] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 126.488437][ T5277] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 126.497447][ T5277] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 126.504237][ T5277] gfs2: fsid=syz:syz.0: File system withdrawn [ 126.510503][ T5277] CPU: 0 PID: 5277 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 126.520583][ T5277] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 126.530637][ T5277] Call Trace: [ 126.533915][ T5277] [ 126.536855][ T5277] dump_stack_lvl+0x1e7/0x2d0 [ 126.541548][ T5277] ? nf_tcp_handle_invalid+0x650/0x650 [ 126.547023][ T5277] ? panic+0x770/0x770 [ 126.551104][ T5277] ? kobject_uevent_env+0x54e/0x8e0 [ 126.556325][ T5277] gfs2_withdraw+0xf48/0x1550 [ 126.561024][ T5277] ? gfs2_lm+0x240/0x240 [ 126.565272][ T5277] ? gfs2_dirent_scan+0xb2/0x640 [ 126.570217][ T5277] ? panic+0x770/0x770 [ 126.574294][ T5277] ? gfs2_consist_inode_i+0xf5/0x110 [ 126.579593][ T5277] gfs2_dirent_scan+0x512/0x640 [ 126.584451][ T5277] ? gfs2_dirent_scan+0x640/0x640 [ 126.589480][ T5277] gfs2_dir_read+0x82f/0x1af0 [ 126.594178][ T5277] ? inode_dio_wait+0x2ad/0x340 [ 126.599042][ T5277] ? inode_owner_or_capable+0x1c0/0x1c0 [ 126.604681][ T5277] ? gfs2_dir_hash_inval+0x80/0x80 [ 126.609813][ T5277] ? _raw_spin_unlock+0x28/0x40 [ 126.614664][ T5277] ? gfs2_glock_nq+0xcbf/0x16c0 [ 126.619528][ T5277] ? inode_go_held+0xea/0x200 [ 126.624223][ T5277] ? gfs2_glock_wait+0x21a/0x2b0 [ 126.629168][ T5277] gfs2_readdir+0x14e/0x1b0 [ 126.633684][ T5277] ? __fdget_pos+0x254/0x2f0 [ 126.638285][ T5277] ? gfs2_fallocate+0x490/0x490 [ 126.643152][ T5277] ? iterate_dir+0x228/0x570 [ 126.647759][ T5277] ? __down_read_common+0x184/0x2c0 [ 126.652967][ T5277] ? iterate_dir+0x10e/0x570 [ 126.657586][ T5277] iterate_dir+0x228/0x570 [ 126.662016][ T5277] ? gfs2_fallocate+0x490/0x490 [ 126.666877][ T5277] __se_sys_getdents64+0x20d/0x4f0 [ 126.672003][ T5277] ? _raw_spin_unlock_irq+0x2e/0x50 [ 126.677219][ T5277] ? __x64_sys_getdents64+0x80/0x80 [ 126.682432][ T5277] ? filldir+0x740/0x740 [ 126.686703][ T5277] ? syscall_enter_from_user_mode+0x32/0x230 [ 126.692694][ T5277] ? syscall_enter_from_user_mode+0x8c/0x230 [ 126.698689][ T5277] do_syscall_64+0x41/0xc0 [ 126.703120][ T5277] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 126.709018][ T5277] RIP: 0033:0x7f281a11eab9 [ 126.713438][ T5277] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5276] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0 [pid 5277] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5276] <... mmap resumed>) = 0x7f2812c89000 [pid 5277] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5276] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE [pid 5277] <... futex resumed>) = 0 [pid 5276] <... mprotect resumed>) = 0 [pid 5277] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5276] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5279], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5279 [pid 5276] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5276] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5279 attached [pid 5279] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5279] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5279] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5276] <... futex resumed>) = 0 [pid 5276] exit_group(0 [pid 5277] <... futex resumed>) = ? [pid 5276] <... exit_group resumed>) = ? [pid 5277] +++ exited with 0 +++ [pid 5279] <... futex resumed>) = ? [pid 5279] +++ exited with 0 +++ [pid 5276] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5276, si_uid=0, si_status=0, si_utime=7 /* 0.07 s */, si_stime=27 /* 0.27 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./68", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./68", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./68/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./68/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./68/binderfs") = 0 [ 126.733044][ T5277] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 126.741459][ T5277] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 126.749523][ T5277] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 126.757496][ T5277] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 126.765468][ T5277] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 126.773441][ T5277] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 126.781421][ T5277] umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./68/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./68/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./68/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./68/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./68") = 0 mkdir("./69", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5280 ./strace-static-x86_64: Process 5280 attached [pid 5280] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5280] chdir("./69") = 0 [pid 5280] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5280] setpgid(0, 0) = 0 [pid 5280] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5280] write(3, "1000", 4) = 4 [pid 5280] close(3) = 0 [pid 5280] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5280] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5280] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5280] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5280] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5281], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5281 [pid 5280] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5280] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5281 attached [pid 5281] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5281] memfd_create("syzkaller", 0) = 3 [pid 5281] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5281] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5281] munmap(0x7f2811caa000, 16777216) = 0 [pid 5281] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5281] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5281] close(3) = 0 [pid 5281] mkdir("./file0", 0777) = 0 [ 127.132904][ T5281] loop0: detected capacity change from 0 to 32768 [ 127.144639][ T5281] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 127.153189][ T5281] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 127.162657][ T5281] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 127.171385][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 127.178518][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5281] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5281] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5281] chdir("./file0") = 0 [pid 5281] ioctl(4, LOOP_CLR_FD) = 0 [pid 5281] close(4) = 0 [pid 5281] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5280] <... futex resumed>) = 0 [pid 5281] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5280] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5281] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5280] <... futex resumed>) = 0 [pid 5281] open(".", O_RDONLY [pid 5280] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5281] <... open resumed>) = 4 [pid 5281] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5280] <... futex resumed>) = 0 [pid 5281] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5280] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5281] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5280] <... futex resumed>) = 0 [pid 5281] getdents64(4, [ 127.223035][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 127.230652][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 127.236235][ T5281] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 127.262560][ T5281] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 127.272447][ T5281] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 127.272447][ T5281] inode = 12 2341 [ 127.272447][ T5281] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 127.291518][ T5281] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 127.300770][ T5281] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5281 [syz-executor171] iterate_dir+0x228/0x570 [ 127.310814][ T5281] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5280] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5280] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 127.319279][ T5281] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 127.326599][ T5281] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 127.335720][ T5281] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 127.342444][ T5281] gfs2: fsid=syz:syz.0: File system withdrawn [ 127.348851][ T5281] CPU: 0 PID: 5281 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 127.358938][ T5281] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 127.368995][ T5281] Call Trace: [ 127.372291][ T5281] [ 127.375228][ T5281] dump_stack_lvl+0x1e7/0x2d0 [ 127.379935][ T5281] ? nf_tcp_handle_invalid+0x650/0x650 [ 127.385409][ T5281] ? panic+0x770/0x770 [ 127.389509][ T5281] ? kobject_uevent_env+0x54e/0x8e0 [ 127.394720][ T5281] gfs2_withdraw+0xf48/0x1550 [ 127.399416][ T5281] ? gfs2_lm+0x240/0x240 [ 127.403666][ T5281] ? gfs2_dirent_scan+0xb2/0x640 [ 127.408617][ T5281] ? panic+0x770/0x770 [ 127.412697][ T5281] ? gfs2_consist_inode_i+0xf5/0x110 [ 127.417997][ T5281] gfs2_dirent_scan+0x512/0x640 [ 127.422858][ T5281] ? gfs2_dirent_scan+0x640/0x640 [ 127.427891][ T5281] gfs2_dir_read+0x82f/0x1af0 [ 127.432592][ T5281] ? inode_dio_wait+0x2ad/0x340 [ 127.437453][ T5281] ? inode_owner_or_capable+0x1c0/0x1c0 [ 127.443008][ T5281] ? gfs2_dir_hash_inval+0x80/0x80 [ 127.448130][ T5281] ? _raw_spin_unlock+0x28/0x40 [ 127.452997][ T5281] ? gfs2_glock_nq+0xcbf/0x16c0 [ 127.457889][ T5281] ? inode_go_held+0xea/0x200 [ 127.462754][ T5281] ? gfs2_glock_wait+0x21a/0x2b0 [ 127.467730][ T5281] gfs2_readdir+0x14e/0x1b0 [ 127.472249][ T5281] ? __fdget_pos+0x254/0x2f0 [ 127.476849][ T5281] ? gfs2_fallocate+0x490/0x490 [ 127.481720][ T5281] ? iterate_dir+0x228/0x570 [ 127.486320][ T5281] ? __down_read_common+0x184/0x2c0 [ 127.491528][ T5281] ? iterate_dir+0x10e/0x570 [ 127.496144][ T5281] iterate_dir+0x228/0x570 [ 127.500568][ T5281] ? gfs2_fallocate+0x490/0x490 [ 127.505462][ T5281] __se_sys_getdents64+0x20d/0x4f0 [ 127.510584][ T5281] ? _raw_spin_unlock_irq+0x2e/0x50 [ 127.515797][ T5281] ? __x64_sys_getdents64+0x80/0x80 [ 127.521011][ T5281] ? filldir+0x740/0x740 [ 127.525269][ T5281] ? syscall_enter_from_user_mode+0x32/0x230 [ 127.531346][ T5281] ? syscall_enter_from_user_mode+0x8c/0x230 [ 127.537340][ T5281] do_syscall_64+0x41/0xc0 [ 127.541776][ T5281] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 127.547679][ T5281] RIP: 0033:0x7f281a11eab9 [ 127.552099][ T5281] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5280] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5280] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5280] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5283], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5283 [pid 5280] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5280] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5281] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5281] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5281] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 5283 attached [pid 5283] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5283] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5283] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5280] <... futex resumed>) = 0 [pid 5280] exit_group(0 [pid 5281] <... futex resumed>) = ? [pid 5280] <... exit_group resumed>) = ? [pid 5281] +++ exited with 0 +++ [pid 5283] <... futex resumed>) = ? [pid 5283] +++ exited with 0 +++ [pid 5280] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5280, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./69", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./69", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./69/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./69/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./69/binderfs") = 0 [ 127.571714][ T5281] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 127.580137][ T5281] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 127.588113][ T5281] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 127.596102][ T5281] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 127.604083][ T5281] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 127.612059][ T5281] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 127.620049][ T5281] umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./69/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./69/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./69/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./69/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./69") = 0 mkdir("./70", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5284 ./strace-static-x86_64: Process 5284 attached [pid 5284] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5284] chdir("./70") = 0 [pid 5284] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5284] setpgid(0, 0) = 0 [pid 5284] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5284] write(3, "1000", 4) = 4 [pid 5284] close(3) = 0 [pid 5284] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5284] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5284] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5284] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5285 attached [pid 5285] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5285] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5284] <... clone resumed>, parent_tid=[5285], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5285 [pid 5284] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5285] <... futex resumed>) = 0 [pid 5284] <... futex resumed>) = 1 [pid 5284] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5285] memfd_create("syzkaller", 0) = 3 [pid 5285] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5285] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5285] munmap(0x7f2811caa000, 16777216) = 0 [pid 5285] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5285] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5285] close(3) = 0 [pid 5285] mkdir("./file0", 0777) = 0 [ 128.011985][ T5285] loop0: detected capacity change from 0 to 32768 [ 128.022941][ T5285] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 128.031338][ T5285] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 128.041430][ T5285] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 128.050427][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 128.057343][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5285] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5285] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5285] chdir("./file0") = 0 [pid 5285] ioctl(4, LOOP_CLR_FD) = 0 [ 128.093163][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 128.100698][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 128.105991][ T5285] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5285] close(4) = 0 [pid 5285] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5284] <... futex resumed>) = 0 [pid 5284] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5285] <... futex resumed>) = 1 [pid 5285] open(".", O_RDONLY) = 4 [pid 5285] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5284] <... futex resumed>) = 0 [pid 5284] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5285] <... futex resumed>) = 1 [pid 5285] getdents64(4, [pid 5284] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 128.135822][ T5285] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 128.153468][ T5285] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 128.153468][ T5285] inode = 12 2341 [ 128.153468][ T5285] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 128.172700][ T5285] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [pid 5284] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5284] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5284] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5284] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5287], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5287 [pid 5284] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5284] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5287 attached [pid 5287] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 128.182055][ T5285] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5285 [syz-executor171] iterate_dir+0x228/0x570 [ 128.192577][ T5285] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 128.196202][ T5287] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 128.201385][ T5285] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 128.209785][ T5287] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 128.216931][ T5285] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5287] open("./file0", O_RDONLY [pid 5284] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 128.226133][ T5287] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5285 [syz-executor171] iterate_dir+0x228/0x570 [ 128.234834][ T5285] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 128.245655][ T5287] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5287 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 128.251198][ T5285] gfs2: fsid=syz:syz.0: File system withdrawn [ 128.263309][ T5287] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 128.267441][ T5285] CPU: 1 PID: 5285 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 128.285529][ T5285] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 128.295586][ T5285] Call Trace: [ 128.298871][ T5285] [ 128.301801][ T5285] dump_stack_lvl+0x1e7/0x2d0 [ 128.306497][ T5285] ? nf_tcp_handle_invalid+0x650/0x650 [ 128.312073][ T5285] ? panic+0x770/0x770 [ 128.316237][ T5285] ? kobject_uevent_env+0x54e/0x8e0 [ 128.321565][ T5285] gfs2_withdraw+0xf48/0x1550 [ 128.326356][ T5285] ? gfs2_lm+0x240/0x240 [ 128.330611][ T5285] ? gfs2_dirent_scan+0xb2/0x640 [ 128.335557][ T5285] ? panic+0x770/0x770 [ 128.339640][ T5285] ? gfs2_consist_inode_i+0xf5/0x110 [ 128.344977][ T5285] gfs2_dirent_scan+0x512/0x640 [ 128.349842][ T5285] ? gfs2_dirent_scan+0x640/0x640 [ 128.354881][ T5285] gfs2_dir_read+0x82f/0x1af0 [ 128.359578][ T5285] ? inode_dio_wait+0x2ad/0x340 [ 128.364446][ T5285] ? inode_owner_or_capable+0x1c0/0x1c0 [ 128.370004][ T5285] ? gfs2_dir_hash_inval+0x80/0x80 [ 128.375118][ T5285] ? _raw_spin_unlock+0x28/0x40 [ 128.379972][ T5285] ? gfs2_glock_nq+0xcbf/0x16c0 [ 128.384843][ T5285] ? inode_go_held+0xea/0x200 [ 128.389525][ T5285] ? gfs2_glock_wait+0x21a/0x2b0 [ 128.394480][ T5285] gfs2_readdir+0x14e/0x1b0 [ 128.398988][ T5285] ? __fdget_pos+0x254/0x2f0 [ 128.403580][ T5285] ? gfs2_fallocate+0x490/0x490 [ 128.408446][ T5285] ? iterate_dir+0x228/0x570 [ 128.413047][ T5285] ? __down_read_common+0x184/0x2c0 [ 128.418253][ T5285] ? iterate_dir+0x10e/0x570 [ 128.422859][ T5285] iterate_dir+0x228/0x570 [ 128.427289][ T5285] ? gfs2_fallocate+0x490/0x490 [ 128.432150][ T5285] __se_sys_getdents64+0x20d/0x4f0 [ 128.437267][ T5285] ? _raw_spin_unlock_irq+0x2e/0x50 [ 128.442475][ T5285] ? __x64_sys_getdents64+0x80/0x80 [ 128.447686][ T5285] ? filldir+0x740/0x740 [ 128.451949][ T5285] ? syscall_enter_from_user_mode+0x32/0x230 [ 128.457937][ T5285] ? syscall_enter_from_user_mode+0x8c/0x230 [ 128.463934][ T5285] do_syscall_64+0x41/0xc0 [ 128.468362][ T5285] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 128.474265][ T5285] RIP: 0033:0x7f281a11eab9 [ 128.478701][ T5285] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 128.498313][ T5285] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 128.506736][ T5285] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 128.514715][ T5285] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 128.522688][ T5285] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5285] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5285] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5285] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5287] <... open resumed>) = -1 EIO (Input/output error) [pid 5287] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5287] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5284] exit_group(0 [pid 5285] <... futex resumed>) = ? [pid 5284] <... exit_group resumed>) = ? [pid 5285] +++ exited with 0 +++ [pid 5287] <... futex resumed>) = ? [pid 5287] +++ exited with 0 +++ [pid 5284] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5284, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=44 /* 0.44 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./70", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./70", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./70/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./70/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./70/binderfs") = 0 [ 128.530665][ T5285] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 128.538639][ T5285] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 128.546645][ T5285] umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./70/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./70/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./70/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./70/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./70") = 0 mkdir("./71", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5288 ./strace-static-x86_64: Process 5288 attached [pid 5288] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5288] chdir("./71") = 0 [pid 5288] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5288] setpgid(0, 0) = 0 [pid 5288] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5288] write(3, "1000", 4) = 4 [pid 5288] close(3) = 0 [pid 5288] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5288] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5288] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5288] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5289 attached , parent_tid=[5289], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5289 [pid 5289] set_robust_list(0x7f281a0ca9e0, 24 [pid 5288] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5289] <... set_robust_list resumed>) = 0 [pid 5288] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5289] memfd_create("syzkaller", 0) = 3 [pid 5289] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5289] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5289] munmap(0x7f2811caa000, 16777216) = 0 [pid 5289] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5289] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5289] close(3) = 0 [pid 5289] mkdir("./file0", 0777) = 0 [ 128.936127][ T5289] loop0: detected capacity change from 0 to 32768 [ 128.948654][ T5289] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 128.957146][ T5289] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 128.967134][ T5289] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 128.975648][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 128.982419][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5289] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5289] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5289] chdir("./file0") = 0 [pid 5289] ioctl(4, LOOP_CLR_FD) = 0 [pid 5289] close(4) = 0 [pid 5289] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5288] <... futex resumed>) = 0 [pid 5289] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5288] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5289] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5288] <... futex resumed>) = 0 [pid 5289] open(".", O_RDONLY) = 4 [pid 5288] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5289] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5289] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 5288] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [ 129.023871][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 129.031454][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 129.036852][ T5289] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5289] getdents64(4, [pid 5288] <... futex resumed>) = 0 [ 129.072205][ T5289] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 129.080705][ T5289] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 129.080705][ T5289] inode = 12 2341 [ 129.080705][ T5289] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 129.099752][ T5289] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 129.109007][ T5289] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5289 [syz-executor171] iterate_dir+0x228/0x570 [pid 5288] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5288] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5288] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5288] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5291], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5291 [pid 5288] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5291 attached [pid 5291] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5291] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5291] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5288] <... futex resumed>) = 0 [pid 5291] <... futex resumed>) = 1 [ 129.119227][ T5289] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 129.127848][ T5289] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 129.135257][ T5289] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 129.144334][ T5289] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 129.150941][ T5289] gfs2: fsid=syz:syz.0: File system withdrawn [ 129.157339][ T5289] CPU: 1 PID: 5289 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 129.167432][ T5289] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 129.177496][ T5289] Call Trace: [ 129.180790][ T5289] [ 129.183737][ T5289] dump_stack_lvl+0x1e7/0x2d0 [ 129.188462][ T5289] ? nf_tcp_handle_invalid+0x650/0x650 [ 129.193968][ T5289] ? panic+0x770/0x770 [ 129.198064][ T5289] ? kobject_uevent_env+0x54e/0x8e0 [ 129.203286][ T5289] gfs2_withdraw+0xf48/0x1550 [ 129.207986][ T5289] ? gfs2_lm+0x240/0x240 [ 129.212241][ T5289] ? gfs2_dirent_scan+0xb2/0x640 [ 129.217198][ T5289] ? panic+0x770/0x770 [ 129.221325][ T5289] ? gfs2_consist_inode_i+0xf5/0x110 [ 129.226651][ T5289] gfs2_dirent_scan+0x512/0x640 [ 129.231526][ T5289] ? gfs2_dirent_scan+0x640/0x640 [ 129.236578][ T5289] gfs2_dir_read+0x82f/0x1af0 [ 129.241279][ T5289] ? inode_dio_wait+0x2ad/0x340 [ 129.246160][ T5289] ? inode_owner_or_capable+0x1c0/0x1c0 [ 129.251717][ T5289] ? gfs2_dir_hash_inval+0x80/0x80 [ 129.256831][ T5289] ? _raw_spin_unlock+0x28/0x40 [ 129.261682][ T5289] ? gfs2_glock_nq+0xcbf/0x16c0 [ 129.266544][ T5289] ? inode_go_held+0xea/0x200 [ 129.271221][ T5289] ? gfs2_glock_wait+0x21a/0x2b0 [ 129.276173][ T5289] gfs2_readdir+0x14e/0x1b0 [ 129.280687][ T5289] ? __fdget_pos+0x254/0x2f0 [ 129.285276][ T5289] ? gfs2_fallocate+0x490/0x490 [ 129.290132][ T5289] ? iterate_dir+0x228/0x570 [ 129.294731][ T5289] ? __down_read_common+0x184/0x2c0 [ 129.299948][ T5289] ? iterate_dir+0x10e/0x570 [ 129.304545][ T5289] iterate_dir+0x228/0x570 [ 129.308971][ T5289] ? gfs2_fallocate+0x490/0x490 [ 129.313852][ T5289] __se_sys_getdents64+0x20d/0x4f0 [ 129.318976][ T5289] ? _raw_spin_unlock_irq+0x2e/0x50 [ 129.324187][ T5289] ? __x64_sys_getdents64+0x80/0x80 [ 129.329395][ T5289] ? filldir+0x740/0x740 [ 129.333654][ T5289] ? syscall_enter_from_user_mode+0x32/0x230 [ 129.339647][ T5289] ? syscall_enter_from_user_mode+0x8c/0x230 [ 129.345644][ T5289] do_syscall_64+0x41/0xc0 [ 129.350076][ T5289] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 129.355992][ T5289] RIP: 0033:0x7f281a11eab9 [ 129.360412][ T5289] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 129.380027][ T5289] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 129.388450][ T5289] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 129.396427][ T5289] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 129.404401][ T5289] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 129.412374][ T5289] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5291] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5289] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5289] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5288] exit_group(0 [pid 5291] <... futex resumed>) = ? [pid 5288] <... exit_group resumed>) = ? [pid 5291] +++ exited with 0 +++ [pid 5289] +++ exited with 0 +++ [pid 5288] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5288, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./71", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./71", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./71/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./71/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./71/binderfs") = 0 [ 129.420362][ T5289] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 129.428354][ T5289] umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./71/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./71/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./71/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./71/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./71") = 0 mkdir("./72", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5292 attached , child_tidptr=0x5555571fa5d0) = 5292 [pid 5292] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5292] chdir("./72") = 0 [pid 5292] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5292] setpgid(0, 0) = 0 [pid 5292] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5292] write(3, "1000", 4) = 4 [pid 5292] close(3) = 0 [pid 5292] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5292] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5292] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5292] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5292] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5293], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5293 [pid 5292] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5292] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5293 attached [pid 5293] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5293] memfd_create("syzkaller", 0) = 3 [pid 5293] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5293] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5293] munmap(0x7f2811caa000, 16777216) = 0 [pid 5293] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5293] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5293] close(3) = 0 [pid 5293] mkdir("./file0", 0777) = 0 [ 129.857737][ T5293] loop0: detected capacity change from 0 to 32768 [ 129.869190][ T5293] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 129.877422][ T5293] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 129.886738][ T5293] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 129.895611][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 129.902405][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5293] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5293] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5293] chdir("./file0") = 0 [pid 5293] ioctl(4, LOOP_CLR_FD) = 0 [pid 5293] close(4) = 0 [pid 5293] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5292] <... futex resumed>) = 0 [pid 5292] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5292] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5293] <... futex resumed>) = 1 [pid 5293] open(".", O_RDONLY) = 4 [pid 5293] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5292] <... futex resumed>) = 0 [pid 5292] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5292] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5293] <... futex resumed>) = 1 [ 129.943359][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 129.951691][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 129.957027][ T5293] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5293] getdents64(4, [pid 5292] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5292] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 129.991315][ T5293] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 130.000224][ T5293] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 130.000224][ T5293] inode = 12 2341 [ 130.000224][ T5293] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 130.019227][ T5293] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 130.028685][ T5293] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5293 [syz-executor171] iterate_dir+0x228/0x570 [pid 5292] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5292] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5292] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5295], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5295 [pid 5292] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5292] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5295 attached [pid 5295] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5295] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5295] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5292] <... futex resumed>) = 0 [pid 5295] <... futex resumed>) = 1 [ 130.039012][ T5293] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 130.048020][ T5293] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 130.055324][ T5293] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 130.064160][ T5293] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 130.070699][ T5293] gfs2: fsid=syz:syz.0: File system withdrawn [ 130.076925][ T5293] CPU: 1 PID: 5293 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 130.087105][ T5293] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 130.097172][ T5293] Call Trace: [ 130.100470][ T5293] [ 130.103425][ T5293] dump_stack_lvl+0x1e7/0x2d0 [ 130.108164][ T5293] ? nf_tcp_handle_invalid+0x650/0x650 [ 130.113664][ T5293] ? panic+0x770/0x770 [ 130.117755][ T5293] ? kobject_uevent_env+0x54e/0x8e0 [ 130.122966][ T5293] gfs2_withdraw+0xf48/0x1550 [ 130.127661][ T5293] ? gfs2_lm+0x240/0x240 [ 130.131918][ T5293] ? gfs2_dirent_scan+0xb2/0x640 [ 130.136871][ T5293] ? panic+0x770/0x770 [pid 5295] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5292] exit_group(0 [pid 5295] <... futex resumed>) = ? [pid 5292] <... exit_group resumed>) = ? [pid 5295] +++ exited with 0 +++ [ 130.141161][ T5293] ? gfs2_consist_inode_i+0xf5/0x110 [ 130.146460][ T5293] gfs2_dirent_scan+0x512/0x640 [ 130.151324][ T5293] ? gfs2_dirent_scan+0x640/0x640 [ 130.156351][ T5293] gfs2_dir_read+0x82f/0x1af0 [ 130.161044][ T5293] ? inode_dio_wait+0x2ad/0x340 [ 130.165927][ T5293] ? inode_owner_or_capable+0x1c0/0x1c0 [ 130.171521][ T5293] ? gfs2_dir_hash_inval+0x80/0x80 [ 130.176658][ T5293] ? _raw_spin_unlock+0x28/0x40 [ 130.181518][ T5293] ? gfs2_glock_nq+0xcbf/0x16c0 [ 130.186499][ T5293] ? inode_go_held+0xea/0x200 [ 130.191221][ T5293] ? gfs2_glock_wait+0x21a/0x2b0 [ 130.196168][ T5293] gfs2_readdir+0x14e/0x1b0 [ 130.200675][ T5293] ? __fdget_pos+0x254/0x2f0 [ 130.205267][ T5293] ? gfs2_fallocate+0x490/0x490 [ 130.210209][ T5293] ? iterate_dir+0x228/0x570 [ 130.214829][ T5293] ? __down_read_common+0x184/0x2c0 [ 130.220037][ T5293] ? iterate_dir+0x10e/0x570 [ 130.224632][ T5293] iterate_dir+0x228/0x570 [ 130.229059][ T5293] ? gfs2_fallocate+0x490/0x490 [ 130.233934][ T5293] __se_sys_getdents64+0x20d/0x4f0 [ 130.239064][ T5293] ? _raw_spin_unlock_irq+0x2e/0x50 [ 130.244283][ T5293] ? __x64_sys_getdents64+0x80/0x80 [ 130.249503][ T5293] ? filldir+0x740/0x740 [ 130.253772][ T5293] ? syscall_enter_from_user_mode+0x32/0x230 [ 130.259757][ T5293] ? syscall_enter_from_user_mode+0x8c/0x230 [ 130.265749][ T5293] do_syscall_64+0x41/0xc0 [ 130.270201][ T5293] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 130.276118][ T5293] RIP: 0033:0x7f281a11eab9 [ 130.280535][ T5293] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 130.300145][ T5293] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 130.308563][ T5293] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 130.316551][ T5293] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 130.324537][ T5293] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 130.332511][ T5293] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5293] <... getdents64 resumed> ) = ? [pid 5293] +++ exited with 0 +++ [pid 5292] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5292, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=37 /* 0.37 s */} --- umount2("./72", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./72", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./72/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./72/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./72/binderfs") = 0 [ 130.340492][ T5293] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 130.348486][ T5293] umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./72/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./72/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./72/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./72/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./72") = 0 mkdir("./73", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5296 ./strace-static-x86_64: Process 5296 attached [pid 5296] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5296] chdir("./73") = 0 [pid 5296] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5296] setpgid(0, 0) = 0 [pid 5296] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5296] write(3, "1000", 4) = 4 [pid 5296] close(3) = 0 [pid 5296] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5296] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5296] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5296] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5296] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5297 attached , parent_tid=[5297], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5297 [pid 5296] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5296] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5297] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5297] memfd_create("syzkaller", 0) = 3 [pid 5297] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5297] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5297] munmap(0x7f2811caa000, 16777216) = 0 [pid 5297] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5297] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5297] close(3) = 0 [pid 5297] mkdir("./file0", 0777) = 0 [ 130.709569][ T5297] loop0: detected capacity change from 0 to 32768 [ 130.719985][ T5297] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 130.729106][ T5297] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 130.738857][ T5297] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 130.747518][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 130.754672][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5297] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5297] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5297] chdir("./file0") = 0 [pid 5297] ioctl(4, LOOP_CLR_FD) = 0 [pid 5297] close(4) = 0 [pid 5297] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5296] <... futex resumed>) = 0 [pid 5296] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5296] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5297] <... futex resumed>) = 1 [pid 5297] open(".", O_RDONLY) = 4 [pid 5297] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5296] <... futex resumed>) = 0 [pid 5296] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5296] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5297] <... futex resumed>) = 1 [ 130.794902][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 130.802457][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 130.808662][ T5297] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5297] getdents64(4, [pid 5296] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5296] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5296] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5296] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5296] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5299], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5299 [pid 5296] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5296] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5299 attached [pid 5299] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 130.840548][ T5297] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 130.849304][ T5297] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 130.849304][ T5297] inode = 12 2341 [ 130.849304][ T5297] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 130.868307][ T5297] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 130.877462][ T5297] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5297 [syz-executor171] iterate_dir+0x228/0x570 [ 130.887845][ T5297] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 130.891310][ T5299] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 130.896346][ T5297] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 130.896361][ T5297] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 130.920843][ T5297] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 130.921282][ T5299] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [pid 5299] open("./file0", O_RDONLY [pid 5296] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 130.929340][ T5297] gfs2: fsid=syz:syz.0: File system withdrawn [ 130.942562][ T5297] CPU: 1 PID: 5297 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 130.952639][ T5297] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 130.962699][ T5297] Call Trace: [ 130.965980][ T5297] [ 130.968925][ T5297] dump_stack_lvl+0x1e7/0x2d0 [ 130.973637][ T5297] ? nf_tcp_handle_invalid+0x650/0x650 [ 130.979104][ T5297] ? panic+0x770/0x770 [ 130.983175][ T5297] ? kobject_uevent_env+0x54e/0x8e0 [ 130.988410][ T5297] gfs2_withdraw+0xf48/0x1550 [ 130.993114][ T5297] ? gfs2_lm+0x240/0x240 [ 130.997361][ T5297] ? gfs2_dirent_scan+0xb2/0x640 [ 131.002301][ T5297] ? panic+0x770/0x770 [ 131.006374][ T5297] ? gfs2_consist_inode_i+0xf5/0x110 [ 131.011671][ T5297] gfs2_dirent_scan+0x512/0x640 [ 131.016526][ T5297] ? gfs2_dirent_scan+0x640/0x640 [ 131.021552][ T5297] gfs2_dir_read+0x82f/0x1af0 [ 131.026240][ T5297] ? inode_dio_wait+0x2ad/0x340 [ 131.031119][ T5297] ? inode_owner_or_capable+0x1c0/0x1c0 [ 131.036677][ T5297] ? gfs2_dir_hash_inval+0x80/0x80 [ 131.041813][ T5297] ? _raw_spin_unlock+0x28/0x40 [ 131.046669][ T5297] ? gfs2_glock_nq+0xcbf/0x16c0 [ 131.051538][ T5297] ? inode_go_held+0xea/0x200 [ 131.056235][ T5297] ? gfs2_glock_wait+0x21a/0x2b0 [ 131.061204][ T5297] gfs2_readdir+0x14e/0x1b0 [ 131.065732][ T5297] ? __fdget_pos+0x254/0x2f0 [ 131.070327][ T5297] ? gfs2_fallocate+0x490/0x490 [ 131.075189][ T5297] ? iterate_dir+0x228/0x570 [ 131.079794][ T5297] ? __down_read_common+0x184/0x2c0 [ 131.085002][ T5297] ? iterate_dir+0x10e/0x570 [ 131.089596][ T5297] iterate_dir+0x228/0x570 [ 131.094024][ T5297] ? gfs2_fallocate+0x490/0x490 [ 131.098914][ T5297] __se_sys_getdents64+0x20d/0x4f0 [ 131.104058][ T5297] ? _raw_spin_unlock_irq+0x2e/0x50 [ 131.109275][ T5297] ? __x64_sys_getdents64+0x80/0x80 [ 131.114488][ T5297] ? filldir+0x740/0x740 [ 131.118777][ T5297] ? syscall_enter_from_user_mode+0x32/0x230 [ 131.124788][ T5297] ? syscall_enter_from_user_mode+0x8c/0x230 [ 131.130799][ T5297] do_syscall_64+0x41/0xc0 [ 131.135241][ T5297] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 131.141139][ T5297] RIP: 0033:0x7f281a11eab9 [ 131.145642][ T5297] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 131.165266][ T5297] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 131.173698][ T5297] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 131.181690][ T5297] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [pid 5297] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5297] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5297] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5299] <... open resumed>) = -1 EIO (Input/output error) [pid 5299] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5299] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5296] exit_group(0 [pid 5297] <... futex resumed>) = ? [pid 5296] <... exit_group resumed>) = ? [pid 5297] +++ exited with 0 +++ [pid 5299] <... futex resumed>) = ? [pid 5299] +++ exited with 0 +++ [pid 5296] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5296, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=37 /* 0.37 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./73", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./73", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./73/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./73/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./73/binderfs") = 0 [ 131.189666][ T5297] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 131.197648][ T5297] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 131.205644][ T5297] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 131.213634][ T5297] [ 131.217944][ T5299] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5299 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 131.228315][ T5299] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./73/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./73/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./73/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./73/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./73") = 0 mkdir("./74", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5300 ./strace-static-x86_64: Process 5300 attached [pid 5300] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5300] chdir("./74") = 0 [pid 5300] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5300] setpgid(0, 0) = 0 [pid 5300] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5300] write(3, "1000", 4) = 4 [pid 5300] close(3) = 0 [pid 5300] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5300] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5300] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5300] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5300] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5301 attached , parent_tid=[5301], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5301 [pid 5301] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5301] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5300] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5301] <... futex resumed>) = 0 [pid 5300] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5301] memfd_create("syzkaller", 0) = 3 [pid 5301] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5301] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5301] munmap(0x7f2811caa000, 16777216) = 0 [pid 5301] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5301] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5301] close(3) = 0 [pid 5301] mkdir("./file0", 0777) = 0 [ 131.630366][ T5301] loop0: detected capacity change from 0 to 32768 [ 131.641388][ T5301] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 131.651140][ T5301] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 131.660576][ T5301] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 131.669345][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 131.676386][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5301] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5301] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5301] chdir("./file0") = 0 [pid 5301] ioctl(4, LOOP_CLR_FD) = 0 [pid 5301] close(4) = 0 [pid 5301] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5300] <... futex resumed>) = 0 [pid 5300] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5300] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5301] <... futex resumed>) = 1 [pid 5301] open(".", O_RDONLY) = 4 [pid 5301] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5300] <... futex resumed>) = 0 [pid 5300] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5301] <... futex resumed>) = 1 [pid 5300] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 131.720723][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 131.729917][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 131.735534][ T5301] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 131.751420][ T5301] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 131.760567][ T5301] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5301] getdents64(4, [pid 5300] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5300] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5300] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5300] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5300] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5303], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5303 [pid 5300] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5300] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5303 attached [pid 5303] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 131.760567][ T5301] inode = 12 2341 [ 131.760567][ T5301] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 131.779367][ T5301] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 131.788853][ T5301] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5301 [syz-executor171] iterate_dir+0x228/0x570 [ 131.799386][ T5301] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 131.805061][ T5303] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5303] open("./file0", O_RDONLY [pid 5300] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 131.816213][ T5301] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 131.816232][ T5301] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 131.824628][ T5303] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 131.841366][ T5301] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 131.842102][ T5303] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5301 [syz-executor171] iterate_dir+0x228/0x570 [ 131.849880][ T5301] gfs2: fsid=syz:syz.0: File system withdrawn [ 131.858773][ T5303] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5303 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 131.873930][ T5301] CPU: 1 PID: 5301 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 131.873956][ T5301] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 131.884699][ T5303] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 131.894039][ T5301] Call Trace: [ 131.894048][ T5301] [ 131.894056][ T5301] dump_stack_lvl+0x1e7/0x2d0 [ 131.894091][ T5301] ? nf_tcp_handle_invalid+0x650/0x650 [ 131.918952][ T5301] ? panic+0x770/0x770 [ 131.923045][ T5301] ? kobject_uevent_env+0x54e/0x8e0 [ 131.928286][ T5301] gfs2_withdraw+0xf48/0x1550 [ 131.933032][ T5301] ? gfs2_lm+0x240/0x240 [ 131.937304][ T5301] ? gfs2_dirent_scan+0xb2/0x640 [ 131.942284][ T5301] ? panic+0x770/0x770 [ 131.946398][ T5301] ? gfs2_consist_inode_i+0xf5/0x110 [ 131.951723][ T5301] gfs2_dirent_scan+0x512/0x640 [ 131.956587][ T5301] ? gfs2_dirent_scan+0x640/0x640 [ 131.961637][ T5301] gfs2_dir_read+0x82f/0x1af0 [ 131.966362][ T5301] ? inode_dio_wait+0x2ad/0x340 [ 131.971231][ T5301] ? inode_owner_or_capable+0x1c0/0x1c0 [ 131.976800][ T5301] ? gfs2_dir_hash_inval+0x80/0x80 [ 131.981929][ T5301] ? _raw_spin_unlock+0x28/0x40 [ 131.986802][ T5301] ? gfs2_glock_nq+0xcbf/0x16c0 [ 131.991693][ T5301] ? inode_go_held+0xea/0x200 [ 131.996395][ T5301] ? gfs2_glock_wait+0x21a/0x2b0 [ 132.001364][ T5301] gfs2_readdir+0x14e/0x1b0 [ 132.005910][ T5301] ? __fdget_pos+0x254/0x2f0 [ 132.010543][ T5301] ? gfs2_fallocate+0x490/0x490 [ 132.015436][ T5301] ? iterate_dir+0x228/0x570 [pid 5300] exit_group(0) = ? [ 132.020038][ T5301] ? __down_read_common+0x184/0x2c0 [ 132.025241][ T5301] ? iterate_dir+0x10e/0x570 [ 132.029847][ T5301] iterate_dir+0x228/0x570 [ 132.034283][ T5301] ? gfs2_fallocate+0x490/0x490 [ 132.039145][ T5301] __se_sys_getdents64+0x20d/0x4f0 [ 132.044266][ T5301] ? _raw_spin_unlock_irq+0x2e/0x50 [ 132.049531][ T5301] ? __x64_sys_getdents64+0x80/0x80 [ 132.054817][ T5301] ? filldir+0x740/0x740 [ 132.059106][ T5301] ? syscall_enter_from_user_mode+0x32/0x230 [ 132.065110][ T5301] ? syscall_enter_from_user_mode+0x8c/0x230 [ 132.071124][ T5301] do_syscall_64+0x41/0xc0 [ 132.075573][ T5301] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 132.081472][ T5301] RIP: 0033:0x7f281a11eab9 [ 132.085886][ T5301] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 132.105512][ T5301] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 132.113965][ T5301] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [pid 5303] <... open resumed>) = ? [pid 5301] <... getdents64 resumed> ) = ? [pid 5301] +++ exited with 0 +++ [pid 5303] +++ exited with 0 +++ [pid 5300] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5300, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=45 /* 0.45 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./74", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./74", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./74/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./74/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./74/binderfs") = 0 [ 132.121963][ T5301] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 132.129934][ T5301] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 132.137916][ T5301] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 132.145905][ T5301] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 132.153886][ T5301] umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./74/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./74/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./74/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./74/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./74") = 0 mkdir("./75", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5304 ./strace-static-x86_64: Process 5304 attached [pid 5304] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5304] chdir("./75") = 0 [pid 5304] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5304] setpgid(0, 0) = 0 [pid 5304] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5304] write(3, "1000", 4) = 4 [pid 5304] close(3) = 0 [pid 5304] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5304] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5304] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5304] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5305 attached [pid 5305] set_robust_list(0x7f281a0ca9e0, 24 [pid 5304] <... clone resumed>, parent_tid=[5305], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5305 [pid 5305] <... set_robust_list resumed>) = 0 [pid 5305] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5304] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5305] <... futex resumed>) = 0 [pid 5304] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5305] memfd_create("syzkaller", 0) = 3 [pid 5305] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5305] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5305] munmap(0x7f2811caa000, 16777216) = 0 [pid 5305] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5305] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5305] close(3) = 0 [pid 5305] mkdir("./file0", 0777) = 0 [ 132.550059][ T5305] loop0: detected capacity change from 0 to 32768 [ 132.562141][ T5305] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 132.570897][ T5305] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 132.581518][ T5305] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 132.590390][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 132.597260][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5305] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5305] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5305] chdir("./file0") = 0 [pid 5305] ioctl(4, LOOP_CLR_FD) = 0 [pid 5305] close(4) = 0 [pid 5305] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5304] <... futex resumed>) = 0 [pid 5305] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5304] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5305] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5304] <... futex resumed>) = 0 [pid 5305] open(".", O_RDONLY [pid 5304] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5305] <... open resumed>) = 4 [pid 5305] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5305] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5304] <... futex resumed>) = 0 [pid 5304] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5305] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [ 132.633382][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 132.641472][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 132.646884][ T5305] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 132.675308][ T5305] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 132.685830][ T1215] ieee802154 phy0 wpan0: encryption failed: -22 [ 132.692153][ T1215] ieee802154 phy1 wpan1: encryption failed: -22 [ 132.695834][ T5305] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 132.695834][ T5305] inode = 12 2341 [ 132.695834][ T5305] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [pid 5305] getdents64(4, [pid 5304] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5304] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5304] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5304] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5307], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5307 [pid 5304] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5304] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5307 attached [pid 5307] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5307] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5307] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5304] <... futex resumed>) = 0 [ 132.717170][ T5305] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 132.727187][ T5305] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5305 [syz-executor171] iterate_dir+0x228/0x570 [ 132.737727][ T5305] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 132.746665][ T5305] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 132.754307][ T5305] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 132.763587][ T5305] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 132.772250][ T5305] gfs2: fsid=syz:syz.0: File system withdrawn [ 132.778887][ T5305] CPU: 0 PID: 5305 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 132.788991][ T5305] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 132.799073][ T5305] Call Trace: [ 132.802367][ T5305] [ 132.805300][ T5305] dump_stack_lvl+0x1e7/0x2d0 [ 132.810006][ T5305] ? nf_tcp_handle_invalid+0x650/0x650 [ 132.815482][ T5305] ? panic+0x770/0x770 [ 132.819557][ T5305] ? kobject_uevent_env+0x54e/0x8e0 [ 132.824771][ T5305] gfs2_withdraw+0xf48/0x1550 [ 132.829489][ T5305] ? gfs2_lm+0x240/0x240 [ 132.833789][ T5305] ? gfs2_dirent_scan+0xb2/0x640 [ 132.838768][ T5305] ? panic+0x770/0x770 [ 132.842860][ T5305] ? gfs2_consist_inode_i+0xf5/0x110 [ 132.848186][ T5305] gfs2_dirent_scan+0x512/0x640 [ 132.853073][ T5305] ? gfs2_dirent_scan+0x640/0x640 [ 132.858107][ T5305] gfs2_dir_read+0x82f/0x1af0 [ 132.862812][ T5305] ? inode_dio_wait+0x2ad/0x340 [ 132.867699][ T5305] ? inode_owner_or_capable+0x1c0/0x1c0 [pid 5307] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5304] exit_group(0 [pid 5307] <... futex resumed>) = ? [pid 5304] <... exit_group resumed>) = ? [pid 5307] +++ exited with 0 +++ [ 132.873273][ T5305] ? gfs2_dir_hash_inval+0x80/0x80 [ 132.878403][ T5305] ? _raw_spin_unlock+0x28/0x40 [ 132.883299][ T5305] ? gfs2_glock_nq+0xcbf/0x16c0 [ 132.888189][ T5305] ? inode_go_held+0xea/0x200 [ 132.892899][ T5305] ? gfs2_glock_wait+0x21a/0x2b0 [ 132.897897][ T5305] gfs2_readdir+0x14e/0x1b0 [ 132.902441][ T5305] ? __fdget_pos+0x254/0x2f0 [ 132.907073][ T5305] ? gfs2_fallocate+0x490/0x490 [ 132.911969][ T5305] ? iterate_dir+0x228/0x570 [ 132.916578][ T5305] ? __down_read_common+0x184/0x2c0 [ 132.921790][ T5305] ? iterate_dir+0x10e/0x570 [ 132.926502][ T5305] iterate_dir+0x228/0x570 [ 132.930938][ T5305] ? gfs2_fallocate+0x490/0x490 [ 132.935809][ T5305] __se_sys_getdents64+0x20d/0x4f0 [ 132.940949][ T5305] ? _raw_spin_unlock_irq+0x2e/0x50 [ 132.946165][ T5305] ? __x64_sys_getdents64+0x80/0x80 [ 132.951387][ T5305] ? filldir+0x740/0x740 [ 132.955685][ T5305] ? syscall_enter_from_user_mode+0x32/0x230 [ 132.961715][ T5305] ? syscall_enter_from_user_mode+0x8c/0x230 [ 132.967718][ T5305] do_syscall_64+0x41/0xc0 [ 132.972157][ T5305] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 132.978076][ T5305] RIP: 0033:0x7f281a11eab9 [ 132.982533][ T5305] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 133.002199][ T5305] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 133.010686][ T5305] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 133.018738][ T5305] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [pid 5305] <... getdents64 resumed> ) = ? [pid 5305] +++ exited with 0 +++ [pid 5304] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5304, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=33 /* 0.33 s */} --- umount2("./75", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./75", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./75/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./75/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./75/binderfs") = 0 [ 133.026738][ T5305] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 133.035177][ T5305] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 133.043172][ T5305] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 133.051157][ T5305] umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./75/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./75/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./75/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./75/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./75") = 0 mkdir("./76", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5308 ./strace-static-x86_64: Process 5308 attached [pid 5308] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5308] chdir("./76") = 0 [pid 5308] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5308] setpgid(0, 0) = 0 [pid 5308] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5308] write(3, "1000", 4) = 4 [pid 5308] close(3) = 0 [pid 5308] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5308] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5308] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5308] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5308] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5309], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5309 ./strace-static-x86_64: Process 5309 attached [pid 5309] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5309] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5308] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5309] <... futex resumed>) = 0 [pid 5308] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5309] memfd_create("syzkaller", 0) = 3 [pid 5309] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5309] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5309] munmap(0x7f2811caa000, 16777216) = 0 [pid 5309] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5309] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5309] close(3) = 0 [pid 5309] mkdir("./file0", 0777) = 0 [ 133.419064][ T5309] loop0: detected capacity change from 0 to 32768 [ 133.431874][ T5309] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 133.440177][ T5309] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 133.450252][ T5309] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 133.458875][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 133.465729][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5309] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5309] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5309] chdir("./file0") = 0 [pid 5309] ioctl(4, LOOP_CLR_FD) = 0 [pid 5309] close(4) = 0 [pid 5309] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5309] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5308] <... futex resumed>) = 0 [pid 5308] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5308] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5309] <... futex resumed>) = 0 [pid 5309] open(".", O_RDONLY) = 4 [pid 5309] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5308] <... futex resumed>) = 0 [pid 5308] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5308] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 133.501795][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 133.509362][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 133.514753][ T5309] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 133.540632][ T5309] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5309] getdents64(4, [pid 5308] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5308] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5308] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5308] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5308] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5311], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5311 [pid 5308] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5308] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5311 attached [pid 5311] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 133.561355][ T5309] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 133.561355][ T5309] inode = 12 2341 [ 133.561355][ T5309] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 133.580255][ T5309] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 133.589562][ T5309] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5309 [syz-executor171] iterate_dir+0x228/0x570 [ 133.599609][ T5309] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 133.601456][ T5311] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 133.608082][ T5309] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 133.608100][ T5309] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 133.608116][ T5309] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 133.609107][ T5309] gfs2: fsid=syz:syz.0: File system withdrawn [ 133.618326][ T5311] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [pid 5311] open("./file0", O_RDONLY [pid 5308] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 133.624140][ T5309] CPU: 1 PID: 5309 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 133.633044][ T5311] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5309 [syz-executor171] iterate_dir+0x228/0x570 [ 133.639014][ T5309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 133.639028][ T5309] Call Trace: [ 133.639035][ T5309] [ 133.639042][ T5309] dump_stack_lvl+0x1e7/0x2d0 [ 133.645864][ T5311] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5311 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 133.654102][ T5309] ? nf_tcp_handle_invalid+0x650/0x650 [ 133.654140][ T5309] ? panic+0x770/0x770 [ 133.654165][ T5309] ? kobject_uevent_env+0x54e/0x8e0 [ 133.665858][ T5311] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 133.674094][ T5309] gfs2_withdraw+0xf48/0x1550 [ 133.674149][ T5309] ? gfs2_lm+0x240/0x240 [ 133.674178][ T5309] ? gfs2_dirent_scan+0xb2/0x640 [ 133.742515][ T5309] ? panic+0x770/0x770 [ 133.746615][ T5309] ? gfs2_consist_inode_i+0xf5/0x110 [ 133.751928][ T5309] gfs2_dirent_scan+0x512/0x640 [ 133.756782][ T5309] ? gfs2_dirent_scan+0x640/0x640 [ 133.761831][ T5309] gfs2_dir_read+0x82f/0x1af0 [ 133.766529][ T5309] ? inode_dio_wait+0x2ad/0x340 [ 133.771386][ T5309] ? inode_owner_or_capable+0x1c0/0x1c0 [ 133.776939][ T5309] ? gfs2_dir_hash_inval+0x80/0x80 [ 133.782062][ T5309] ? _raw_spin_unlock+0x28/0x40 [ 133.786945][ T5309] ? gfs2_glock_nq+0xcbf/0x16c0 [ 133.791815][ T5309] ? inode_go_held+0xea/0x200 [ 133.796521][ T5309] ? gfs2_glock_wait+0x21a/0x2b0 [ 133.801499][ T5309] gfs2_readdir+0x14e/0x1b0 [ 133.806013][ T5309] ? __fdget_pos+0x254/0x2f0 [pid 5308] exit_group(0) = ? [ 133.810623][ T5309] ? gfs2_fallocate+0x490/0x490 [ 133.815505][ T5309] ? iterate_dir+0x228/0x570 [ 133.820122][ T5309] ? __down_read_common+0x184/0x2c0 [ 133.825321][ T5309] ? iterate_dir+0x10e/0x570 [ 133.829919][ T5309] iterate_dir+0x228/0x570 [ 133.834440][ T5309] ? gfs2_fallocate+0x490/0x490 [ 133.839335][ T5309] __se_sys_getdents64+0x20d/0x4f0 [ 133.844463][ T5309] ? _raw_spin_unlock_irq+0x2e/0x50 [ 133.849688][ T5309] ? __x64_sys_getdents64+0x80/0x80 [ 133.854896][ T5309] ? filldir+0x740/0x740 [ 133.859170][ T5309] ? syscall_enter_from_user_mode+0x32/0x230 [ 133.865172][ T5309] ? syscall_enter_from_user_mode+0x8c/0x230 [ 133.871292][ T5309] do_syscall_64+0x41/0xc0 [ 133.875737][ T5309] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 133.881658][ T5309] RIP: 0033:0x7f281a11eab9 [ 133.886077][ T5309] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5311] <... open resumed>) = ? [pid 5309] <... getdents64 resumed> ) = ? [pid 5311] +++ exited with 0 +++ [pid 5309] +++ exited with 0 +++ [pid 5308] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5308, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=39 /* 0.39 s */} --- umount2("./76", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./76", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./76/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./76/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./76/binderfs") = 0 [ 133.905731][ T5309] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 133.914200][ T5309] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 133.922195][ T5309] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 133.930178][ T5309] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 133.938174][ T5309] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 133.946168][ T5309] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 133.954211][ T5309] umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./76/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./76/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./76/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./76/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./76") = 0 mkdir("./77", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5312 ./strace-static-x86_64: Process 5312 attached [pid 5312] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5312] chdir("./77") = 0 [pid 5312] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5312] setpgid(0, 0) = 0 [pid 5312] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5312] write(3, "1000", 4) = 4 [pid 5312] close(3) = 0 [pid 5312] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5312] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5312] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5312] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5312] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5313 attached , parent_tid=[5313], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5313 [pid 5312] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5312] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5313] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5313] memfd_create("syzkaller", 0) = 3 [pid 5313] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5313] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5313] munmap(0x7f2811caa000, 16777216) = 0 [pid 5313] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5313] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5313] close(3) = 0 [pid 5313] mkdir("./file0", 0777) = 0 [ 134.313156][ T5313] loop0: detected capacity change from 0 to 32768 [ 134.324049][ T5313] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 134.332436][ T5313] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 134.341506][ T5313] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 134.350015][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 134.356867][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5313] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5313] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5313] chdir("./file0") = 0 [pid 5313] ioctl(4, LOOP_CLR_FD) = 0 [pid 5313] close(4) = 0 [pid 5313] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5312] <... futex resumed>) = 0 [pid 5312] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5312] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5313] <... futex resumed>) = 1 [pid 5313] open(".", O_RDONLY) = 4 [pid 5313] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5312] <... futex resumed>) = 0 [pid 5312] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5312] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5313] <... futex resumed>) = 1 [ 134.396021][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 134.403947][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 134.409201][ T5313] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 134.434112][ T5313] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5313] getdents64(4, [pid 5312] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5312] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5312] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5312] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5312] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5315], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5315 [pid 5312] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5312] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5315 attached [pid 5315] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 134.443377][ T5313] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 134.443377][ T5313] inode = 12 2341 [ 134.443377][ T5313] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 134.462627][ T5313] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 134.472244][ T5313] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5313 [syz-executor171] iterate_dir+0x228/0x570 [ 134.482495][ T5313] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 134.490795][ T5315] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 134.491410][ T5313] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 134.499831][ T5315] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 134.506821][ T5313] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 134.515813][ T5315] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5313 [syz-executor171] iterate_dir+0x228/0x570 [ 134.534871][ T5313] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [pid 5315] open("./file0", O_RDONLY [pid 5312] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 134.535016][ T5315] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5315 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 134.552200][ T5315] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 134.553651][ T5313] gfs2: fsid=syz:syz.0: File system withdrawn [ 134.566830][ T5313] CPU: 1 PID: 5313 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 134.576914][ T5313] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 134.586978][ T5313] Call Trace: [ 134.590276][ T5313] [ 134.593229][ T5313] dump_stack_lvl+0x1e7/0x2d0 [ 134.597954][ T5313] ? nf_tcp_handle_invalid+0x650/0x650 [ 134.603456][ T5313] ? panic+0x770/0x770 [ 134.607543][ T5313] ? kobject_uevent_env+0x54e/0x8e0 [ 134.612870][ T5313] gfs2_withdraw+0xf48/0x1550 [ 134.617587][ T5313] ? gfs2_lm+0x240/0x240 [ 134.621848][ T5313] ? gfs2_dirent_scan+0xb2/0x640 [ 134.626834][ T5313] ? panic+0x770/0x770 [ 134.630947][ T5313] ? gfs2_consist_inode_i+0xf5/0x110 [ 134.636606][ T5313] gfs2_dirent_scan+0x512/0x640 [ 134.641471][ T5313] ? gfs2_dirent_scan+0x640/0x640 [ 134.646528][ T5313] gfs2_dir_read+0x82f/0x1af0 [ 134.651235][ T5313] ? inode_dio_wait+0x2ad/0x340 [ 134.656128][ T5313] ? inode_owner_or_capable+0x1c0/0x1c0 [ 134.661699][ T5313] ? gfs2_dir_hash_inval+0x80/0x80 [ 134.666931][ T5313] ? _raw_spin_unlock+0x28/0x40 [ 134.671827][ T5313] ? gfs2_glock_nq+0xcbf/0x16c0 [ 134.676702][ T5313] ? inode_go_held+0xea/0x200 [ 134.681392][ T5313] ? gfs2_glock_wait+0x21a/0x2b0 [ 134.686345][ T5313] gfs2_readdir+0x14e/0x1b0 [ 134.690863][ T5313] ? __fdget_pos+0x254/0x2f0 [ 134.695470][ T5313] ? gfs2_fallocate+0x490/0x490 [ 134.700336][ T5313] ? iterate_dir+0x228/0x570 [ 134.705022][ T5313] ? __down_read_common+0x184/0x2c0 [ 134.710246][ T5313] ? iterate_dir+0x10e/0x570 [ 134.714857][ T5313] iterate_dir+0x228/0x570 [ 134.719293][ T5313] ? gfs2_fallocate+0x490/0x490 [ 134.724161][ T5313] __se_sys_getdents64+0x20d/0x4f0 [ 134.729290][ T5313] ? _raw_spin_unlock_irq+0x2e/0x50 [ 134.734508][ T5313] ? __x64_sys_getdents64+0x80/0x80 [ 134.739718][ T5313] ? filldir+0x740/0x740 [ 134.743969][ T5313] ? syscall_enter_from_user_mode+0x32/0x230 [ 134.749965][ T5313] ? syscall_enter_from_user_mode+0x8c/0x230 [ 134.755948][ T5313] do_syscall_64+0x41/0xc0 [ 134.760373][ T5313] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 134.766281][ T5313] RIP: 0033:0x7f281a11eab9 [ 134.770699][ T5313] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5313] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5315] <... open resumed>) = -1 EIO (Input/output error) [pid 5313] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5313] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5315] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5315] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5312] exit_group(0 [pid 5313] <... futex resumed>) = ? [pid 5313] +++ exited with 0 +++ [pid 5312] <... exit_group resumed>) = ? [pid 5315] <... futex resumed>) = ? [pid 5315] +++ exited with 0 +++ [pid 5312] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5312, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=41 /* 0.41 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./77", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./77", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./77/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./77/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./77/binderfs") = 0 [ 134.790321][ T5313] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 134.798757][ T5313] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 134.806731][ T5313] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 134.814725][ T5313] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 134.822700][ T5313] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 134.830674][ T5313] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 134.838667][ T5313] umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./77/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./77/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./77/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./77/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./77") = 0 mkdir("./78", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5316 ./strace-static-x86_64: Process 5316 attached [pid 5316] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5316] chdir("./78") = 0 [pid 5316] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5316] setpgid(0, 0) = 0 [pid 5316] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5316] write(3, "1000", 4) = 4 [pid 5316] close(3) = 0 [pid 5316] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5316] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5316] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5316] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5316] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5317], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5317 ./strace-static-x86_64: Process 5317 attached [pid 5316] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5316] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5317] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5317] memfd_create("syzkaller", 0) = 3 [pid 5317] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5317] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5317] munmap(0x7f2811caa000, 16777216) = 0 [pid 5317] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5317] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5317] close(3) = 0 [pid 5317] mkdir("./file0", 0777) = 0 [ 135.189784][ T5317] loop0: detected capacity change from 0 to 32768 [ 135.201084][ T5317] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 135.210111][ T5317] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 135.219895][ T5317] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 135.228479][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 135.235971][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5317] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5317] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5317] chdir("./file0") = 0 [pid 5317] ioctl(4, LOOP_CLR_FD) = 0 [pid 5317] close(4) = 0 [pid 5317] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5317] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5316] <... futex resumed>) = 0 [pid 5316] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5316] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5317] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5317] open(".", O_RDONLY) = 4 [pid 5317] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5316] <... futex resumed>) = 0 [pid 5316] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5316] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 135.276051][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 135.285046][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 135.290340][ T5317] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 135.323194][ T5317] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 135.331755][ T5317] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 135.331755][ T5317] inode = 12 2341 [ 135.331755][ T5317] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 135.351072][ T5317] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 135.360274][ T5317] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5317 [syz-executor171] iterate_dir+0x228/0x570 [pid 5317] getdents64(4, [pid 5316] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5316] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5316] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5316] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5316] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5319], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5319 [pid 5316] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5316] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5319 attached [pid 5319] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5319] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5319] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5316] <... futex resumed>) = 0 [pid 5319] <... futex resumed>) = 1 [ 135.370483][ T5317] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 135.379170][ T5317] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 135.386646][ T5317] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 135.395668][ T5317] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 135.402225][ T5317] gfs2: fsid=syz:syz.0: File system withdrawn [ 135.408838][ T5317] CPU: 1 PID: 5317 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 135.418951][ T5317] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 135.429018][ T5317] Call Trace: [ 135.432290][ T5317] [ 135.435228][ T5317] dump_stack_lvl+0x1e7/0x2d0 [ 135.439946][ T5317] ? nf_tcp_handle_invalid+0x650/0x650 [ 135.445443][ T5317] ? panic+0x770/0x770 [ 135.449523][ T5317] ? kobject_uevent_env+0x54e/0x8e0 [ 135.454734][ T5317] gfs2_withdraw+0xf48/0x1550 [ 135.459430][ T5317] ? gfs2_lm+0x240/0x240 [ 135.463690][ T5317] ? gfs2_dirent_scan+0xb2/0x640 [ 135.468645][ T5317] ? panic+0x770/0x770 [pid 5319] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5316] exit_group(0 [pid 5319] <... futex resumed>) = ? [pid 5316] <... exit_group resumed>) = ? [pid 5319] +++ exited with 0 +++ [ 135.472753][ T5317] ? gfs2_consist_inode_i+0xf5/0x110 [ 135.478164][ T5317] gfs2_dirent_scan+0x512/0x640 [ 135.483046][ T5317] ? gfs2_dirent_scan+0x640/0x640 [ 135.488089][ T5317] gfs2_dir_read+0x82f/0x1af0 [ 135.492815][ T5317] ? inode_dio_wait+0x2ad/0x340 [ 135.497695][ T5317] ? inode_owner_or_capable+0x1c0/0x1c0 [ 135.503267][ T5317] ? gfs2_dir_hash_inval+0x80/0x80 [ 135.508383][ T5317] ? _raw_spin_unlock+0x28/0x40 [ 135.513248][ T5317] ? gfs2_glock_nq+0xcbf/0x16c0 [ 135.518140][ T5317] ? inode_go_held+0xea/0x200 [ 135.522855][ T5317] ? gfs2_glock_wait+0x21a/0x2b0 [ 135.527825][ T5317] gfs2_readdir+0x14e/0x1b0 [ 135.532355][ T5317] ? __fdget_pos+0x254/0x2f0 [ 135.536963][ T5317] ? gfs2_fallocate+0x490/0x490 [ 135.541836][ T5317] ? iterate_dir+0x228/0x570 [ 135.546452][ T5317] ? __down_read_common+0x184/0x2c0 [ 135.551666][ T5317] ? iterate_dir+0x10e/0x570 [ 135.556301][ T5317] iterate_dir+0x228/0x570 [ 135.560758][ T5317] ? gfs2_fallocate+0x490/0x490 [ 135.565637][ T5317] __se_sys_getdents64+0x20d/0x4f0 [ 135.570773][ T5317] ? _raw_spin_unlock_irq+0x2e/0x50 [ 135.575976][ T5317] ? __x64_sys_getdents64+0x80/0x80 [ 135.581177][ T5317] ? filldir+0x740/0x740 [ 135.585428][ T5317] ? syscall_enter_from_user_mode+0x32/0x230 [ 135.591411][ T5317] ? syscall_enter_from_user_mode+0x8c/0x230 [ 135.597397][ T5317] do_syscall_64+0x41/0xc0 [ 135.601856][ T5317] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 135.607775][ T5317] RIP: 0033:0x7f281a11eab9 [ 135.612192][ T5317] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 135.631799][ T5317] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 135.640212][ T5317] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 135.648190][ T5317] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 135.656178][ T5317] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 135.664173][ T5317] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5317] <... getdents64 resumed> ) = ? [pid 5317] +++ exited with 0 +++ [pid 5316] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5316, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./78", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./78", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./78/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./78/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./78/binderfs") = 0 [ 135.672149][ T5317] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 135.680131][ T5317] umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./78/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./78/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./78/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./78/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./78") = 0 mkdir("./79", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5320 ./strace-static-x86_64: Process 5320 attached [pid 5320] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5320] chdir("./79") = 0 [pid 5320] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5320] setpgid(0, 0) = 0 [pid 5320] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5320] write(3, "1000", 4) = 4 [pid 5320] close(3) = 0 [pid 5320] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5320] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5320] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5320] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5320] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5321], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5321 ./strace-static-x86_64: Process 5321 attached [pid 5320] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5320] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5321] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5321] memfd_create("syzkaller", 0) = 3 [pid 5321] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5321] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5321] munmap(0x7f2811caa000, 16777216) = 0 [pid 5321] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5321] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5321] close(3) = 0 [pid 5321] mkdir("./file0", 0777) = 0 [ 136.066384][ T5321] loop0: detected capacity change from 0 to 32768 [ 136.077966][ T5321] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 136.087912][ T5321] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 136.097317][ T5321] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 136.106062][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 136.112844][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5321] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5321] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5321] chdir("./file0") = 0 [pid 5321] ioctl(4, LOOP_CLR_FD) = 0 [pid 5321] close(4) = 0 [pid 5321] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5320] <... futex resumed>) = 0 [pid 5321] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5320] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5321] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5320] <... futex resumed>) = 0 [pid 5321] open(".", O_RDONLY [pid 5320] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5321] <... open resumed>) = 4 [pid 5321] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5320] <... futex resumed>) = 0 [ 136.154724][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 136.163869][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 136.169130][ T5321] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5321] getdents64(4, [pid 5320] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 136.201660][ T5321] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 136.210151][ T5321] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 136.210151][ T5321] inode = 12 2341 [ 136.210151][ T5321] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 136.229973][ T5321] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 136.239560][ T5321] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5321 [syz-executor171] iterate_dir+0x228/0x570 [pid 5320] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5320] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5320] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5320] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5320] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5323 attached , parent_tid=[5323], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5323 [pid 5320] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5320] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5323] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5323] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5323] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5320] <... futex resumed>) = 0 [pid 5323] <... futex resumed>) = 1 [ 136.250083][ T5321] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 136.261549][ T5321] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 136.268852][ T5321] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 136.277661][ T5321] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 136.284367][ T5321] gfs2: fsid=syz:syz.0: File system withdrawn [ 136.290479][ T5321] CPU: 1 PID: 5321 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 136.300556][ T5321] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 136.310618][ T5321] Call Trace: [ 136.313921][ T5321] [ 136.316887][ T5321] dump_stack_lvl+0x1e7/0x2d0 [ 136.321577][ T5321] ? nf_tcp_handle_invalid+0x650/0x650 [ 136.327045][ T5321] ? panic+0x770/0x770 [ 136.331122][ T5321] ? kobject_uevent_env+0x54e/0x8e0 [ 136.336377][ T5321] gfs2_withdraw+0xf48/0x1550 [ 136.341112][ T5321] ? gfs2_lm+0x240/0x240 [ 136.345395][ T5321] ? gfs2_dirent_scan+0xb2/0x640 [ 136.350361][ T5321] ? panic+0x770/0x770 [ 136.354469][ T5321] ? gfs2_consist_inode_i+0xf5/0x110 [ 136.359768][ T5321] gfs2_dirent_scan+0x512/0x640 [ 136.364629][ T5321] ? gfs2_dirent_scan+0x640/0x640 [ 136.369682][ T5321] gfs2_dir_read+0x82f/0x1af0 [ 136.374374][ T5321] ? inode_dio_wait+0x2ad/0x340 [ 136.379267][ T5321] ? inode_owner_or_capable+0x1c0/0x1c0 [ 136.384842][ T5321] ? gfs2_dir_hash_inval+0x80/0x80 [ 136.389960][ T5321] ? _raw_spin_unlock+0x28/0x40 [ 136.394833][ T5321] ? gfs2_glock_nq+0xcbf/0x16c0 [ 136.399727][ T5321] ? inode_go_held+0xea/0x200 [ 136.404413][ T5321] ? gfs2_glock_wait+0x21a/0x2b0 [ 136.409356][ T5321] gfs2_readdir+0x14e/0x1b0 [ 136.413864][ T5321] ? __fdget_pos+0x254/0x2f0 [ 136.418460][ T5321] ? gfs2_fallocate+0x490/0x490 [ 136.423328][ T5321] ? iterate_dir+0x228/0x570 [ 136.427932][ T5321] ? __down_read_common+0x184/0x2c0 [ 136.433141][ T5321] ? iterate_dir+0x10e/0x570 [ 136.437745][ T5321] iterate_dir+0x228/0x570 [ 136.442174][ T5321] ? gfs2_fallocate+0x490/0x490 [ 136.447034][ T5321] __se_sys_getdents64+0x20d/0x4f0 [ 136.452149][ T5321] ? _raw_spin_unlock_irq+0x2e/0x50 [ 136.457356][ T5321] ? __x64_sys_getdents64+0x80/0x80 [ 136.462560][ T5321] ? filldir+0x740/0x740 [ 136.466812][ T5321] ? syscall_enter_from_user_mode+0x32/0x230 [ 136.472805][ T5321] ? syscall_enter_from_user_mode+0x8c/0x230 [ 136.478793][ T5321] do_syscall_64+0x41/0xc0 [ 136.483232][ T5321] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 136.489142][ T5321] RIP: 0033:0x7f281a11eab9 [ 136.493560][ T5321] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 136.513164][ T5321] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 136.521667][ T5321] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 136.529646][ T5321] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 136.537630][ T5321] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5323] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5321] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5321] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5321] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5320] exit_group(0 [pid 5321] <... futex resumed>) = ? [pid 5320] <... exit_group resumed>) = ? [pid 5321] +++ exited with 0 +++ [pid 5323] <... futex resumed>) = ? [pid 5323] +++ exited with 0 +++ [pid 5320] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5320, si_uid=0, si_status=0, si_utime=0, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./79", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./79", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./79/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./79/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./79/binderfs") = 0 [ 136.545610][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 136.553582][ T5321] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 136.561660][ T5321] umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./79/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./79/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./79/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./79/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./79") = 0 mkdir("./80", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5324 attached , child_tidptr=0x5555571fa5d0) = 5324 [pid 5324] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5324] chdir("./80") = 0 [pid 5324] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5324] setpgid(0, 0) = 0 [pid 5324] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5324] write(3, "1000", 4) = 4 [pid 5324] close(3) = 0 [pid 5324] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5324] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5324] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5324] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5324] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5325 attached [pid 5325] set_robust_list(0x7f281a0ca9e0, 24 [pid 5324] <... clone resumed>, parent_tid=[5325], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5325 [pid 5325] <... set_robust_list resumed>) = 0 [pid 5325] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5324] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5325] <... futex resumed>) = 0 [pid 5324] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5325] memfd_create("syzkaller", 0) = 3 [pid 5325] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5325] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5325] munmap(0x7f2811caa000, 16777216) = 0 [pid 5325] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5325] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5325] close(3) = 0 [pid 5325] mkdir("./file0", 0777) = 0 [ 136.930645][ T5325] loop0: detected capacity change from 0 to 32768 [ 136.941948][ T5325] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 136.950264][ T5325] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 136.960552][ T5325] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 136.969199][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 136.976108][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5325] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5325] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5325] chdir("./file0") = 0 [pid 5325] ioctl(4, LOOP_CLR_FD) = 0 [pid 5325] close(4) = 0 [pid 5325] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5324] <... futex resumed>) = 0 [pid 5325] open(".", O_RDONLY [pid 5324] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5325] <... open resumed>) = 4 [pid 5324] <... futex resumed>) = 0 [pid 5325] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5324] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5325] <... futex resumed>) = 0 [pid 5324] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5325] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL) = -1 EAGAIN (Resource temporarily unavailable) [pid 5324] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5325] getdents64(4, [pid 5324] <... futex resumed>) = 0 [ 137.011203][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 137.020133][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 137.025531][ T5325] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 137.042318][ T5325] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 137.050861][ T5325] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 137.050861][ T5325] inode = 12 2341 [ 137.050861][ T5325] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 137.069881][ T5325] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 137.079267][ T5325] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5325 [syz-executor171] iterate_dir+0x228/0x570 [ 137.089836][ T5325] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 137.098846][ T5325] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5324] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5324] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5324] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5324] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5324] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5327], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5327 [pid 5324] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5324] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5327 attached [pid 5327] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5327] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5327] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5324] <... futex resumed>) = 0 [pid 5327] <... futex resumed>) = 1 [ 137.106340][ T5325] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 137.115563][ T5325] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 137.123657][ T5325] gfs2: fsid=syz:syz.0: File system withdrawn [ 137.129766][ T5325] CPU: 1 PID: 5325 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 137.139887][ T5325] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 137.149992][ T5325] Call Trace: [ 137.153312][ T5325] [ 137.156331][ T5325] dump_stack_lvl+0x1e7/0x2d0 [ 137.161024][ T5325] ? nf_tcp_handle_invalid+0x650/0x650 [ 137.166503][ T5325] ? panic+0x770/0x770 [ 137.170608][ T5325] ? kobject_uevent_env+0x54e/0x8e0 [ 137.175840][ T5325] gfs2_withdraw+0xf48/0x1550 [ 137.180578][ T5325] ? gfs2_lm+0x240/0x240 [ 137.184879][ T5325] ? gfs2_dirent_scan+0xb2/0x640 [ 137.189922][ T5325] ? panic+0x770/0x770 [ 137.194016][ T5325] ? gfs2_consist_inode_i+0xf5/0x110 [ 137.199311][ T5325] gfs2_dirent_scan+0x512/0x640 [ 137.204187][ T5325] ? gfs2_dirent_scan+0x640/0x640 [ 137.209237][ T5325] gfs2_dir_read+0x82f/0x1af0 [ 137.213952][ T5325] ? inode_dio_wait+0x2ad/0x340 [ 137.218844][ T5325] ? inode_owner_or_capable+0x1c0/0x1c0 [ 137.224403][ T5325] ? gfs2_dir_hash_inval+0x80/0x80 [ 137.229538][ T5325] ? _raw_spin_unlock+0x28/0x40 [ 137.234420][ T5325] ? gfs2_glock_nq+0xcbf/0x16c0 [ 137.239300][ T5325] ? inode_go_held+0xea/0x200 [ 137.243990][ T5325] ? gfs2_glock_wait+0x21a/0x2b0 [ 137.248968][ T5325] gfs2_readdir+0x14e/0x1b0 [ 137.253570][ T5325] ? __fdget_pos+0x254/0x2f0 [ 137.258171][ T5325] ? gfs2_fallocate+0x490/0x490 [ 137.263036][ T5325] ? iterate_dir+0x228/0x570 [ 137.267637][ T5325] ? __down_read_common+0x184/0x2c0 [ 137.272843][ T5325] ? iterate_dir+0x10e/0x570 [ 137.277445][ T5325] iterate_dir+0x228/0x570 [ 137.281881][ T5325] ? gfs2_fallocate+0x490/0x490 [ 137.286753][ T5325] __se_sys_getdents64+0x20d/0x4f0 [ 137.291880][ T5325] ? _raw_spin_unlock_irq+0x2e/0x50 [ 137.297097][ T5325] ? __x64_sys_getdents64+0x80/0x80 [ 137.302313][ T5325] ? filldir+0x740/0x740 [ 137.306585][ T5325] ? syscall_enter_from_user_mode+0x32/0x230 [ 137.312606][ T5325] ? syscall_enter_from_user_mode+0x8c/0x230 [ 137.318599][ T5325] do_syscall_64+0x41/0xc0 [ 137.323032][ T5325] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 137.329027][ T5325] RIP: 0033:0x7f281a11eab9 [ 137.333458][ T5325] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 137.353078][ T5325] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5327] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5325] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5325] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5324] exit_group(0 [pid 5327] <... futex resumed>) = ? [pid 5325] <... futex resumed>) = ? [pid 5324] <... exit_group resumed>) = ? [pid 5327] +++ exited with 0 +++ [pid 5325] +++ exited with 0 +++ [pid 5324] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5324, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=31 /* 0.31 s */} --- umount2("./80", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./80", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./80/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./80/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./80/binderfs") = 0 [ 137.361501][ T5325] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 137.369479][ T5325] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 137.377455][ T5325] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 137.385451][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 137.393436][ T5325] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 137.401419][ T5325] umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./80/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./80/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./80/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./80/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./80") = 0 mkdir("./81", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5328 ./strace-static-x86_64: Process 5328 attached [pid 5328] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5328] chdir("./81") = 0 [pid 5328] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5328] setpgid(0, 0) = 0 [pid 5328] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5328] write(3, "1000", 4) = 4 [pid 5328] close(3) = 0 [pid 5328] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5328] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5328] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5328] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5328] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5329], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5329 [pid 5328] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5328] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5329 attached [pid 5329] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5329] memfd_create("syzkaller", 0) = 3 [pid 5329] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5329] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5329] munmap(0x7f2811caa000, 16777216) = 0 [pid 5329] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5329] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5329] close(3) = 0 [pid 5329] mkdir("./file0", 0777) = 0 [ 137.760935][ T5329] loop0: detected capacity change from 0 to 32768 [ 137.771716][ T5329] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 137.780371][ T5329] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 137.790176][ T5329] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 137.798908][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 137.805857][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5329] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5329] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5329] chdir("./file0") = 0 [pid 5329] ioctl(4, LOOP_CLR_FD) = 0 [pid 5329] close(4) = 0 [pid 5329] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5328] <... futex resumed>) = 0 [pid 5328] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5328] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5329] <... futex resumed>) = 1 [pid 5329] open(".", O_RDONLY) = 4 [pid 5329] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5328] <... futex resumed>) = 0 [pid 5328] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5328] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5329] <... futex resumed>) = 1 [ 137.873943][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 68ms [ 137.881615][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 137.886902][ T5329] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 137.903469][ T5329] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5329] getdents64(4, [pid 5328] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5328] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 137.924792][ T5329] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 137.924792][ T5329] inode = 12 2341 [ 137.924792][ T5329] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 137.946851][ T5329] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 137.956510][ T5329] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5329 [syz-executor171] iterate_dir+0x228/0x570 [ 137.967057][ T5329] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5328] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5328] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5328] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5331], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5331 [pid 5328] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5328] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5331 attached [pid 5331] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 137.976308][ T5329] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 137.983824][ T5329] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 137.992920][ T5329] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 137.999659][ T5329] gfs2: fsid=syz:syz.0: File system withdrawn [ 138.007935][ T5329] CPU: 0 PID: 5329 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [pid 5328] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5331] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5331] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 138.018049][ T5329] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 138.028130][ T5329] Call Trace: [ 138.031431][ T5329] [ 138.034637][ T5329] dump_stack_lvl+0x1e7/0x2d0 [ 138.039376][ T5329] ? nf_tcp_handle_invalid+0x650/0x650 [ 138.044894][ T5329] ? panic+0x770/0x770 [ 138.049020][ T5329] ? kobject_uevent_env+0x54e/0x8e0 [ 138.054276][ T5329] gfs2_withdraw+0xf48/0x1550 [ 138.059010][ T5329] ? gfs2_lm+0x240/0x240 [ 138.063281][ T5329] ? gfs2_dirent_scan+0xb2/0x640 [ 138.068251][ T5329] ? panic+0x770/0x770 [ 138.072363][ T5329] ? gfs2_consist_inode_i+0xf5/0x110 [ 138.077694][ T5329] gfs2_dirent_scan+0x512/0x640 [ 138.082669][ T5329] ? gfs2_dirent_scan+0x640/0x640 [ 138.087732][ T5329] gfs2_dir_read+0x82f/0x1af0 [ 138.092475][ T5329] ? inode_dio_wait+0x2ad/0x340 [ 138.097364][ T5329] ? inode_owner_or_capable+0x1c0/0x1c0 [ 138.102948][ T5329] ? gfs2_dir_hash_inval+0x80/0x80 [ 138.108104][ T5329] ? _raw_spin_unlock+0x28/0x40 [ 138.112998][ T5329] ? gfs2_glock_nq+0xcbf/0x16c0 [ 138.117882][ T5329] ? inode_go_held+0xea/0x200 [ 138.122573][ T5329] ? gfs2_glock_wait+0x21a/0x2b0 [ 138.127531][ T5329] gfs2_readdir+0x14e/0x1b0 [ 138.132040][ T5329] ? __fdget_pos+0x254/0x2f0 [ 138.136635][ T5329] ? gfs2_fallocate+0x490/0x490 [ 138.141506][ T5329] ? iterate_dir+0x228/0x570 [ 138.146112][ T5329] ? __down_read_common+0x184/0x2c0 [ 138.151431][ T5329] ? iterate_dir+0x10e/0x570 [ 138.156036][ T5329] iterate_dir+0x228/0x570 [ 138.160473][ T5329] ? gfs2_fallocate+0x490/0x490 [ 138.165345][ T5329] __se_sys_getdents64+0x20d/0x4f0 [ 138.170485][ T5329] ? _raw_spin_unlock_irq+0x2e/0x50 [ 138.175712][ T5329] ? __x64_sys_getdents64+0x80/0x80 [ 138.180937][ T5329] ? filldir+0x740/0x740 [ 138.185193][ T5329] ? syscall_enter_from_user_mode+0x32/0x230 [ 138.191364][ T5329] ? syscall_enter_from_user_mode+0x8c/0x230 [ 138.197458][ T5329] do_syscall_64+0x41/0xc0 [ 138.202085][ T5329] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 138.208002][ T5329] RIP: 0033:0x7f281a11eab9 [ 138.212454][ T5329] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 138.232073][ T5329] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 138.240497][ T5329] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 138.248474][ T5329] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 138.256450][ T5329] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 138.264425][ T5329] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5331] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5329] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5329] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5329] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5328] exit_group(0 [pid 5331] <... futex resumed>) = ? [pid 5329] <... futex resumed>) = ? [pid 5328] <... exit_group resumed>) = ? [pid 5329] +++ exited with 0 +++ [pid 5331] +++ exited with 0 +++ [pid 5328] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5328, si_uid=0, si_status=0, si_utime=0, si_stime=34 /* 0.34 s */} --- umount2("./81", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./81", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./81/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./81/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./81/binderfs") = 0 [ 138.272415][ T5329] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 138.280401][ T5329] umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./81/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./81/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./81/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./81/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./81") = 0 mkdir("./82", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5332 ./strace-static-x86_64: Process 5332 attached [pid 5332] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5332] chdir("./82") = 0 [pid 5332] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5332] setpgid(0, 0) = 0 [pid 5332] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5332] write(3, "1000", 4) = 4 [pid 5332] close(3) = 0 [pid 5332] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5332] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5332] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5332] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5332] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5333], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5333 [pid 5332] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5332] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5333 attached [pid 5333] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5333] memfd_create("syzkaller", 0) = 3 [pid 5333] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5333] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5333] munmap(0x7f2811caa000, 16777216) = 0 [pid 5333] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5333] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5333] close(3) = 0 [pid 5333] mkdir("./file0", 0777) = 0 [ 138.745656][ T5333] loop0: detected capacity change from 0 to 32768 [ 138.756553][ T5333] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 138.765060][ T5333] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 138.774481][ T5333] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 138.782994][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 138.789988][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5333] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5333] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5333] chdir("./file0") = 0 [pid 5333] ioctl(4, LOOP_CLR_FD) = 0 [pid 5333] close(4) = 0 [pid 5333] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5332] <... futex resumed>) = 0 [pid 5332] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5332] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5333] <... futex resumed>) = 1 [pid 5333] open(".", O_RDONLY) = 4 [pid 5333] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5332] <... futex resumed>) = 0 [pid 5333] getdents64(4, [pid 5332] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 138.832774][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 138.840329][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 138.845636][ T5333] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 138.859104][ T5333] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 138.868040][ T5333] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 138.868040][ T5333] inode = 12 2341 [pid 5332] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5332] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5332] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5332] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5332] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5335], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5335 [pid 5332] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5332] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5335 attached [pid 5335] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5335] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5335] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5332] <... futex resumed>) = 0 [pid 5335] <... futex resumed>) = 1 [ 138.868040][ T5333] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 138.887446][ T5333] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 138.897164][ T5333] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5333 [syz-executor171] iterate_dir+0x228/0x570 [ 138.907577][ T5333] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 138.916238][ T5333] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 138.923620][ T5333] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 138.932727][ T5333] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 138.939577][ T5333] gfs2: fsid=syz:syz.0: File system withdrawn [ 138.945763][ T5333] CPU: 1 PID: 5333 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 138.955858][ T5333] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 138.965962][ T5333] Call Trace: [ 138.969255][ T5333] [ 138.972183][ T5333] dump_stack_lvl+0x1e7/0x2d0 [ 138.976874][ T5333] ? nf_tcp_handle_invalid+0x650/0x650 [ 138.982356][ T5333] ? panic+0x770/0x770 [ 138.986471][ T5333] ? kobject_uevent_env+0x54e/0x8e0 [ 138.991691][ T5333] gfs2_withdraw+0xf48/0x1550 [ 138.996405][ T5333] ? gfs2_lm+0x240/0x240 [ 139.000656][ T5333] ? gfs2_dirent_scan+0xb2/0x640 [ 139.005605][ T5333] ? panic+0x770/0x770 [ 139.009695][ T5333] ? gfs2_consist_inode_i+0xf5/0x110 [ 139.015002][ T5333] gfs2_dirent_scan+0x512/0x640 [ 139.019864][ T5333] ? gfs2_dirent_scan+0x640/0x640 [ 139.024895][ T5333] gfs2_dir_read+0x82f/0x1af0 [ 139.029584][ T5333] ? inode_dio_wait+0x2ad/0x340 [ 139.034449][ T5333] ? inode_owner_or_capable+0x1c0/0x1c0 [ 139.040015][ T5333] ? gfs2_dir_hash_inval+0x80/0x80 [ 139.045133][ T5333] ? _raw_spin_unlock+0x28/0x40 [ 139.049987][ T5333] ? gfs2_glock_nq+0xcbf/0x16c0 [ 139.054862][ T5333] ? inode_go_held+0xea/0x200 [ 139.059548][ T5333] ? gfs2_glock_wait+0x21a/0x2b0 [ 139.064502][ T5333] gfs2_readdir+0x14e/0x1b0 [ 139.069029][ T5333] ? __fdget_pos+0x254/0x2f0 [ 139.073620][ T5333] ? gfs2_fallocate+0x490/0x490 [ 139.078488][ T5333] ? iterate_dir+0x228/0x570 [ 139.083097][ T5333] ? __down_read_common+0x184/0x2c0 [ 139.088312][ T5333] ? iterate_dir+0x10e/0x570 [ 139.092920][ T5333] iterate_dir+0x228/0x570 [ 139.097389][ T5333] ? gfs2_fallocate+0x490/0x490 [ 139.102276][ T5333] __se_sys_getdents64+0x20d/0x4f0 [ 139.107503][ T5333] ? _raw_spin_unlock_irq+0x2e/0x50 [ 139.112759][ T5333] ? __x64_sys_getdents64+0x80/0x80 [ 139.118005][ T5333] ? filldir+0x740/0x740 [ 139.122278][ T5333] ? syscall_enter_from_user_mode+0x32/0x230 [ 139.128295][ T5333] ? syscall_enter_from_user_mode+0x8c/0x230 [ 139.134295][ T5333] do_syscall_64+0x41/0xc0 [ 139.138745][ T5333] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 139.144643][ T5333] RIP: 0033:0x7f281a11eab9 [ 139.149082][ T5333] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 139.168718][ T5333] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5335] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5333] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5333] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5333] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5332] exit_group(0 [pid 5335] <... futex resumed>) = ? [pid 5333] <... futex resumed>) = ? [pid 5332] <... exit_group resumed>) = ? [pid 5333] +++ exited with 0 +++ [pid 5335] +++ exited with 0 +++ [pid 5332] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5332, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- umount2("./82", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./82", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./82/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./82/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./82/binderfs") = 0 [ 139.177235][ T5333] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 139.185235][ T5333] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 139.193231][ T5333] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 139.201220][ T5333] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 139.209209][ T5333] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 139.217316][ T5333] umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./82/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./82/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./82/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./82/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./82") = 0 mkdir("./83", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5336 ./strace-static-x86_64: Process 5336 attached [pid 5336] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5336] chdir("./83") = 0 [pid 5336] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5336] setpgid(0, 0) = 0 [pid 5336] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5336] write(3, "1000", 4) = 4 [pid 5336] close(3) = 0 [pid 5336] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5336] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5336] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5336] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5336] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5337 attached [pid 5337] set_robust_list(0x7f281a0ca9e0, 24 [pid 5336] <... clone resumed>, parent_tid=[5337], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5337 [pid 5337] <... set_robust_list resumed>) = 0 [pid 5336] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5336] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5337] memfd_create("syzkaller", 0) = 3 [pid 5337] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5337] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5337] munmap(0x7f2811caa000, 16777216) = 0 [pid 5337] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5337] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5337] close(3) = 0 [pid 5337] mkdir("./file0", 0777) = 0 [ 139.573155][ T5337] loop0: detected capacity change from 0 to 32768 [ 139.585864][ T5337] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 139.594126][ T5337] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 139.602992][ T5337] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 139.612136][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 139.619132][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5337] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5337] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5337] chdir("./file0") = 0 [pid 5337] ioctl(4, LOOP_CLR_FD) = 0 [pid 5337] close(4) = 0 [pid 5337] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5336] <... futex resumed>) = 0 [pid 5337] open(".", O_RDONLY [pid 5336] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5337] <... open resumed>) = 4 [pid 5336] <... futex resumed>) = 0 [pid 5337] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5336] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5337] <... futex resumed>) = 0 [pid 5336] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5337] getdents64(4, [pid 5336] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 139.666231][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 47ms [ 139.675355][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 139.680596][ T5337] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 139.704947][ T5337] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 139.713789][ T5337] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 139.713789][ T5337] inode = 12 2341 [ 139.713789][ T5337] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 139.732644][ T5337] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 139.742487][ T5337] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5337 [syz-executor171] iterate_dir+0x228/0x570 [ 139.752702][ T5337] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5336] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5336] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5336] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5336] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5336] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5339], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5339 [pid 5336] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5336] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5339 attached [pid 5339] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5339] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5339] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5336] <... futex resumed>) = 0 [pid 5339] <... futex resumed>) = 1 [ 139.761380][ T5337] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 139.768898][ T5337] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 139.777965][ T5337] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 139.784783][ T5337] gfs2: fsid=syz:syz.0: File system withdrawn [ 139.790876][ T5337] CPU: 1 PID: 5337 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 139.800959][ T5337] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 139.811040][ T5337] Call Trace: [ 139.814325][ T5337] [ 139.817255][ T5337] dump_stack_lvl+0x1e7/0x2d0 [ 139.821956][ T5337] ? nf_tcp_handle_invalid+0x650/0x650 [ 139.827420][ T5337] ? panic+0x770/0x770 [ 139.831492][ T5337] ? kobject_uevent_env+0x54e/0x8e0 [ 139.836705][ T5337] gfs2_withdraw+0xf48/0x1550 [ 139.841400][ T5337] ? gfs2_lm+0x240/0x240 [ 139.845646][ T5337] ? gfs2_dirent_scan+0xb2/0x640 [ 139.850586][ T5337] ? panic+0x770/0x770 [ 139.854680][ T5337] ? gfs2_consist_inode_i+0xf5/0x110 [ 139.859976][ T5337] gfs2_dirent_scan+0x512/0x640 [ 139.864832][ T5337] ? gfs2_dirent_scan+0x640/0x640 [ 139.869876][ T5337] gfs2_dir_read+0x82f/0x1af0 [ 139.874581][ T5337] ? inode_dio_wait+0x2ad/0x340 [ 139.879440][ T5337] ? inode_owner_or_capable+0x1c0/0x1c0 [ 139.884998][ T5337] ? gfs2_dir_hash_inval+0x80/0x80 [ 139.890113][ T5337] ? _raw_spin_unlock+0x28/0x40 [ 139.894964][ T5337] ? gfs2_glock_nq+0xcbf/0x16c0 [ 139.899828][ T5337] ? inode_go_held+0xea/0x200 [ 139.904502][ T5337] ? gfs2_glock_wait+0x21a/0x2b0 [ 139.909444][ T5337] gfs2_readdir+0x14e/0x1b0 [ 139.913951][ T5337] ? __fdget_pos+0x254/0x2f0 [ 139.918552][ T5337] ? gfs2_fallocate+0x490/0x490 [ 139.923419][ T5337] ? iterate_dir+0x228/0x570 [ 139.928019][ T5337] ? __down_read_common+0x184/0x2c0 [ 139.933314][ T5337] ? iterate_dir+0x10e/0x570 [ 139.937930][ T5337] iterate_dir+0x228/0x570 [ 139.942377][ T5337] ? gfs2_fallocate+0x490/0x490 [ 139.947236][ T5337] __se_sys_getdents64+0x20d/0x4f0 [ 139.952351][ T5337] ? _raw_spin_unlock_irq+0x2e/0x50 [ 139.957556][ T5337] ? __x64_sys_getdents64+0x80/0x80 [ 139.962800][ T5337] ? filldir+0x740/0x740 [ 139.967059][ T5337] ? syscall_enter_from_user_mode+0x32/0x230 [ 139.973043][ T5337] ? syscall_enter_from_user_mode+0x8c/0x230 [ 139.979027][ T5337] do_syscall_64+0x41/0xc0 [ 139.983457][ T5337] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 139.989350][ T5337] RIP: 0033:0x7f281a11eab9 [ 139.993783][ T5337] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5339] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5337] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5337] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5336] exit_group(0 [pid 5339] <... futex resumed>) = ? [pid 5336] <... exit_group resumed>) = ? [pid 5339] +++ exited with 0 +++ [pid 5337] +++ exited with 0 +++ [pid 5336] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5336, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=29 /* 0.29 s */} --- umount2("./83", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./83", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./83/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./83/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./83/binderfs") = 0 [ 140.013474][ T5337] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 140.021933][ T5337] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 140.030081][ T5337] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 140.038059][ T5337] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 140.046039][ T5337] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 140.054027][ T5337] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 140.062140][ T5337] umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./83/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./83/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./83/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./83/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./83") = 0 mkdir("./84", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5340 ./strace-static-x86_64: Process 5340 attached [pid 5340] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5340] chdir("./84") = 0 [pid 5340] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5340] setpgid(0, 0) = 0 [pid 5340] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5340] write(3, "1000", 4) = 4 [pid 5340] close(3) = 0 [pid 5340] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5340] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5340] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5340] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5340] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5341], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5341 [pid 5340] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5340] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5341 attached [pid 5341] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5341] memfd_create("syzkaller", 0) = 3 [pid 5341] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5341] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5341] munmap(0x7f2811caa000, 16777216) = 0 [pid 5341] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5341] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5341] close(3) = 0 [pid 5341] mkdir("./file0", 0777) = 0 [ 140.432150][ T5341] loop0: detected capacity change from 0 to 32768 [ 140.444115][ T5341] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 140.453178][ T5341] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 140.463520][ T5341] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 140.472044][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 140.478935][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5341] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5341] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5341] chdir("./file0") = 0 [pid 5341] ioctl(4, LOOP_CLR_FD) = 0 [pid 5341] close(4) = 0 [pid 5341] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5340] <... futex resumed>) = 0 [pid 5341] open(".", O_RDONLY [pid 5340] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5341] <... open resumed>) = 4 [pid 5340] <... futex resumed>) = 0 [pid 5341] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5340] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5341] <... futex resumed>) = 0 [pid 5340] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5341] getdents64(4, [pid 5340] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 140.519769][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 140.527348][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 140.533130][ T5341] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 140.548563][ T5341] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 140.557558][ T5341] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 140.557558][ T5341] inode = 12 2341 [pid 5340] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5340] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5340] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5340] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5340] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5343], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5343 [pid 5340] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 140.557558][ T5341] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 140.576670][ T5341] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 140.586104][ T5341] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5341 [syz-executor171] iterate_dir+0x228/0x570 [ 140.596103][ T5341] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 140.604684][ T5341] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5340] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5343 attached [pid 5343] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5343] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5343] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5340] <... futex resumed>) = 0 [ 140.611931][ T5341] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 140.621496][ T5341] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 140.628781][ T5341] gfs2: fsid=syz:syz.0: File system withdrawn [ 140.634923][ T5341] CPU: 0 PID: 5341 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 140.645007][ T5341] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 140.655171][ T5341] Call Trace: [ 140.658466][ T5341] [ 140.661415][ T5341] dump_stack_lvl+0x1e7/0x2d0 [ 140.666218][ T5341] ? nf_tcp_handle_invalid+0x650/0x650 [ 140.671688][ T5341] ? panic+0x770/0x770 [ 140.675768][ T5341] ? kobject_uevent_env+0x54e/0x8e0 [ 140.681003][ T5341] gfs2_withdraw+0xf48/0x1550 [ 140.685740][ T5341] ? gfs2_lm+0x240/0x240 [ 140.690024][ T5341] ? gfs2_dirent_scan+0xb2/0x640 [ 140.694978][ T5341] ? panic+0x770/0x770 [ 140.699061][ T5341] ? gfs2_consist_inode_i+0xf5/0x110 [ 140.704360][ T5341] gfs2_dirent_scan+0x512/0x640 [ 140.709241][ T5341] ? gfs2_dirent_scan+0x640/0x640 [ 140.714319][ T5341] gfs2_dir_read+0x82f/0x1af0 [pid 5343] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5340] exit_group(0 [pid 5343] <... futex resumed>) = ? [pid 5340] <... exit_group resumed>) = ? [pid 5343] +++ exited with 0 +++ [ 140.719031][ T5341] ? inode_dio_wait+0x2ad/0x340 [ 140.723891][ T5341] ? inode_owner_or_capable+0x1c0/0x1c0 [ 140.729454][ T5341] ? gfs2_dir_hash_inval+0x80/0x80 [ 140.734583][ T5341] ? _raw_spin_unlock+0x28/0x40 [ 140.739460][ T5341] ? gfs2_glock_nq+0xcbf/0x16c0 [ 140.744415][ T5341] ? inode_go_held+0xea/0x200 [ 140.749107][ T5341] ? gfs2_glock_wait+0x21a/0x2b0 [ 140.754085][ T5341] gfs2_readdir+0x14e/0x1b0 [ 140.758628][ T5341] ? __fdget_pos+0x254/0x2f0 [ 140.763254][ T5341] ? gfs2_fallocate+0x490/0x490 [ 140.768135][ T5341] ? iterate_dir+0x228/0x570 [ 140.772753][ T5341] ? __down_read_common+0x184/0x2c0 [ 140.777999][ T5341] ? iterate_dir+0x10e/0x570 [ 140.782616][ T5341] iterate_dir+0x228/0x570 [ 140.787072][ T5341] ? gfs2_fallocate+0x490/0x490 [ 140.791971][ T5341] __se_sys_getdents64+0x20d/0x4f0 [ 140.797092][ T5341] ? _raw_spin_unlock_irq+0x2e/0x50 [ 140.802309][ T5341] ? __x64_sys_getdents64+0x80/0x80 [ 140.807551][ T5341] ? filldir+0x740/0x740 [ 140.811849][ T5341] ? syscall_enter_from_user_mode+0x32/0x230 [ 140.817863][ T5341] ? syscall_enter_from_user_mode+0x8c/0x230 [ 140.823854][ T5341] do_syscall_64+0x41/0xc0 [ 140.828283][ T5341] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 140.834459][ T5341] RIP: 0033:0x7f281a11eab9 [ 140.838901][ T5341] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 140.858522][ T5341] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5341] <... getdents64 resumed> ) = ? [pid 5341] +++ exited with 0 +++ [pid 5340] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5340, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=32 /* 0.32 s */} --- umount2("./84", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./84", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./84/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./84/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./84/binderfs") = 0 [ 140.866937][ T5341] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 140.874925][ T5341] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 140.882891][ T5341] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 140.890873][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 140.898855][ T5341] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 140.906846][ T5341] umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./84/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./84/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./84/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./84/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./84") = 0 mkdir("./85", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5344 attached , child_tidptr=0x5555571fa5d0) = 5344 [pid 5344] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5344] chdir("./85") = 0 [pid 5344] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5344] setpgid(0, 0) = 0 [pid 5344] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5344] write(3, "1000", 4) = 4 [pid 5344] close(3) = 0 [pid 5344] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5344] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5344] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5344] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5344] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5345 attached , parent_tid=[5345], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5345 [pid 5345] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5345] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5344] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5345] <... futex resumed>) = 0 [pid 5344] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5345] memfd_create("syzkaller", 0) = 3 [pid 5345] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5345] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5345] munmap(0x7f2811caa000, 16777216) = 0 [pid 5345] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5345] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5345] close(3) = 0 [pid 5345] mkdir("./file0", 0777) = 0 [ 141.264748][ T5345] loop0: detected capacity change from 0 to 32768 [ 141.277448][ T5345] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 141.285972][ T5345] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 141.296146][ T5345] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 141.304805][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 141.311945][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5345] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5345] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5345] chdir("./file0") = 0 [pid 5345] ioctl(4, LOOP_CLR_FD) = 0 [pid 5345] close(4) = 0 [pid 5345] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5344] <... futex resumed>) = 0 [pid 5344] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5344] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5345] <... futex resumed>) = 1 [pid 5345] open(".", O_RDONLY) = 4 [pid 5345] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5344] <... futex resumed>) = 0 [pid 5344] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5344] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5345] <... futex resumed>) = 1 [ 141.358891][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 141.367707][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 141.373246][ T5345] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 141.394534][ T5345] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5345] getdents64(4, [pid 5344] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5344] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5344] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5344] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5344] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5344] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5347], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5347 [pid 5344] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5344] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5347 attached [pid 5347] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5347] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5347] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5344] <... futex resumed>) = 0 [pid 5347] <... futex resumed>) = 1 [ 141.403522][ T5345] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 141.403522][ T5345] inode = 12 2341 [ 141.403522][ T5345] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 141.422820][ T5345] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 141.432164][ T5345] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5345 [syz-executor171] iterate_dir+0x228/0x570 [ 141.442352][ T5345] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 141.451076][ T5345] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 141.458786][ T5345] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 141.467767][ T5345] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 141.474859][ T5345] gfs2: fsid=syz:syz.0: File system withdrawn [ 141.481291][ T5345] CPU: 0 PID: 5345 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 141.491380][ T5345] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 141.501448][ T5345] Call Trace: [ 141.504741][ T5345] [ 141.507672][ T5345] dump_stack_lvl+0x1e7/0x2d0 [ 141.512359][ T5345] ? nf_tcp_handle_invalid+0x650/0x650 [ 141.517822][ T5345] ? panic+0x770/0x770 [ 141.521905][ T5345] ? kobject_uevent_env+0x54e/0x8e0 [ 141.527130][ T5345] gfs2_withdraw+0xf48/0x1550 [ 141.531826][ T5345] ? gfs2_lm+0x240/0x240 [ 141.536414][ T5345] ? gfs2_dirent_scan+0xb2/0x640 [ 141.541369][ T5345] ? panic+0x770/0x770 [ 141.545440][ T5345] ? gfs2_consist_inode_i+0xf5/0x110 [ 141.550726][ T5345] gfs2_dirent_scan+0x512/0x640 [ 141.555574][ T5345] ? gfs2_dirent_scan+0x640/0x640 [ 141.560593][ T5345] gfs2_dir_read+0x82f/0x1af0 [ 141.565305][ T5345] ? inode_dio_wait+0x2ad/0x340 [ 141.570166][ T5345] ? inode_owner_or_capable+0x1c0/0x1c0 [ 141.575739][ T5345] ? gfs2_dir_hash_inval+0x80/0x80 [ 141.580850][ T5345] ? _raw_spin_unlock+0x28/0x40 [ 141.585719][ T5345] ? gfs2_glock_nq+0xcbf/0x16c0 [ 141.590599][ T5345] ? inode_go_held+0xea/0x200 [ 141.595279][ T5345] ? gfs2_glock_wait+0x21a/0x2b0 [ 141.600233][ T5345] gfs2_readdir+0x14e/0x1b0 [ 141.604746][ T5345] ? __fdget_pos+0x254/0x2f0 [ 141.609338][ T5345] ? gfs2_fallocate+0x490/0x490 [ 141.614205][ T5345] ? iterate_dir+0x228/0x570 [ 141.618806][ T5345] ? __down_read_common+0x184/0x2c0 [ 141.624013][ T5345] ? iterate_dir+0x10e/0x570 [ 141.628705][ T5345] iterate_dir+0x228/0x570 [ 141.633157][ T5345] ? gfs2_fallocate+0x490/0x490 [ 141.638022][ T5345] __se_sys_getdents64+0x20d/0x4f0 [ 141.643151][ T5345] ? _raw_spin_unlock_irq+0x2e/0x50 [ 141.648371][ T5345] ? __x64_sys_getdents64+0x80/0x80 [ 141.653592][ T5345] ? filldir+0x740/0x740 [ 141.657859][ T5345] ? syscall_enter_from_user_mode+0x32/0x230 [ 141.663852][ T5345] ? syscall_enter_from_user_mode+0x8c/0x230 [ 141.669847][ T5345] do_syscall_64+0x41/0xc0 [ 141.674281][ T5345] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 141.680216][ T5345] RIP: 0033:0x7f281a11eab9 [ 141.684640][ T5345] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5347] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5345] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5345] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5344] exit_group(0 [pid 5347] <... futex resumed>) = ? [pid 5344] <... exit_group resumed>) = ? [pid 5347] +++ exited with 0 +++ [pid 5345] <... futex resumed>) = ? [pid 5345] +++ exited with 0 +++ [pid 5344] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5344, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./85", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./85", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./85/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./85/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./85/binderfs") = 0 [ 141.704338][ T5345] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 141.712756][ T5345] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 141.720736][ T5345] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 141.728728][ T5345] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 141.736737][ T5345] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 141.744718][ T5345] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 141.752703][ T5345] umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./85/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./85/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./85/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./85/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./85") = 0 mkdir("./86", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5348 ./strace-static-x86_64: Process 5348 attached [pid 5348] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5348] chdir("./86") = 0 [pid 5348] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5348] setpgid(0, 0) = 0 [pid 5348] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5348] write(3, "1000", 4) = 4 [pid 5348] close(3) = 0 [pid 5348] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5348] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5348] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5348] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5348] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5349 attached , parent_tid=[5349], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5349 [pid 5349] set_robust_list(0x7f281a0ca9e0, 24 [pid 5348] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5348] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5349] <... set_robust_list resumed>) = 0 [pid 5349] memfd_create("syzkaller", 0) = 3 [pid 5349] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5349] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5349] munmap(0x7f2811caa000, 16777216) = 0 [pid 5349] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5349] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5349] close(3) = 0 [pid 5349] mkdir("./file0", 0777) = 0 [ 142.124900][ T5349] loop0: detected capacity change from 0 to 32768 [ 142.139252][ T5349] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 142.147952][ T5349] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 142.158027][ T5349] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 142.166803][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 142.173706][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5349] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5349] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5349] chdir("./file0") = 0 [pid 5349] ioctl(4, LOOP_CLR_FD) = 0 [pid 5349] close(4) = 0 [pid 5349] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5348] <... futex resumed>) = 0 [pid 5348] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5348] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5349] <... futex resumed>) = 1 [pid 5349] open(".", O_RDONLY) = 4 [pid 5349] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5348] <... futex resumed>) = 0 [pid 5348] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5348] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5349] <... futex resumed>) = 1 [ 142.211997][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 142.220301][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 142.225616][ T5349] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 142.241738][ T5349] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 142.250356][ T5349] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 142.250356][ T5349] inode = 12 2341 [pid 5349] getdents64(4, [pid 5348] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 142.250356][ T5349] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 142.269340][ T5349] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 142.278461][ T5349] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5349 [syz-executor171] iterate_dir+0x228/0x570 [ 142.288490][ T5349] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 142.297157][ T5349] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5348] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5348] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5348] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5348] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5351], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5351 [pid 5348] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5348] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5351 attached [pid 5351] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5351] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5351] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5348] <... futex resumed>) = 0 [ 142.304758][ T5349] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 142.313915][ T5349] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 142.320476][ T5349] gfs2: fsid=syz:syz.0: File system withdrawn [ 142.327221][ T5349] CPU: 0 PID: 5349 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 142.337330][ T5349] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 142.347417][ T5349] Call Trace: [ 142.350741][ T5349] [ 142.353696][ T5349] dump_stack_lvl+0x1e7/0x2d0 [ 142.358435][ T5349] ? nf_tcp_handle_invalid+0x650/0x650 [ 142.363923][ T5349] ? panic+0x770/0x770 [ 142.368026][ T5349] ? kobject_uevent_env+0x54e/0x8e0 [ 142.373280][ T5349] gfs2_withdraw+0xf48/0x1550 [ 142.378016][ T5349] ? gfs2_lm+0x240/0x240 [ 142.382298][ T5349] ? gfs2_dirent_scan+0xb2/0x640 [ 142.387245][ T5349] ? panic+0x770/0x770 [ 142.391337][ T5349] ? gfs2_consist_inode_i+0xf5/0x110 [ 142.396653][ T5349] gfs2_dirent_scan+0x512/0x640 [ 142.401530][ T5349] ? gfs2_dirent_scan+0x640/0x640 [ 142.406570][ T5349] gfs2_dir_read+0x82f/0x1af0 [ 142.411286][ T5349] ? inode_dio_wait+0x2ad/0x340 [ 142.416179][ T5349] ? inode_owner_or_capable+0x1c0/0x1c0 [ 142.421744][ T5349] ? gfs2_dir_hash_inval+0x80/0x80 [ 142.426861][ T5349] ? _raw_spin_unlock+0x28/0x40 [ 142.431720][ T5349] ? gfs2_glock_nq+0xcbf/0x16c0 [ 142.436585][ T5349] ? inode_go_held+0xea/0x200 [ 142.441266][ T5349] ? gfs2_glock_wait+0x21a/0x2b0 [ 142.446211][ T5349] gfs2_readdir+0x14e/0x1b0 [ 142.450717][ T5349] ? __fdget_pos+0x254/0x2f0 [ 142.455307][ T5349] ? gfs2_fallocate+0x490/0x490 [ 142.460165][ T5349] ? iterate_dir+0x228/0x570 [ 142.464758][ T5349] ? __down_read_common+0x184/0x2c0 [ 142.469962][ T5349] ? iterate_dir+0x10e/0x570 [ 142.474572][ T5349] iterate_dir+0x228/0x570 [ 142.479006][ T5349] ? gfs2_fallocate+0x490/0x490 [ 142.483870][ T5349] __se_sys_getdents64+0x20d/0x4f0 [ 142.489002][ T5349] ? _raw_spin_unlock_irq+0x2e/0x50 [ 142.494219][ T5349] ? __x64_sys_getdents64+0x80/0x80 [ 142.499435][ T5349] ? filldir+0x740/0x740 [ 142.503693][ T5349] ? syscall_enter_from_user_mode+0x32/0x230 [ 142.509711][ T5349] ? syscall_enter_from_user_mode+0x8c/0x230 [ 142.515695][ T5349] do_syscall_64+0x41/0xc0 [ 142.520206][ T5349] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 142.526109][ T5349] RIP: 0033:0x7f281a11eab9 [ 142.530552][ T5349] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 142.550179][ T5349] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5351] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5349] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5349] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5349] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5348] exit_group(0 [pid 5351] <... futex resumed>) = ? [pid 5349] <... futex resumed>) = ? [pid 5348] <... exit_group resumed>) = ? [pid 5351] +++ exited with 0 +++ [pid 5349] +++ exited with 0 +++ [pid 5348] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5348, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- umount2("./86", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./86", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./86/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./86/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./86/binderfs") = 0 [ 142.558608][ T5349] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 142.566590][ T5349] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 142.574567][ T5349] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 142.582542][ T5349] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 142.590513][ T5349] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 142.598508][ T5349] umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./86/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./86/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./86/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./86/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./86") = 0 mkdir("./87", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5352 ./strace-static-x86_64: Process 5352 attached [pid 5352] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5352] chdir("./87") = 0 [pid 5352] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5352] setpgid(0, 0) = 0 [pid 5352] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5352] write(3, "1000", 4) = 4 [pid 5352] close(3) = 0 [pid 5352] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5352] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5352] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5352] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5352] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5353 attached [pid 5353] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5353] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5352] <... clone resumed>, parent_tid=[5353], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5353 [pid 5352] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5353] <... futex resumed>) = 0 [pid 5352] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5353] memfd_create("syzkaller", 0) = 3 [pid 5353] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5353] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5353] munmap(0x7f2811caa000, 16777216) = 0 [pid 5353] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5353] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5353] close(3) = 0 [pid 5353] mkdir("./file0", 0777) = 0 [ 142.969001][ T5353] loop0: detected capacity change from 0 to 32768 [ 142.981584][ T5353] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 142.990177][ T5353] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 142.999807][ T5353] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 143.008437][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 143.015280][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5353] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5353] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5353] chdir("./file0") = 0 [pid 5353] ioctl(4, LOOP_CLR_FD) = 0 [pid 5353] close(4) = 0 [pid 5353] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5352] <... futex resumed>) = 0 [pid 5352] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5352] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5353] <... futex resumed>) = 1 [pid 5353] open(".", O_RDONLY) = 4 [pid 5353] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5352] <... futex resumed>) = 0 [pid 5353] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5352] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5353] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5352] <... futex resumed>) = 0 [pid 5353] getdents64(4, [ 143.060108][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 143.069307][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 143.074713][ T5353] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5352] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 143.100800][ T5353] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 143.109599][ T5353] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 143.109599][ T5353] inode = 12 2341 [ 143.109599][ T5353] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 143.128435][ T5353] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 143.137819][ T5353] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5353 [syz-executor171] iterate_dir+0x228/0x570 [pid 5352] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5352] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5352] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5352] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5355], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5355 [pid 5352] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5352] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5355 attached [pid 5355] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5355] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5355] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5352] <... futex resumed>) = 0 [pid 5355] <... futex resumed>) = 1 [ 143.147829][ T5353] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 143.156339][ T5353] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 143.163861][ T5353] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 143.172647][ T5353] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 143.179975][ T5353] gfs2: fsid=syz:syz.0: File system withdrawn [ 143.186450][ T5353] CPU: 0 PID: 5353 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 143.196522][ T5353] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 143.206577][ T5353] Call Trace: [ 143.209857][ T5353] [ 143.212784][ T5353] dump_stack_lvl+0x1e7/0x2d0 [ 143.217468][ T5353] ? nf_tcp_handle_invalid+0x650/0x650 [ 143.222939][ T5353] ? panic+0x770/0x770 [ 143.227014][ T5353] ? kobject_uevent_env+0x54e/0x8e0 [ 143.232245][ T5353] gfs2_withdraw+0xf48/0x1550 [ 143.237009][ T5353] ? gfs2_lm+0x240/0x240 [ 143.241285][ T5353] ? gfs2_dirent_scan+0xb2/0x640 [ 143.246403][ T5353] ? panic+0x770/0x770 [ 143.250479][ T5353] ? gfs2_consist_inode_i+0xf5/0x110 [ 143.255768][ T5353] gfs2_dirent_scan+0x512/0x640 [ 143.260621][ T5353] ? gfs2_dirent_scan+0x640/0x640 [ 143.265650][ T5353] gfs2_dir_read+0x82f/0x1af0 [ 143.270434][ T5353] ? inode_dio_wait+0x2ad/0x340 [ 143.275299][ T5353] ? inode_owner_or_capable+0x1c0/0x1c0 [ 143.280872][ T5353] ? gfs2_dir_hash_inval+0x80/0x80 [ 143.286028][ T5353] ? _raw_spin_unlock+0x28/0x40 [ 143.290991][ T5353] ? gfs2_glock_nq+0xcbf/0x16c0 [ 143.295869][ T5353] ? inode_go_held+0xea/0x200 [ 143.300554][ T5353] ? gfs2_glock_wait+0x21a/0x2b0 [ 143.305509][ T5353] gfs2_readdir+0x14e/0x1b0 [ 143.310095][ T5353] ? __fdget_pos+0x254/0x2f0 [ 143.314707][ T5353] ? gfs2_fallocate+0x490/0x490 [ 143.319593][ T5353] ? iterate_dir+0x228/0x570 [ 143.324204][ T5353] ? __down_read_common+0x184/0x2c0 [ 143.329433][ T5353] ? iterate_dir+0x10e/0x570 [ 143.334059][ T5353] iterate_dir+0x228/0x570 [ 143.338501][ T5353] ? gfs2_fallocate+0x490/0x490 [ 143.343373][ T5353] __se_sys_getdents64+0x20d/0x4f0 [ 143.348503][ T5353] ? _raw_spin_unlock_irq+0x2e/0x50 [ 143.353716][ T5353] ? __x64_sys_getdents64+0x80/0x80 [ 143.358942][ T5353] ? filldir+0x740/0x740 [ 143.363202][ T5353] ? syscall_enter_from_user_mode+0x32/0x230 [ 143.369216][ T5353] ? syscall_enter_from_user_mode+0x8c/0x230 [ 143.375208][ T5353] do_syscall_64+0x41/0xc0 [ 143.379639][ T5353] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 143.385633][ T5353] RIP: 0033:0x7f281a11eab9 [ 143.390076][ T5353] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 143.409731][ T5353] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 143.418157][ T5353] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 143.426153][ T5353] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 143.434142][ T5353] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 143.442139][ T5353] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5355] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5353] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5353] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5353] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5352] exit_group(0 [pid 5355] <... futex resumed>) = ? [pid 5353] <... futex resumed>) = ? [pid 5352] <... exit_group resumed>) = ? [pid 5355] +++ exited with 0 +++ [pid 5353] +++ exited with 0 +++ [pid 5352] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5352, si_uid=0, si_status=0, si_utime=0, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./87", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./87", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./87/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./87/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./87/binderfs") = 0 [ 143.450114][ T5353] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 143.458108][ T5353] umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./87/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./87/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./87/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./87/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./87") = 0 mkdir("./88", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5356 ./strace-static-x86_64: Process 5356 attached [pid 5356] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5356] chdir("./88") = 0 [pid 5356] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5356] setpgid(0, 0) = 0 [pid 5356] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5356] write(3, "1000", 4) = 4 [pid 5356] close(3) = 0 [pid 5356] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5356] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5356] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5356] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5356] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5357 attached [pid 5357] set_robust_list(0x7f281a0ca9e0, 24 [pid 5356] <... clone resumed>, parent_tid=[5357], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5357 [pid 5357] <... set_robust_list resumed>) = 0 [pid 5357] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5356] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5357] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5356] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5357] memfd_create("syzkaller", 0) = 3 [pid 5357] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5357] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5357] munmap(0x7f2811caa000, 16777216) = 0 [pid 5357] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5357] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5357] close(3) = 0 [pid 5357] mkdir("./file0", 0777) = 0 [ 143.845948][ T5357] loop0: detected capacity change from 0 to 32768 [ 143.857221][ T5357] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 143.865436][ T5357] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 143.874567][ T5357] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 143.883010][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 143.889829][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5357] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5357] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5357] chdir("./file0") = 0 [pid 5357] ioctl(4, LOOP_CLR_FD) = 0 [pid 5357] close(4) = 0 [pid 5357] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5356] <... futex resumed>) = 0 [pid 5356] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5356] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5357] <... futex resumed>) = 1 [pid 5357] open(".", O_RDONLY) = 4 [pid 5357] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5356] <... futex resumed>) = 0 [pid 5356] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5356] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5357] <... futex resumed>) = 1 [ 143.929426][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 143.938304][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 143.944000][ T5357] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 143.967162][ T5357] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5357] getdents64(4, [pid 5356] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5356] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5356] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5356] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5356] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5359], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5359 [pid 5356] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5356] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5359 attached [pid 5359] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5359] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5359] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5356] <... futex resumed>) = 0 [pid 5359] <... futex resumed>) = 1 [ 143.976531][ T5357] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 143.976531][ T5357] inode = 12 2341 [ 143.976531][ T5357] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 143.995664][ T5357] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 144.005038][ T5357] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5357 [syz-executor171] iterate_dir+0x228/0x570 [ 144.015674][ T5357] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 144.024517][ T5357] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 144.031757][ T5357] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 144.040868][ T5357] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 144.048021][ T5357] gfs2: fsid=syz:syz.0: File system withdrawn [ 144.054603][ T5357] CPU: 0 PID: 5357 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 144.064803][ T5357] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 144.074858][ T5357] Call Trace: [ 144.078154][ T5357] [ 144.081083][ T5357] dump_stack_lvl+0x1e7/0x2d0 [ 144.085772][ T5357] ? nf_tcp_handle_invalid+0x650/0x650 [ 144.091234][ T5357] ? panic+0x770/0x770 [ 144.095302][ T5357] ? kobject_uevent_env+0x54e/0x8e0 [ 144.100603][ T5357] gfs2_withdraw+0xf48/0x1550 [ 144.105294][ T5357] ? gfs2_lm+0x240/0x240 [ 144.109626][ T5357] ? gfs2_dirent_scan+0xb2/0x640 [ 144.114566][ T5357] ? panic+0x770/0x770 [ 144.118660][ T5357] ? gfs2_consist_inode_i+0xf5/0x110 [ 144.124005][ T5357] gfs2_dirent_scan+0x512/0x640 [ 144.128879][ T5357] ? gfs2_dirent_scan+0x640/0x640 [ 144.133907][ T5357] gfs2_dir_read+0x82f/0x1af0 [ 144.138594][ T5357] ? inode_dio_wait+0x2ad/0x340 [ 144.143453][ T5357] ? inode_owner_or_capable+0x1c0/0x1c0 [ 144.149022][ T5357] ? gfs2_dir_hash_inval+0x80/0x80 [ 144.154229][ T5357] ? _raw_spin_unlock+0x28/0x40 [ 144.159111][ T5357] ? gfs2_glock_nq+0xcbf/0x16c0 [ 144.163989][ T5357] ? inode_go_held+0xea/0x200 [ 144.168670][ T5357] ? gfs2_glock_wait+0x21a/0x2b0 [ 144.173617][ T5357] gfs2_readdir+0x14e/0x1b0 [ 144.178139][ T5357] ? __fdget_pos+0x254/0x2f0 [ 144.182738][ T5357] ? gfs2_fallocate+0x490/0x490 [ 144.187626][ T5357] ? iterate_dir+0x228/0x570 [ 144.192235][ T5357] ? __down_read_common+0x184/0x2c0 [ 144.197466][ T5357] ? iterate_dir+0x10e/0x570 [ 144.202065][ T5357] iterate_dir+0x228/0x570 [ 144.206485][ T5357] ? gfs2_fallocate+0x490/0x490 [ 144.211360][ T5357] __se_sys_getdents64+0x20d/0x4f0 [ 144.216492][ T5357] ? _raw_spin_unlock_irq+0x2e/0x50 [ 144.221692][ T5357] ? __x64_sys_getdents64+0x80/0x80 [ 144.226901][ T5357] ? filldir+0x740/0x740 [ 144.231162][ T5357] ? syscall_enter_from_user_mode+0x32/0x230 [ 144.237236][ T5357] ? syscall_enter_from_user_mode+0x8c/0x230 [ 144.243233][ T5357] do_syscall_64+0x41/0xc0 [ 144.247683][ T5357] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 144.253583][ T5357] RIP: 0033:0x7f281a11eab9 [ 144.258001][ T5357] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5359] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5357] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5357] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5356] exit_group(0 [pid 5359] <... futex resumed>) = ? [pid 5356] <... exit_group resumed>) = ? [pid 5359] +++ exited with 0 +++ [pid 5357] <... futex resumed>) = ? [pid 5357] +++ exited with 0 +++ [pid 5356] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5356, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./88", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./88", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./88/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./88/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./88/binderfs") = 0 [ 144.277611][ T5357] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 144.286040][ T5357] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 144.294026][ T5357] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 144.301994][ T5357] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 144.309965][ T5357] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 144.317935][ T5357] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 144.326035][ T5357] umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./88/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./88/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./88/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./88/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./88") = 0 mkdir("./89", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5360 ./strace-static-x86_64: Process 5360 attached [pid 5360] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5360] chdir("./89") = 0 [pid 5360] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5360] setpgid(0, 0) = 0 [pid 5360] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5360] write(3, "1000", 4) = 4 [pid 5360] close(3) = 0 [pid 5360] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5360] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5360] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5360] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5360] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5361], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5361 [pid 5360] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5360] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5361 attached [pid 5361] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5361] memfd_create("syzkaller", 0) = 3 [pid 5361] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5361] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5361] munmap(0x7f2811caa000, 16777216) = 0 [pid 5361] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5361] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5361] close(3) = 0 [pid 5361] mkdir("./file0", 0777) = 0 [ 144.722274][ T5361] loop0: detected capacity change from 0 to 32768 [ 144.733424][ T5361] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 144.741896][ T5361] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 144.751093][ T5361] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 144.760035][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 144.766967][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5361] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5361] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5361] chdir("./file0") = 0 [pid 5361] ioctl(4, LOOP_CLR_FD) = 0 [pid 5361] close(4) = 0 [pid 5361] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5360] <... futex resumed>) = 0 [pid 5360] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5360] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5361] <... futex resumed>) = 1 [pid 5361] open(".", O_RDONLY) = 4 [pid 5361] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5360] <... futex resumed>) = 0 [pid 5360] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5360] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5361] <... futex resumed>) = 1 [ 144.809625][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 144.817151][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 144.822433][ T5361] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 144.837937][ T5361] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 144.846630][ T5361] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 144.846630][ T5361] inode = 12 2341 [pid 5361] getdents64(4, [pid 5360] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 144.846630][ T5361] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 144.865732][ T5361] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 144.875053][ T5361] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5361 [syz-executor171] iterate_dir+0x228/0x570 [ 144.885168][ T5361] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 144.893759][ T5361] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 144.901127][ T5361] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5360] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5360] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5360] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5360] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5363], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5363 [pid 5360] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5360] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5363 attached [pid 5363] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 144.910636][ T5361] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 144.917448][ T5361] gfs2: fsid=syz:syz.0: File system withdrawn [ 144.923771][ T5361] CPU: 0 PID: 5361 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 144.933877][ T5361] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 144.943939][ T5361] Call Trace: [ 144.947217][ T5361] [ 144.950168][ T5361] dump_stack_lvl+0x1e7/0x2d0 [ 144.954911][ T5361] ? nf_tcp_handle_invalid+0x650/0x650 [pid 5363] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5363] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5360] <... futex resumed>) = 0 [ 144.960418][ T5361] ? panic+0x770/0x770 [ 144.964508][ T5361] ? kobject_uevent_env+0x54e/0x8e0 [ 144.969788][ T5361] gfs2_withdraw+0xf48/0x1550 [ 144.974507][ T5361] ? gfs2_lm+0x240/0x240 [ 144.978781][ T5361] ? gfs2_dirent_scan+0xb2/0x640 [ 144.983760][ T5361] ? panic+0x770/0x770 [ 144.987858][ T5361] ? gfs2_consist_inode_i+0xf5/0x110 [ 144.993161][ T5361] gfs2_dirent_scan+0x512/0x640 [ 144.998039][ T5361] ? gfs2_dirent_scan+0x640/0x640 [ 145.003102][ T5361] gfs2_dir_read+0x82f/0x1af0 [ 145.007883][ T5361] ? inode_dio_wait+0x2ad/0x340 [ 145.012760][ T5361] ? inode_owner_or_capable+0x1c0/0x1c0 [ 145.018322][ T5361] ? gfs2_dir_hash_inval+0x80/0x80 [ 145.023447][ T5361] ? _raw_spin_unlock+0x28/0x40 [ 145.028307][ T5361] ? gfs2_glock_nq+0xcbf/0x16c0 [ 145.033177][ T5361] ? inode_go_held+0xea/0x200 [ 145.037870][ T5361] ? gfs2_glock_wait+0x21a/0x2b0 [ 145.042832][ T5361] gfs2_readdir+0x14e/0x1b0 [ 145.047368][ T5361] ? __fdget_pos+0x254/0x2f0 [ 145.051983][ T5361] ? gfs2_fallocate+0x490/0x490 [ 145.056857][ T5361] ? iterate_dir+0x228/0x570 [ 145.061479][ T5361] ? __down_read_common+0x184/0x2c0 [ 145.066697][ T5361] ? iterate_dir+0x10e/0x570 [ 145.071305][ T5361] iterate_dir+0x228/0x570 [ 145.075732][ T5361] ? gfs2_fallocate+0x490/0x490 [ 145.080597][ T5361] __se_sys_getdents64+0x20d/0x4f0 [ 145.085724][ T5361] ? _raw_spin_unlock_irq+0x2e/0x50 [ 145.090936][ T5361] ? __x64_sys_getdents64+0x80/0x80 [ 145.096153][ T5361] ? filldir+0x740/0x740 [ 145.100413][ T5361] ? syscall_enter_from_user_mode+0x32/0x230 [ 145.106405][ T5361] ? syscall_enter_from_user_mode+0x8c/0x230 [ 145.112406][ T5361] do_syscall_64+0x41/0xc0 [ 145.116840][ T5361] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 145.122738][ T5361] RIP: 0033:0x7f281a11eab9 [ 145.127157][ T5361] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 145.146767][ T5361] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5363] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5361] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5361] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5360] exit_group(0 [pid 5361] <... futex resumed>) = ? [pid 5360] <... exit_group resumed>) = ? [pid 5361] +++ exited with 0 +++ [pid 5363] <... futex resumed>) = ? [pid 5363] +++ exited with 0 +++ [pid 5360] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5360, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- umount2("./89", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./89", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./89/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./89/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./89/binderfs") = 0 [ 145.155287][ T5361] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 145.163261][ T5361] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 145.171319][ T5361] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 145.179904][ T5361] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 145.187888][ T5361] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 145.195882][ T5361] umount2("./89/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./89/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./89/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./89/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./89/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./89/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./89") = 0 mkdir("./90", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5364 ./strace-static-x86_64: Process 5364 attached [pid 5364] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5364] chdir("./90") = 0 [pid 5364] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5364] setpgid(0, 0) = 0 [pid 5364] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5364] write(3, "1000", 4) = 4 [pid 5364] close(3) = 0 [pid 5364] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5364] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5364] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5364] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5364] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5365], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5365 ./strace-static-x86_64: Process 5365 attached [pid 5364] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5364] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5365] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5365] memfd_create("syzkaller", 0) = 3 [pid 5365] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5365] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5365] munmap(0x7f2811caa000, 16777216) = 0 [pid 5365] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5365] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5365] close(3) = 0 [pid 5365] mkdir("./file0", 0777) = 0 [ 145.558131][ T5365] loop0: detected capacity change from 0 to 32768 [ 145.570289][ T5365] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 145.578911][ T5365] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 145.589077][ T5365] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 145.598054][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 145.605080][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5365] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5365] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5365] chdir("./file0") = 0 [pid 5365] ioctl(4, LOOP_CLR_FD) = 0 [pid 5365] close(4) = 0 [pid 5365] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5364] <... futex resumed>) = 0 [pid 5365] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5364] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5365] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5364] <... futex resumed>) = 0 [pid 5365] open(".", O_RDONLY [pid 5364] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5365] <... open resumed>) = 4 [pid 5365] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5364] <... futex resumed>) = 0 [pid 5364] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5364] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 145.639931][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 145.647605][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 145.652849][ T5365] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 145.687903][ T5365] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 145.696525][ T5365] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 145.696525][ T5365] inode = 12 2341 [ 145.696525][ T5365] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 145.715403][ T5365] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 145.724596][ T5365] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5365 [syz-executor171] iterate_dir+0x228/0x570 [pid 5365] getdents64(4, [pid 5364] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5364] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5364] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5364] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5364] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5364] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5364] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5367], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5367 [pid 5364] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5364] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5367 attached [pid 5367] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 145.734563][ T5365] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 145.743377][ T5365] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 145.750733][ T5365] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 145.759598][ T5365] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 145.767334][ T5365] gfs2: fsid=syz:syz.0: File system withdrawn [ 145.773768][ T5365] CPU: 0 PID: 5365 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 145.783858][ T5365] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 145.793916][ T5365] Call Trace: [ 145.797203][ T5365] [ 145.800135][ T5365] dump_stack_lvl+0x1e7/0x2d0 [ 145.804829][ T5365] ? nf_tcp_handle_invalid+0x650/0x650 [ 145.810315][ T5365] ? panic+0x770/0x770 [ 145.814398][ T5365] ? kobject_uevent_env+0x54e/0x8e0 [ 145.819636][ T5365] gfs2_withdraw+0xf48/0x1550 [ 145.824370][ T5365] ? gfs2_lm+0x240/0x240 [ 145.828643][ T5365] ? gfs2_dirent_scan+0xb2/0x640 [ 145.833607][ T5365] ? panic+0x770/0x770 [ 145.837711][ T5365] ? gfs2_consist_inode_i+0xf5/0x110 [ 145.843010][ T5365] gfs2_dirent_scan+0x512/0x640 [ 145.847871][ T5365] ? gfs2_dirent_scan+0x640/0x640 [ 145.852906][ T5365] gfs2_dir_read+0x82f/0x1af0 [ 145.857608][ T5365] ? inode_dio_wait+0x2ad/0x340 [ 145.862476][ T5365] ? inode_owner_or_capable+0x1c0/0x1c0 [ 145.868049][ T5365] ? gfs2_dir_hash_inval+0x80/0x80 [ 145.873169][ T5365] ? _raw_spin_unlock+0x28/0x40 [ 145.878024][ T5365] ? gfs2_glock_nq+0xcbf/0x16c0 [ 145.882910][ T5365] ? inode_go_held+0xea/0x200 [ 145.887628][ T5365] ? gfs2_glock_wait+0x21a/0x2b0 [ 145.892609][ T5365] gfs2_readdir+0x14e/0x1b0 [ 145.897155][ T5365] ? __fdget_pos+0x254/0x2f0 [ 145.901753][ T5365] ? gfs2_fallocate+0x490/0x490 [ 145.906621][ T5365] ? iterate_dir+0x228/0x570 [ 145.911223][ T5365] ? __down_read_common+0x184/0x2c0 [ 145.916445][ T5365] ? iterate_dir+0x10e/0x570 [ 145.921057][ T5365] iterate_dir+0x228/0x570 [ 145.925505][ T5365] ? gfs2_fallocate+0x490/0x490 [ 145.930397][ T5365] __se_sys_getdents64+0x20d/0x4f0 [ 145.935521][ T5365] ? _raw_spin_unlock_irq+0x2e/0x50 [ 145.940732][ T5365] ? __x64_sys_getdents64+0x80/0x80 [ 145.945943][ T5365] ? filldir+0x740/0x740 [ 145.950221][ T5365] ? syscall_enter_from_user_mode+0x32/0x230 [ 145.956208][ T5365] ? syscall_enter_from_user_mode+0x8c/0x230 [ 145.962197][ T5365] do_syscall_64+0x41/0xc0 [ 145.966631][ T5365] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 145.972531][ T5365] RIP: 0033:0x7f281a11eab9 [ 145.976949][ T5365] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 145.996554][ T5365] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 146.004973][ T5365] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 146.012953][ T5365] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 146.020926][ T5365] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 146.028902][ T5365] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5367] open("./file0", O_RDONLY [pid 5364] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5367] <... open resumed>) = -1 EIO (Input/output error) [pid 5365] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5367] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5365] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5367] <... futex resumed>) = 0 [pid 5367] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5365] <... futex resumed>) = 0 [pid 5364] exit_group(0 [pid 5367] <... futex resumed>) = ? [pid 5364] <... exit_group resumed>) = ? [pid 5367] +++ exited with 0 +++ [pid 5365] +++ exited with 0 +++ [pid 5364] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5364, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=31 /* 0.31 s */} --- umount2("./90", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./90", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./90/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./90/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./90/binderfs") = 0 [ 146.036888][ T5365] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 146.044882][ T5365] umount2("./90/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./90/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./90/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./90/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./90/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./90/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./90") = 0 mkdir("./91", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5368 ./strace-static-x86_64: Process 5368 attached [pid 5368] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5368] chdir("./91") = 0 [pid 5368] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5368] setpgid(0, 0) = 0 [pid 5368] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5368] write(3, "1000", 4) = 4 [pid 5368] close(3) = 0 [pid 5368] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5368] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5368] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5368] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5368] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5369 attached , parent_tid=[5369], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5369 [pid 5368] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5369] set_robust_list(0x7f281a0ca9e0, 24 [pid 5368] <... futex resumed>) = 0 [pid 5368] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5369] <... set_robust_list resumed>) = 0 [pid 5369] memfd_create("syzkaller", 0) = 3 [pid 5369] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5369] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5369] munmap(0x7f2811caa000, 16777216) = 0 [pid 5369] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5369] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5369] close(3) = 0 [pid 5369] mkdir("./file0", 0777) = 0 [ 146.414129][ T5369] loop0: detected capacity change from 0 to 32768 [ 146.425313][ T5369] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 146.434099][ T5369] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 146.444387][ T5369] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 146.452871][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 146.459789][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5369] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5369] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5369] chdir("./file0") = 0 [pid 5369] ioctl(4, LOOP_CLR_FD) = 0 [pid 5369] close(4) = 0 [pid 5369] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5368] <... futex resumed>) = 0 [pid 5368] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5368] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5369] <... futex resumed>) = 1 [pid 5369] open(".", O_RDONLY) = 4 [pid 5369] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5368] <... futex resumed>) = 0 [pid 5368] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5368] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5369] <... futex resumed>) = 1 [ 146.494084][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 146.503103][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 146.508530][ T5369] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 146.525639][ T5369] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 146.534597][ T5369] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5369] getdents64(4, [pid 5368] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5368] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5368] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5368] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5368] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5371], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5371 [pid 5368] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5368] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5371 attached [pid 5371] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5371] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5371] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5368] <... futex resumed>) = 0 [pid 5371] <... futex resumed>) = 1 [ 146.534597][ T5369] inode = 12 2341 [ 146.534597][ T5369] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 146.554462][ T5369] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 146.564015][ T5369] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5369 [syz-executor171] iterate_dir+0x228/0x570 [ 146.574443][ T5369] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 146.583560][ T5369] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 146.590917][ T5369] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 146.600312][ T5369] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 146.606987][ T5369] gfs2: fsid=syz:syz.0: File system withdrawn [ 146.613356][ T5369] CPU: 1 PID: 5369 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 146.623452][ T5369] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 146.633546][ T5369] Call Trace: [ 146.636866][ T5369] [ 146.639813][ T5369] dump_stack_lvl+0x1e7/0x2d0 [ 146.644499][ T5369] ? nf_tcp_handle_invalid+0x650/0x650 [ 146.649969][ T5369] ? panic+0x770/0x770 [ 146.654046][ T5369] ? kobject_uevent_env+0x54e/0x8e0 [ 146.659275][ T5369] gfs2_withdraw+0xf48/0x1550 [ 146.664014][ T5369] ? gfs2_lm+0x240/0x240 [ 146.668293][ T5369] ? gfs2_dirent_scan+0xb2/0x640 [ 146.673256][ T5369] ? panic+0x770/0x770 [ 146.677355][ T5369] ? gfs2_consist_inode_i+0xf5/0x110 [ 146.682660][ T5369] gfs2_dirent_scan+0x512/0x640 [ 146.687527][ T5369] ? gfs2_dirent_scan+0x640/0x640 [ 146.692609][ T5369] gfs2_dir_read+0x82f/0x1af0 [ 146.697316][ T5369] ? inode_dio_wait+0x2ad/0x340 [ 146.702180][ T5369] ? inode_owner_or_capable+0x1c0/0x1c0 [ 146.707738][ T5369] ? gfs2_dir_hash_inval+0x80/0x80 [ 146.712865][ T5369] ? _raw_spin_unlock+0x28/0x40 [ 146.717722][ T5369] ? gfs2_glock_nq+0xcbf/0x16c0 [ 146.722615][ T5369] ? inode_go_held+0xea/0x200 [ 146.727298][ T5369] ? gfs2_glock_wait+0x21a/0x2b0 [ 146.732249][ T5369] gfs2_readdir+0x14e/0x1b0 [ 146.736768][ T5369] ? __fdget_pos+0x254/0x2f0 [ 146.741384][ T5369] ? gfs2_fallocate+0x490/0x490 [ 146.746249][ T5369] ? iterate_dir+0x228/0x570 [ 146.750844][ T5369] ? __down_read_common+0x184/0x2c0 [ 146.756045][ T5369] ? iterate_dir+0x10e/0x570 [ 146.760648][ T5369] iterate_dir+0x228/0x570 [ 146.765085][ T5369] ? gfs2_fallocate+0x490/0x490 [ 146.769947][ T5369] __se_sys_getdents64+0x20d/0x4f0 [ 146.775073][ T5369] ? _raw_spin_unlock_irq+0x2e/0x50 [ 146.780279][ T5369] ? __x64_sys_getdents64+0x80/0x80 [ 146.785484][ T5369] ? filldir+0x740/0x740 [ 146.789747][ T5369] ? syscall_enter_from_user_mode+0x32/0x230 [ 146.795829][ T5369] ? syscall_enter_from_user_mode+0x8c/0x230 [ 146.801832][ T5369] do_syscall_64+0x41/0xc0 [ 146.806262][ T5369] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 146.812163][ T5369] RIP: 0033:0x7f281a11eab9 [ 146.816611][ T5369] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 146.836222][ T5369] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5371] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5369] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5369] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5369] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5368] exit_group(0 [pid 5369] <... futex resumed>) = ? [pid 5368] <... exit_group resumed>) = ? [pid 5371] <... futex resumed>) = ? [pid 5369] +++ exited with 0 +++ [pid 5371] +++ exited with 0 +++ [pid 5368] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5368, si_uid=0, si_status=0, si_utime=0, si_stime=32 /* 0.32 s */} --- umount2("./91", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./91", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./91/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./91/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./91/binderfs") = 0 [ 146.844635][ T5369] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 146.852621][ T5369] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 146.860609][ T5369] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 146.868603][ T5369] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 146.876593][ T5369] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 146.884604][ T5369] umount2("./91/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./91/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./91/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./91/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./91/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./91/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./91") = 0 mkdir("./92", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5372 ./strace-static-x86_64: Process 5372 attached [pid 5372] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5372] chdir("./92") = 0 [pid 5372] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5372] setpgid(0, 0) = 0 [pid 5372] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5372] write(3, "1000", 4) = 4 [pid 5372] close(3) = 0 [pid 5372] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5372] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5372] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5372] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5372] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5373 attached [pid 5373] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5373] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5372] <... clone resumed>, parent_tid=[5373], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5373 [pid 5372] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5373] <... futex resumed>) = 0 [pid 5372] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5373] memfd_create("syzkaller", 0) = 3 [pid 5373] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5373] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5373] munmap(0x7f2811caa000, 16777216) = 0 [pid 5373] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5373] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5373] close(3) = 0 [pid 5373] mkdir("./file0", 0777) = 0 [ 147.308589][ T5373] loop0: detected capacity change from 0 to 32768 [ 147.319328][ T5373] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 147.327647][ T5373] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 147.338076][ T5373] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 147.346730][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 147.353805][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5373] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5373] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5373] chdir("./file0") = 0 [pid 5373] ioctl(4, LOOP_CLR_FD) = 0 [pid 5373] close(4) = 0 [pid 5373] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5372] <... futex resumed>) = 0 [pid 5372] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5372] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5373] open(".", O_RDONLY) = 4 [pid 5373] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5372] <... futex resumed>) = 0 [pid 5372] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5372] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5373] <... futex resumed>) = 1 [ 147.395388][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 147.404746][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 147.410003][ T5373] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 147.450651][ T5373] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 147.459505][ T5373] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 147.459505][ T5373] inode = 12 2341 [ 147.459505][ T5373] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 147.478890][ T5373] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 147.488360][ T5373] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5373 [syz-executor171] iterate_dir+0x228/0x570 [pid 5373] getdents64(4, [pid 5372] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5372] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5372] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5372] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5372] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5375], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5375 [pid 5372] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5372] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5375 attached [pid 5375] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5375] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5375] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5372] <... futex resumed>) = 0 [pid 5375] <... futex resumed>) = 1 [ 147.498519][ T5373] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 147.507203][ T5373] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 147.515224][ T5373] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 147.524526][ T5373] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 147.534659][ T5373] gfs2: fsid=syz:syz.0: File system withdrawn [ 147.541091][ T5373] CPU: 1 PID: 5373 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 147.551156][ T5373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 147.561207][ T5373] Call Trace: [ 147.564485][ T5373] [ 147.567409][ T5373] dump_stack_lvl+0x1e7/0x2d0 [ 147.572097][ T5373] ? nf_tcp_handle_invalid+0x650/0x650 [ 147.577589][ T5373] ? panic+0x770/0x770 [ 147.581657][ T5373] ? kobject_uevent_env+0x54e/0x8e0 [ 147.586861][ T5373] gfs2_withdraw+0xf48/0x1550 [ 147.591552][ T5373] ? gfs2_lm+0x240/0x240 [ 147.595795][ T5373] ? gfs2_dirent_scan+0xb2/0x640 [ 147.600764][ T5373] ? panic+0x770/0x770 [ 147.604859][ T5373] ? gfs2_consist_inode_i+0xf5/0x110 [ 147.610156][ T5373] gfs2_dirent_scan+0x512/0x640 [ 147.615012][ T5373] ? gfs2_dirent_scan+0x640/0x640 [ 147.620052][ T5373] gfs2_dir_read+0x82f/0x1af0 [ 147.624741][ T5373] ? inode_dio_wait+0x2ad/0x340 [ 147.629608][ T5373] ? inode_owner_or_capable+0x1c0/0x1c0 [ 147.635174][ T5373] ? gfs2_dir_hash_inval+0x80/0x80 [ 147.640307][ T5373] ? _raw_spin_unlock+0x28/0x40 [ 147.645164][ T5373] ? gfs2_glock_nq+0xcbf/0x16c0 [ 147.650040][ T5373] ? inode_go_held+0xea/0x200 [ 147.654899][ T5373] ? gfs2_glock_wait+0x21a/0x2b0 [ 147.659850][ T5373] gfs2_readdir+0x14e/0x1b0 [ 147.664366][ T5373] ? __fdget_pos+0x254/0x2f0 [ 147.668977][ T5373] ? gfs2_fallocate+0x490/0x490 [ 147.673851][ T5373] ? iterate_dir+0x228/0x570 [ 147.678455][ T5373] ? __down_read_common+0x184/0x2c0 [ 147.683670][ T5373] ? iterate_dir+0x10e/0x570 [ 147.688288][ T5373] iterate_dir+0x228/0x570 [ 147.692724][ T5373] ? gfs2_fallocate+0x490/0x490 [ 147.697607][ T5373] __se_sys_getdents64+0x20d/0x4f0 [ 147.702758][ T5373] ? _raw_spin_unlock_irq+0x2e/0x50 [ 147.707972][ T5373] ? __x64_sys_getdents64+0x80/0x80 [ 147.713187][ T5373] ? filldir+0x740/0x740 [ 147.717458][ T5373] ? syscall_enter_from_user_mode+0x32/0x230 [ 147.723451][ T5373] ? syscall_enter_from_user_mode+0x8c/0x230 [ 147.729456][ T5373] do_syscall_64+0x41/0xc0 [ 147.733900][ T5373] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 147.739802][ T5373] RIP: 0033:0x7f281a11eab9 [ 147.744225][ T5373] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 147.763836][ T5373] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 147.772252][ T5373] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 147.780229][ T5373] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 147.788222][ T5373] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5375] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5373] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5373] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5372] exit_group(0 [pid 5375] <... futex resumed>) = ? [pid 5372] <... exit_group resumed>) = ? [pid 5375] +++ exited with 0 +++ [pid 5373] +++ exited with 0 +++ [pid 5372] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5372, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./92", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./92", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./92/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./92/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./92/binderfs") = 0 [ 147.796197][ T5373] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 147.804174][ T5373] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 147.812165][ T5373] umount2("./92/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./92/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./92/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./92/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./92/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./92/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./92") = 0 mkdir("./93", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5376 ./strace-static-x86_64: Process 5376 attached [pid 5376] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5376] chdir("./93") = 0 [pid 5376] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5376] setpgid(0, 0) = 0 [pid 5376] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5376] write(3, "1000", 4) = 4 [pid 5376] close(3) = 0 [pid 5376] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5376] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5376] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5376] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5376] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5377], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5377 ./strace-static-x86_64: Process 5377 attached [pid 5376] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5377] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5376] <... futex resumed>) = 0 [pid 5376] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5377] memfd_create("syzkaller", 0) = 3 [pid 5377] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5377] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5377] munmap(0x7f2811caa000, 16777216) = 0 [pid 5377] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5377] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5377] close(3) = 0 [pid 5377] mkdir("./file0", 0777) = 0 [ 148.168162][ T5377] loop0: detected capacity change from 0 to 32768 [ 148.181403][ T5377] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 148.189828][ T5377] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 148.199192][ T5377] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 148.207752][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 148.214646][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5377] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5377] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5377] chdir("./file0") = 0 [pid 5377] ioctl(4, LOOP_CLR_FD) = 0 [pid 5377] close(4) = 0 [pid 5377] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5377] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5376] <... futex resumed>) = 0 [pid 5376] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5377] <... futex resumed>) = 0 [pid 5376] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5377] open(".", O_RDONLY) = 4 [pid 5377] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5377] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5376] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5376] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5376] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5377] <... futex resumed>) = 0 [ 148.254462][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 148.262230][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 148.267940][ T5377] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5377] getdents64(4, [pid 5376] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 148.298200][ T5377] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 148.306929][ T5377] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 148.306929][ T5377] inode = 12 2341 [ 148.306929][ T5377] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 148.325763][ T5377] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 148.335654][ T5377] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5377 [syz-executor171] iterate_dir+0x228/0x570 [pid 5376] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5376] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5376] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5376] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5379], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5379 [pid 5376] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5376] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5379 attached [pid 5379] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5379] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5379] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5376] <... futex resumed>) = 0 [pid 5379] <... futex resumed>) = 1 [ 148.345871][ T5377] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 148.354654][ T5377] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 148.361901][ T5377] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 148.371056][ T5377] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 148.379826][ T5377] gfs2: fsid=syz:syz.0: File system withdrawn [ 148.386423][ T5377] CPU: 1 PID: 5377 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 148.396716][ T5377] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 148.406793][ T5377] Call Trace: [ 148.410082][ T5377] [ 148.413046][ T5377] dump_stack_lvl+0x1e7/0x2d0 [ 148.417742][ T5377] ? nf_tcp_handle_invalid+0x650/0x650 [ 148.423223][ T5377] ? panic+0x770/0x770 [ 148.427306][ T5377] ? kobject_uevent_env+0x54e/0x8e0 [ 148.432529][ T5377] gfs2_withdraw+0xf48/0x1550 [ 148.437243][ T5377] ? gfs2_lm+0x240/0x240 [ 148.441506][ T5377] ? gfs2_dirent_scan+0xb2/0x640 [ 148.446446][ T5377] ? panic+0x770/0x770 [ 148.450518][ T5377] ? gfs2_consist_inode_i+0xf5/0x110 [ 148.455820][ T5377] gfs2_dirent_scan+0x512/0x640 [ 148.460671][ T5377] ? gfs2_dirent_scan+0x640/0x640 [ 148.465705][ T5377] gfs2_dir_read+0x82f/0x1af0 [ 148.470390][ T5377] ? inode_dio_wait+0x2ad/0x340 [ 148.475257][ T5377] ? inode_owner_or_capable+0x1c0/0x1c0 [ 148.480854][ T5377] ? gfs2_dir_hash_inval+0x80/0x80 [ 148.485972][ T5377] ? _raw_spin_unlock+0x28/0x40 [ 148.490841][ T5377] ? gfs2_glock_nq+0xcbf/0x16c0 [pid 5379] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5376] exit_group(0 [pid 5379] <... futex resumed>) = ? [pid 5376] <... exit_group resumed>) = ? [pid 5379] +++ exited with 0 +++ [ 148.495733][ T5377] ? inode_go_held+0xea/0x200 [ 148.500411][ T5377] ? gfs2_glock_wait+0x21a/0x2b0 [ 148.505490][ T5377] gfs2_readdir+0x14e/0x1b0 [ 148.510040][ T5377] ? __fdget_pos+0x254/0x2f0 [ 148.514679][ T5377] ? gfs2_fallocate+0x490/0x490 [ 148.519542][ T5377] ? iterate_dir+0x228/0x570 [ 148.524150][ T5377] ? __down_read_common+0x184/0x2c0 [ 148.529391][ T5377] ? iterate_dir+0x10e/0x570 [ 148.534032][ T5377] iterate_dir+0x228/0x570 [ 148.538479][ T5377] ? gfs2_fallocate+0x490/0x490 [ 148.543362][ T5377] __se_sys_getdents64+0x20d/0x4f0 [ 148.548581][ T5377] ? _raw_spin_unlock_irq+0x2e/0x50 [ 148.553797][ T5377] ? __x64_sys_getdents64+0x80/0x80 [ 148.559017][ T5377] ? filldir+0x740/0x740 [ 148.563305][ T5377] ? syscall_enter_from_user_mode+0x32/0x230 [ 148.569332][ T5377] ? syscall_enter_from_user_mode+0x8c/0x230 [ 148.575318][ T5377] do_syscall_64+0x41/0xc0 [ 148.579740][ T5377] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 148.585639][ T5377] RIP: 0033:0x7f281a11eab9 [ 148.590081][ T5377] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 148.609800][ T5377] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 148.618244][ T5377] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 148.626229][ T5377] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 148.634237][ T5377] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5377] <... getdents64 resumed> ) = ? [pid 5377] +++ exited with 0 +++ [pid 5376] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5376, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=30 /* 0.30 s */} --- umount2("./93", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./93", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./93/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./93/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./93/binderfs") = 0 [ 148.642209][ T5377] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 148.650190][ T5377] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 148.658201][ T5377] umount2("./93/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./93/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./93/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./93/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./93/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./93/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./93") = 0 mkdir("./94", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5380 ./strace-static-x86_64: Process 5380 attached [pid 5380] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5380] chdir("./94") = 0 [pid 5380] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5380] setpgid(0, 0) = 0 [pid 5380] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5380] write(3, "1000", 4) = 4 [pid 5380] close(3) = 0 [pid 5380] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5380] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5380] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5380] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5380] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5381], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5381 [pid 5380] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5380] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5381 attached [pid 5381] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5381] memfd_create("syzkaller", 0) = 3 [pid 5381] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5381] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5381] munmap(0x7f2811caa000, 16777216) = 0 [pid 5381] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5381] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5381] close(3) = 0 [pid 5381] mkdir("./file0", 0777) = 0 [ 149.026333][ T5381] loop0: detected capacity change from 0 to 32768 [ 149.039041][ T5381] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 149.047624][ T5381] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 149.057395][ T5381] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 149.066133][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 149.073172][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5381] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5381] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5381] chdir("./file0") = 0 [pid 5381] ioctl(4, LOOP_CLR_FD) = 0 [pid 5381] close(4) = 0 [pid 5381] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5381] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5380] <... futex resumed>) = 0 [pid 5380] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5381] <... futex resumed>) = 0 [pid 5380] <... futex resumed>) = 1 [pid 5380] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5381] open(".", O_RDONLY) = 4 [pid 5381] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5380] <... futex resumed>) = 0 [pid 5380] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5380] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5381] <... futex resumed>) = 1 [ 149.112802][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 149.121257][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 149.126963][ T5381] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 149.154172][ T5381] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 149.162670][ T5381] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 149.162670][ T5381] inode = 12 2341 [ 149.162670][ T5381] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 149.181428][ T5381] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 149.191064][ T5381] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5381 [syz-executor171] iterate_dir+0x228/0x570 [pid 5381] getdents64(4, [pid 5380] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5380] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5380] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5380] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5380] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5383], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5383 [pid 5380] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5380] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5383 attached [pid 5383] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5383] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5383] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5380] <... futex resumed>) = 0 [pid 5383] <... futex resumed>) = 1 [ 149.201256][ T5381] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 149.210305][ T5381] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 149.218399][ T5381] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 149.227348][ T5381] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 149.235612][ T5381] gfs2: fsid=syz:syz.0: File system withdrawn [ 149.241707][ T5381] CPU: 0 PID: 5381 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 149.251856][ T5381] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 149.261910][ T5381] Call Trace: [ 149.265189][ T5381] [ 149.268122][ T5381] dump_stack_lvl+0x1e7/0x2d0 [ 149.272829][ T5381] ? nf_tcp_handle_invalid+0x650/0x650 [ 149.278332][ T5381] ? panic+0x770/0x770 [ 149.282426][ T5381] ? kobject_uevent_env+0x54e/0x8e0 [ 149.287637][ T5381] gfs2_withdraw+0xf48/0x1550 [ 149.292357][ T5381] ? gfs2_lm+0x240/0x240 [ 149.296644][ T5381] ? gfs2_dirent_scan+0xb2/0x640 [pid 5383] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5380] exit_group(0 [pid 5383] <... futex resumed>) = ? [ 149.301580][ T5381] ? panic+0x770/0x770 [ 149.305666][ T5381] ? gfs2_consist_inode_i+0xf5/0x110 [ 149.310984][ T5381] gfs2_dirent_scan+0x512/0x640 [ 149.315857][ T5381] ? gfs2_dirent_scan+0x640/0x640 [ 149.320886][ T5381] gfs2_dir_read+0x82f/0x1af0 [ 149.325605][ T5381] ? inode_dio_wait+0x2ad/0x340 [ 149.330488][ T5381] ? inode_owner_or_capable+0x1c0/0x1c0 [ 149.336058][ T5381] ? gfs2_dir_hash_inval+0x80/0x80 [ 149.341311][ T5381] ? _raw_spin_unlock+0x28/0x40 [ 149.346233][ T5381] ? gfs2_glock_nq+0xcbf/0x16c0 [pid 5380] <... exit_group resumed>) = ? [pid 5383] +++ exited with 0 +++ [ 149.351121][ T5381] ? inode_go_held+0xea/0x200 [ 149.355827][ T5381] ? gfs2_glock_wait+0x21a/0x2b0 [ 149.360798][ T5381] gfs2_readdir+0x14e/0x1b0 [ 149.365420][ T5381] ? __fdget_pos+0x254/0x2f0 [ 149.370013][ T5381] ? gfs2_fallocate+0x490/0x490 [ 149.374900][ T5381] ? iterate_dir+0x228/0x570 [ 149.379500][ T5381] ? __down_read_common+0x184/0x2c0 [ 149.384699][ T5381] ? iterate_dir+0x10e/0x570 [ 149.389293][ T5381] iterate_dir+0x228/0x570 [ 149.393715][ T5381] ? gfs2_fallocate+0x490/0x490 [ 149.398620][ T5381] __se_sys_getdents64+0x20d/0x4f0 [ 149.403786][ T5381] ? _raw_spin_unlock_irq+0x2e/0x50 [ 149.409013][ T5381] ? __x64_sys_getdents64+0x80/0x80 [ 149.414234][ T5381] ? filldir+0x740/0x740 [ 149.418503][ T5381] ? syscall_enter_from_user_mode+0x32/0x230 [ 149.424499][ T5381] ? syscall_enter_from_user_mode+0x8c/0x230 [ 149.430485][ T5381] do_syscall_64+0x41/0xc0 [ 149.434919][ T5381] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 149.440910][ T5381] RIP: 0033:0x7f281a11eab9 [ 149.445346][ T5381] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 149.464959][ T5381] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 149.473380][ T5381] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 149.481364][ T5381] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 149.489340][ T5381] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 149.497429][ T5381] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5381] <... getdents64 resumed> ) = ? [pid 5381] +++ exited with 0 +++ [pid 5380] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5380, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./94", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./94", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./94/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./94/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./94/binderfs") = 0 [ 149.505397][ T5381] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 149.513417][ T5381] umount2("./94/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./94/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./94/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./94/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./94/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./94/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./94") = 0 mkdir("./95", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5384 ./strace-static-x86_64: Process 5384 attached [pid 5384] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5384] chdir("./95") = 0 [pid 5384] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5384] setpgid(0, 0) = 0 [pid 5384] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5384] write(3, "1000", 4) = 4 [pid 5384] close(3) = 0 [pid 5384] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5384] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5384] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5384] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5384] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5385], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5385 ./strace-static-x86_64: Process 5385 attached [pid 5384] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5385] set_robust_list(0x7f281a0ca9e0, 24 [pid 5384] <... futex resumed>) = 0 [pid 5385] <... set_robust_list resumed>) = 0 [pid 5384] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5385] memfd_create("syzkaller", 0) = 3 [pid 5385] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5385] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5385] munmap(0x7f2811caa000, 16777216) = 0 [pid 5385] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5385] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5385] close(3) = 0 [pid 5385] mkdir("./file0", 0777) = 0 [ 149.865715][ T5385] loop0: detected capacity change from 0 to 32768 [ 149.879400][ T5385] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 149.887703][ T5385] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 149.896945][ T5385] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 149.905400][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 149.912175][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5385] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5385] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5385] chdir("./file0") = 0 [pid 5385] ioctl(4, LOOP_CLR_FD) = 0 [pid 5385] close(4) = 0 [pid 5385] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5384] <... futex resumed>) = 0 [pid 5385] open(".", O_RDONLY [pid 5384] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5385] <... open resumed>) = 4 [pid 5384] <... futex resumed>) = 0 [pid 5385] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5384] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5385] <... futex resumed>) = 0 [pid 5384] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5385] getdents64(4, [ 149.953139][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 149.962474][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 149.967809][ T5385] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5384] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 149.996104][ T5385] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 150.005072][ T5385] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 150.005072][ T5385] inode = 12 2341 [ 150.005072][ T5385] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 150.024065][ T5385] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 150.033126][ T5385] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5385 [syz-executor171] iterate_dir+0x228/0x570 [pid 5384] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5384] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5384] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5384] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5384] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5384] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5387], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5387 [pid 5384] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5384] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5387 attached [pid 5387] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5387] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5387] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5384] <... futex resumed>) = 0 [pid 5387] <... futex resumed>) = 1 [ 150.043167][ T5385] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 150.051631][ T5385] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 150.059240][ T5385] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 150.068461][ T5385] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 150.076562][ T5385] gfs2: fsid=syz:syz.0: File system withdrawn [ 150.082666][ T5385] CPU: 0 PID: 5385 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 150.092729][ T5385] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 150.102868][ T5385] Call Trace: [ 150.106153][ T5385] [ 150.109097][ T5385] dump_stack_lvl+0x1e7/0x2d0 [ 150.113843][ T5385] ? nf_tcp_handle_invalid+0x650/0x650 [ 150.119363][ T5385] ? panic+0x770/0x770 [ 150.123450][ T5385] ? kobject_uevent_env+0x54e/0x8e0 [ 150.128764][ T5385] gfs2_withdraw+0xf48/0x1550 [ 150.133492][ T5385] ? gfs2_lm+0x240/0x240 [ 150.137760][ T5385] ? gfs2_dirent_scan+0xb2/0x640 [ 150.142727][ T5385] ? panic+0x770/0x770 [pid 5387] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5384] exit_group(0 [pid 5387] <... futex resumed>) = ? [pid 5384] <... exit_group resumed>) = ? [pid 5387] +++ exited with 0 +++ [ 150.146804][ T5385] ? gfs2_consist_inode_i+0xf5/0x110 [ 150.152108][ T5385] gfs2_dirent_scan+0x512/0x640 [ 150.156972][ T5385] ? gfs2_dirent_scan+0x640/0x640 [ 150.162033][ T5385] gfs2_dir_read+0x82f/0x1af0 [ 150.166745][ T5385] ? inode_dio_wait+0x2ad/0x340 [ 150.171601][ T5385] ? inode_owner_or_capable+0x1c0/0x1c0 [ 150.177151][ T5385] ? gfs2_dir_hash_inval+0x80/0x80 [ 150.182274][ T5385] ? _raw_spin_unlock+0x28/0x40 [ 150.187148][ T5385] ? gfs2_glock_nq+0xcbf/0x16c0 [ 150.192043][ T5385] ? inode_go_held+0xea/0x200 [ 150.196737][ T5385] ? gfs2_glock_wait+0x21a/0x2b0 [ 150.201686][ T5385] gfs2_readdir+0x14e/0x1b0 [ 150.206244][ T5385] ? __fdget_pos+0x254/0x2f0 [ 150.210849][ T5385] ? gfs2_fallocate+0x490/0x490 [ 150.215717][ T5385] ? iterate_dir+0x228/0x570 [ 150.220421][ T5385] ? __down_read_common+0x184/0x2c0 [ 150.225635][ T5385] ? iterate_dir+0x10e/0x570 [ 150.230268][ T5385] iterate_dir+0x228/0x570 [ 150.234691][ T5385] ? gfs2_fallocate+0x490/0x490 [ 150.239566][ T5385] __se_sys_getdents64+0x20d/0x4f0 [ 150.244703][ T5385] ? _raw_spin_unlock_irq+0x2e/0x50 [ 150.249908][ T5385] ? __x64_sys_getdents64+0x80/0x80 [ 150.255118][ T5385] ? filldir+0x740/0x740 [ 150.259377][ T5385] ? syscall_enter_from_user_mode+0x32/0x230 [ 150.265369][ T5385] ? syscall_enter_from_user_mode+0x8c/0x230 [ 150.271359][ T5385] do_syscall_64+0x41/0xc0 [ 150.275788][ T5385] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 150.281697][ T5385] RIP: 0033:0x7f281a11eab9 [ 150.286130][ T5385] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 150.305734][ T5385] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 150.314151][ T5385] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 150.322126][ T5385] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 150.330190][ T5385] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 150.338198][ T5385] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5385] <... getdents64 resumed> ) = ? [pid 5385] +++ exited with 0 +++ [pid 5384] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5384, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- umount2("./95", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./95", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./95/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./95/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./95/binderfs") = 0 [ 150.346196][ T5385] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 150.354186][ T5385] umount2("./95/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./95/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./95/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./95/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./95/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./95/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./95") = 0 mkdir("./96", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5388 ./strace-static-x86_64: Process 5388 attached [pid 5388] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5388] chdir("./96") = 0 [pid 5388] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5388] setpgid(0, 0) = 0 [pid 5388] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5388] write(3, "1000", 4) = 4 [pid 5388] close(3) = 0 [pid 5388] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5388] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5388] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5388] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5388] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5389 attached , parent_tid=[5389], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5389 [pid 5389] set_robust_list(0x7f281a0ca9e0, 24 [pid 5388] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5389] <... set_robust_list resumed>) = 0 [pid 5388] <... futex resumed>) = 0 [pid 5388] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5389] memfd_create("syzkaller", 0) = 3 [pid 5389] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5389] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5389] munmap(0x7f2811caa000, 16777216) = 0 [pid 5389] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5389] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5389] close(3) = 0 [pid 5389] mkdir("./file0", 0777) = 0 [ 150.736240][ T5389] loop0: detected capacity change from 0 to 32768 [ 150.748685][ T5389] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 150.756884][ T5389] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 150.767004][ T5389] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 150.775833][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 150.782600][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5389] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5389] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5389] chdir("./file0") = 0 [pid 5389] ioctl(4, LOOP_CLR_FD) = 0 [pid 5389] close(4) = 0 [pid 5389] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5388] <... futex resumed>) = 0 [pid 5388] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5388] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5389] <... futex resumed>) = 1 [pid 5389] open(".", O_RDONLY) = 4 [pid 5389] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5388] <... futex resumed>) = 0 [pid 5389] getdents64(4, [pid 5388] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 150.818310][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 150.827153][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 150.832385][ T5389] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 150.855191][ T5389] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5388] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5388] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5388] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5388] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5388] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5388] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5391], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5391 [pid 5388] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5388] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5391 attached [pid 5391] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5391] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5391] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5388] <... futex resumed>) = 0 [pid 5391] <... futex resumed>) = 1 [ 150.863881][ T5389] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 150.863881][ T5389] inode = 12 2341 [ 150.863881][ T5389] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 150.882659][ T5389] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 150.891902][ T5389] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5389 [syz-executor171] iterate_dir+0x228/0x570 [ 150.902371][ T5389] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 150.910865][ T5389] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 150.919302][ T5389] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 150.928158][ T5389] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 150.936120][ T5389] gfs2: fsid=syz:syz.0: File system withdrawn [ 150.942218][ T5389] CPU: 0 PID: 5389 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 150.952292][ T5389] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 150.962345][ T5389] Call Trace: [ 150.965636][ T5389] [ 150.968612][ T5389] dump_stack_lvl+0x1e7/0x2d0 [ 150.973376][ T5389] ? nf_tcp_handle_invalid+0x650/0x650 [ 150.978859][ T5389] ? panic+0x770/0x770 [ 150.982947][ T5389] ? kobject_uevent_env+0x54e/0x8e0 [ 150.988180][ T5389] gfs2_withdraw+0xf48/0x1550 [ 150.992916][ T5389] ? gfs2_lm+0x240/0x240 [ 150.997166][ T5389] ? gfs2_dirent_scan+0xb2/0x640 [ 151.002106][ T5389] ? panic+0x770/0x770 [ 151.006182][ T5389] ? gfs2_consist_inode_i+0xf5/0x110 [ 151.011483][ T5389] gfs2_dirent_scan+0x512/0x640 [ 151.016351][ T5389] ? gfs2_dirent_scan+0x640/0x640 [ 151.021394][ T5389] gfs2_dir_read+0x82f/0x1af0 [ 151.026094][ T5389] ? inode_dio_wait+0x2ad/0x340 [ 151.030966][ T5389] ? inode_owner_or_capable+0x1c0/0x1c0 [ 151.036549][ T5389] ? gfs2_dir_hash_inval+0x80/0x80 [ 151.041669][ T5389] ? _raw_spin_unlock+0x28/0x40 [ 151.046531][ T5389] ? gfs2_glock_nq+0xcbf/0x16c0 [ 151.051442][ T5389] ? inode_go_held+0xea/0x200 [ 151.056152][ T5389] ? gfs2_glock_wait+0x21a/0x2b0 [ 151.061142][ T5389] gfs2_readdir+0x14e/0x1b0 [ 151.065680][ T5389] ? __fdget_pos+0x254/0x2f0 [ 151.070293][ T5389] ? gfs2_fallocate+0x490/0x490 [ 151.075182][ T5389] ? iterate_dir+0x228/0x570 [ 151.079780][ T5389] ? __down_read_common+0x184/0x2c0 [ 151.085010][ T5389] ? iterate_dir+0x10e/0x570 [ 151.089622][ T5389] iterate_dir+0x228/0x570 [ 151.094055][ T5389] ? gfs2_fallocate+0x490/0x490 [ 151.098962][ T5389] __se_sys_getdents64+0x20d/0x4f0 [ 151.104304][ T5389] ? _raw_spin_unlock_irq+0x2e/0x50 [ 151.109516][ T5389] ? __x64_sys_getdents64+0x80/0x80 [ 151.114735][ T5389] ? filldir+0x740/0x740 [pid 5391] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5388] exit_group(0 [pid 5391] <... futex resumed>) = ? [pid 5388] <... exit_group resumed>) = ? [pid 5391] +++ exited with 0 +++ [ 151.119025][ T5389] ? syscall_enter_from_user_mode+0x32/0x230 [ 151.125028][ T5389] ? syscall_enter_from_user_mode+0x8c/0x230 [ 151.131018][ T5389] do_syscall_64+0x41/0xc0 [ 151.135447][ T5389] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 151.141360][ T5389] RIP: 0033:0x7f281a11eab9 [ 151.145799][ T5389] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5389] <... getdents64 resumed> ) = ? [pid 5389] +++ exited with 0 +++ [pid 5388] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5388, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- umount2("./96", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./96", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./96/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./96/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./96/binderfs") = 0 [ 151.165407][ T5389] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 151.173825][ T5389] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 151.181814][ T5389] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 151.189813][ T5389] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 151.197800][ T5389] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 151.205793][ T5389] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 151.213821][ T5389] umount2("./96/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./96/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./96/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./96/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./96/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./96/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./96") = 0 mkdir("./97", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5392 attached , child_tidptr=0x5555571fa5d0) = 5392 [pid 5392] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5392] chdir("./97") = 0 [pid 5392] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5392] setpgid(0, 0) = 0 [pid 5392] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5392] write(3, "1000", 4) = 4 [pid 5392] close(3) = 0 [pid 5392] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5392] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5392] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5392] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5392] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5393 attached [pid 5393] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5393] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5392] <... clone resumed>, parent_tid=[5393], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5393 [pid 5392] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5393] <... futex resumed>) = 0 [pid 5392] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5393] memfd_create("syzkaller", 0) = 3 [pid 5393] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5393] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5393] munmap(0x7f2811caa000, 16777216) = 0 [pid 5393] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5393] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5393] close(3) = 0 [pid 5393] mkdir("./file0", 0777) = 0 [ 151.569655][ T5393] loop0: detected capacity change from 0 to 32768 [ 151.583582][ T5393] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 151.591831][ T5393] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 151.601534][ T5393] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 151.610057][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 151.617064][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5393] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5393] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5393] chdir("./file0") = 0 [pid 5393] ioctl(4, LOOP_CLR_FD) = 0 [pid 5393] close(4) = 0 [pid 5393] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5393] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5392] <... futex resumed>) = 0 [pid 5392] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5392] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5393] <... futex resumed>) = 0 [pid 5393] open(".", O_RDONLY) = 4 [pid 5393] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5392] <... futex resumed>) = 0 [pid 5393] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5392] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5393] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5392] <... futex resumed>) = 0 [pid 5393] getdents64(4, [ 151.658015][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 151.665586][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 151.670856][ T5393] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 151.697293][ T5393] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5392] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5392] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5392] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5392] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5392] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5395], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5395 [pid 5392] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5392] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5395 attached [ 151.705815][ T5393] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 151.705815][ T5393] inode = 12 2341 [ 151.705815][ T5393] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 151.724891][ T5393] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 151.734283][ T5393] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5393 [syz-executor171] iterate_dir+0x228/0x570 [ 151.744392][ T5393] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5395] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5395] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5395] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5392] <... futex resumed>) = 0 [pid 5395] <... futex resumed>) = 1 [ 151.753429][ T5393] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 151.760715][ T5393] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 151.769980][ T5393] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 151.776733][ T5393] gfs2: fsid=syz:syz.0: File system withdrawn [ 151.782839][ T5393] CPU: 1 PID: 5393 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 151.792919][ T5393] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 151.802973][ T5393] Call Trace: [ 151.806255][ T5393] [ 151.809188][ T5393] dump_stack_lvl+0x1e7/0x2d0 [ 151.813899][ T5393] ? nf_tcp_handle_invalid+0x650/0x650 [ 151.819385][ T5393] ? panic+0x770/0x770 [ 151.823453][ T5393] ? kobject_uevent_env+0x54e/0x8e0 [ 151.828679][ T5393] gfs2_withdraw+0xf48/0x1550 [ 151.833435][ T5393] ? gfs2_lm+0x240/0x240 [ 151.837702][ T5393] ? gfs2_dirent_scan+0xb2/0x640 [ 151.842667][ T5393] ? panic+0x770/0x770 [ 151.846735][ T5393] ? gfs2_consist_inode_i+0xf5/0x110 [ 151.852037][ T5393] gfs2_dirent_scan+0x512/0x640 [ 151.856911][ T5393] ? gfs2_dirent_scan+0x640/0x640 [ 151.861949][ T5393] gfs2_dir_read+0x82f/0x1af0 [ 151.866730][ T5393] ? inode_dio_wait+0x2ad/0x340 [ 151.871605][ T5393] ? inode_owner_or_capable+0x1c0/0x1c0 [ 151.877188][ T5393] ? gfs2_dir_hash_inval+0x80/0x80 [ 151.882333][ T5393] ? _raw_spin_unlock+0x28/0x40 [ 151.887189][ T5393] ? gfs2_glock_nq+0xcbf/0x16c0 [ 151.892054][ T5393] ? inode_go_held+0xea/0x200 [ 151.896739][ T5393] ? gfs2_glock_wait+0x21a/0x2b0 [ 151.901707][ T5393] gfs2_readdir+0x14e/0x1b0 [ 151.906244][ T5393] ? __fdget_pos+0x254/0x2f0 [ 151.910842][ T5393] ? gfs2_fallocate+0x490/0x490 [ 151.915713][ T5393] ? iterate_dir+0x228/0x570 [ 151.920314][ T5393] ? __down_read_common+0x184/0x2c0 [ 151.925515][ T5393] ? iterate_dir+0x10e/0x570 [ 151.930140][ T5393] iterate_dir+0x228/0x570 [ 151.934566][ T5393] ? gfs2_fallocate+0x490/0x490 [ 151.939438][ T5393] __se_sys_getdents64+0x20d/0x4f0 [ 151.944567][ T5393] ? _raw_spin_unlock_irq+0x2e/0x50 [ 151.949772][ T5393] ? __x64_sys_getdents64+0x80/0x80 [ 151.954978][ T5393] ? filldir+0x740/0x740 [ 151.959240][ T5393] ? syscall_enter_from_user_mode+0x32/0x230 [ 151.965237][ T5393] ? syscall_enter_from_user_mode+0x8c/0x230 [ 151.971229][ T5393] do_syscall_64+0x41/0xc0 [ 151.975673][ T5393] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 151.981576][ T5393] RIP: 0033:0x7f281a11eab9 [ 151.986002][ T5393] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5395] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5393] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5393] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5393] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5392] exit_group(0 [pid 5395] <... futex resumed>) = ? [pid 5393] <... futex resumed>) = ? [pid 5392] <... exit_group resumed>) = ? [pid 5395] +++ exited with 0 +++ [pid 5393] +++ exited with 0 +++ [pid 5392] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5392, si_uid=0, si_status=0, si_utime=0, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./97", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./97", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./97/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./97/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./97/binderfs") = 0 [ 152.005618][ T5393] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 152.014042][ T5393] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 152.022021][ T5393] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 152.030000][ T5393] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 152.037999][ T5393] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 152.046006][ T5393] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 152.054002][ T5393] umount2("./97/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./97/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./97/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./97/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./97/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./97/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./97") = 0 mkdir("./98", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5396 ./strace-static-x86_64: Process 5396 attached [pid 5396] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5396] chdir("./98") = 0 [pid 5396] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5396] setpgid(0, 0) = 0 [pid 5396] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5396] write(3, "1000", 4) = 4 [pid 5396] close(3) = 0 [pid 5396] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5396] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5396] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5396] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5396] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5397], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5397 ./strace-static-x86_64: Process 5397 attached [pid 5396] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5397] set_robust_list(0x7f281a0ca9e0, 24 [pid 5396] <... futex resumed>) = 0 [pid 5397] <... set_robust_list resumed>) = 0 [pid 5396] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5397] memfd_create("syzkaller", 0) = 3 [pid 5397] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5397] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5397] munmap(0x7f2811caa000, 16777216) = 0 [pid 5397] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5397] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5397] close(3) = 0 [pid 5397] mkdir("./file0", 0777) = 0 [ 152.419410][ T5397] loop0: detected capacity change from 0 to 32768 [ 152.430301][ T5397] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 152.438707][ T5397] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 152.447934][ T5397] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 152.456582][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 152.463437][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5397] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5397] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5397] chdir("./file0") = 0 [pid 5397] ioctl(4, LOOP_CLR_FD) = 0 [pid 5397] close(4) = 0 [pid 5397] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5396] <... futex resumed>) = 0 [pid 5396] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5396] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5397] <... futex resumed>) = 1 [pid 5397] open(".", O_RDONLY) = 4 [pid 5397] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5396] <... futex resumed>) = 0 [pid 5396] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5396] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5397] <... futex resumed>) = 1 [ 152.509975][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 152.519131][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 152.524946][ T5397] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 152.543156][ T5397] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 152.551931][ T5397] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5397] getdents64(4, [pid 5396] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5396] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5396] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5396] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5396] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5396] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5399], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5399 [pid 5396] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5396] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5399 attached [pid 5399] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5399] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5399] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5396] <... futex resumed>) = 0 [pid 5399] <... futex resumed>) = 1 [ 152.551931][ T5397] inode = 12 2341 [ 152.551931][ T5397] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 152.570942][ T5397] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 152.580209][ T5397] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5397 [syz-executor171] iterate_dir+0x228/0x570 [ 152.590381][ T5397] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 152.598992][ T5397] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 152.606537][ T5397] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 152.615853][ T5397] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 152.623649][ T5397] gfs2: fsid=syz:syz.0: File system withdrawn [ 152.630099][ T5397] CPU: 0 PID: 5397 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 152.640163][ T5397] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 152.650216][ T5397] Call Trace: [ 152.653495][ T5397] [ 152.656425][ T5397] dump_stack_lvl+0x1e7/0x2d0 [ 152.661144][ T5397] ? nf_tcp_handle_invalid+0x650/0x650 [ 152.666613][ T5397] ? panic+0x770/0x770 [ 152.670680][ T5397] ? kobject_uevent_env+0x54e/0x8e0 [ 152.675985][ T5397] gfs2_withdraw+0xf48/0x1550 [ 152.680680][ T5397] ? gfs2_lm+0x240/0x240 [ 152.684928][ T5397] ? gfs2_dirent_scan+0xb2/0x640 [ 152.689890][ T5397] ? panic+0x770/0x770 [ 152.693980][ T5397] ? gfs2_consist_inode_i+0xf5/0x110 [ 152.699325][ T5397] gfs2_dirent_scan+0x512/0x640 [ 152.704206][ T5397] ? gfs2_dirent_scan+0x640/0x640 [ 152.709240][ T5397] gfs2_dir_read+0x82f/0x1af0 [ 152.713928][ T5397] ? inode_dio_wait+0x2ad/0x340 [ 152.718795][ T5397] ? inode_owner_or_capable+0x1c0/0x1c0 [ 152.724354][ T5397] ? gfs2_dir_hash_inval+0x80/0x80 [ 152.729479][ T5397] ? _raw_spin_unlock+0x28/0x40 [ 152.734426][ T5397] ? gfs2_glock_nq+0xcbf/0x16c0 [ 152.739305][ T5397] ? inode_go_held+0xea/0x200 [ 152.743990][ T5397] ? gfs2_glock_wait+0x21a/0x2b0 [ 152.748941][ T5397] gfs2_readdir+0x14e/0x1b0 [ 152.753468][ T5397] ? __fdget_pos+0x254/0x2f0 [ 152.758070][ T5397] ? gfs2_fallocate+0x490/0x490 [ 152.762941][ T5397] ? iterate_dir+0x228/0x570 [ 152.767563][ T5397] ? __down_read_common+0x184/0x2c0 [ 152.772793][ T5397] ? iterate_dir+0x10e/0x570 [ 152.777407][ T5397] iterate_dir+0x228/0x570 [ 152.781842][ T5397] ? gfs2_fallocate+0x490/0x490 [ 152.786724][ T5397] __se_sys_getdents64+0x20d/0x4f0 [ 152.791864][ T5397] ? _raw_spin_unlock_irq+0x2e/0x50 [ 152.797094][ T5397] ? __x64_sys_getdents64+0x80/0x80 [ 152.802311][ T5397] ? filldir+0x740/0x740 [ 152.806602][ T5397] ? syscall_enter_from_user_mode+0x32/0x230 [ 152.812599][ T5397] ? syscall_enter_from_user_mode+0x8c/0x230 [ 152.818588][ T5397] do_syscall_64+0x41/0xc0 [ 152.823021][ T5397] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 152.828915][ T5397] RIP: 0033:0x7f281a11eab9 [ 152.833338][ T5397] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 152.852952][ T5397] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5399] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5397] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5397] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5396] exit_group(0 [pid 5399] <... futex resumed>) = ? [pid 5396] <... exit_group resumed>) = ? [pid 5399] +++ exited with 0 +++ [pid 5397] <... futex resumed>) = ? [pid 5397] +++ exited with 0 +++ [pid 5396] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5396, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./98", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./98", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./98/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./98/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./98/binderfs") = 0 [ 152.861373][ T5397] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 152.869348][ T5397] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 152.877322][ T5397] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 152.885292][ T5397] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 152.893269][ T5397] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 152.901257][ T5397] umount2("./98/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./98/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./98/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./98/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./98/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./98/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./98") = 0 mkdir("./99", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5400 ./strace-static-x86_64: Process 5400 attached [pid 5400] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5400] chdir("./99") = 0 [pid 5400] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5400] setpgid(0, 0) = 0 [pid 5400] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5400] write(3, "1000", 4) = 4 [pid 5400] close(3) = 0 [pid 5400] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5400] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5400] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5400] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5400] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5401], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5401 [pid 5400] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5400] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5401 attached [pid 5401] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5401] memfd_create("syzkaller", 0) = 3 [pid 5401] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5401] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5401] munmap(0x7f2811caa000, 16777216) = 0 [pid 5401] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5401] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5401] close(3) = 0 [pid 5401] mkdir("./file0", 0777) = 0 [ 153.286960][ T5401] loop0: detected capacity change from 0 to 32768 [ 153.298595][ T5401] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 153.306845][ T5401] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 153.316238][ T5401] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 153.324782][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 153.331568][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5401] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5401] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5401] chdir("./file0") = 0 [pid 5401] ioctl(4, LOOP_CLR_FD) = 0 [pid 5401] close(4) = 0 [pid 5401] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5400] <... futex resumed>) = 0 [pid 5401] open(".", O_RDONLY [pid 5400] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5401] <... open resumed>) = 4 [pid 5400] <... futex resumed>) = 0 [pid 5401] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5400] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5401] <... futex resumed>) = 0 [pid 5400] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5401] getdents64(4, [pid 5400] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 153.372986][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 41ms [ 153.380548][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 153.385865][ T5401] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 153.399437][ T5401] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 153.408387][ T5401] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 153.408387][ T5401] inode = 12 2341 [pid 5400] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 153.408387][ T5401] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 153.427489][ T5401] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 153.436834][ T5401] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5401 [syz-executor171] iterate_dir+0x228/0x570 [ 153.446861][ T5401] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 153.455369][ T5401] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 153.462644][ T5401] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5400] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5400] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5400] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5400] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5403], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5403 [pid 5400] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5400] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5403 attached [pid 5403] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5403] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5403] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5400] <... futex resumed>) = 0 [pid 5403] <... futex resumed>) = 1 [ 153.471669][ T5401] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 153.478542][ T5401] gfs2: fsid=syz:syz.0: File system withdrawn [ 153.485401][ T5401] CPU: 0 PID: 5401 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 153.495505][ T5401] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 153.505577][ T5401] Call Trace: [ 153.508855][ T5401] [ 153.511796][ T5401] dump_stack_lvl+0x1e7/0x2d0 [ 153.516498][ T5401] ? nf_tcp_handle_invalid+0x650/0x650 [ 153.522004][ T5401] ? panic+0x770/0x770 [ 153.526087][ T5401] ? kobject_uevent_env+0x54e/0x8e0 [ 153.531318][ T5401] gfs2_withdraw+0xf48/0x1550 [ 153.536107][ T5401] ? gfs2_lm+0x240/0x240 [ 153.540357][ T5401] ? gfs2_dirent_scan+0xb2/0x640 [ 153.545316][ T5401] ? panic+0x770/0x770 [ 153.549425][ T5401] ? gfs2_consist_inode_i+0xf5/0x110 [ 153.554746][ T5401] gfs2_dirent_scan+0x512/0x640 [ 153.559617][ T5401] ? gfs2_dirent_scan+0x640/0x640 [ 153.564705][ T5401] gfs2_dir_read+0x82f/0x1af0 [ 153.569422][ T5401] ? inode_dio_wait+0x2ad/0x340 [ 153.574304][ T5401] ? inode_owner_or_capable+0x1c0/0x1c0 [ 153.579869][ T5401] ? gfs2_dir_hash_inval+0x80/0x80 [ 153.585005][ T5401] ? _raw_spin_unlock+0x28/0x40 [ 153.589863][ T5401] ? gfs2_glock_nq+0xcbf/0x16c0 [ 153.594727][ T5401] ? inode_go_held+0xea/0x200 [ 153.599411][ T5401] ? gfs2_glock_wait+0x21a/0x2b0 [ 153.604358][ T5401] gfs2_readdir+0x14e/0x1b0 [ 153.608866][ T5401] ? __fdget_pos+0x254/0x2f0 [ 153.613458][ T5401] ? gfs2_fallocate+0x490/0x490 [ 153.618327][ T5401] ? iterate_dir+0x228/0x570 [ 153.622938][ T5401] ? __down_read_common+0x184/0x2c0 [ 153.628152][ T5401] ? iterate_dir+0x10e/0x570 [ 153.632761][ T5401] iterate_dir+0x228/0x570 [ 153.637197][ T5401] ? gfs2_fallocate+0x490/0x490 [ 153.642067][ T5401] __se_sys_getdents64+0x20d/0x4f0 [ 153.647197][ T5401] ? _raw_spin_unlock_irq+0x2e/0x50 [ 153.652407][ T5401] ? __x64_sys_getdents64+0x80/0x80 [ 153.657617][ T5401] ? filldir+0x740/0x740 [ 153.661880][ T5401] ? syscall_enter_from_user_mode+0x32/0x230 [ 153.667882][ T5401] ? syscall_enter_from_user_mode+0x8c/0x230 [ 153.673878][ T5401] do_syscall_64+0x41/0xc0 [ 153.678318][ T5401] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 153.684223][ T5401] RIP: 0033:0x7f281a11eab9 [ 153.688657][ T5401] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 153.708272][ T5401] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 153.716701][ T5401] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [pid 5403] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5401] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5401] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5401] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5400] exit_group(0 [pid 5401] <... futex resumed>) = ? [pid 5400] <... exit_group resumed>) = ? [pid 5403] <... futex resumed>) = ? [pid 5401] +++ exited with 0 +++ [pid 5403] +++ exited with 0 +++ [pid 5400] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5400, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=35 /* 0.35 s */} --- umount2("./99", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./99", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./99/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./99/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./99/binderfs") = 0 [ 153.724690][ T5401] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 153.732836][ T5401] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 153.740808][ T5401] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 153.748798][ T5401] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 153.756789][ T5401] umount2("./99/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./99/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./99/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./99/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./99/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./99/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./99") = 0 mkdir("./100", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5404 ./strace-static-x86_64: Process 5404 attached [pid 5404] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5404] chdir("./100") = 0 [pid 5404] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5404] setpgid(0, 0) = 0 [pid 5404] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5404] write(3, "1000", 4) = 4 [pid 5404] close(3) = 0 [pid 5404] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5404] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5404] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5404] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5404] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5405 attached [pid 5405] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5405] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5404] <... clone resumed>, parent_tid=[5405], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5405 [pid 5404] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5405] <... futex resumed>) = 0 [pid 5404] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5405] memfd_create("syzkaller", 0) = 3 [pid 5405] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5405] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5405] munmap(0x7f2811caa000, 16777216) = 0 [pid 5405] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5405] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5405] close(3) = 0 [pid 5405] mkdir("./file0", 0777) = 0 [ 154.126574][ T5405] loop0: detected capacity change from 0 to 32768 [ 154.138445][ T5405] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 154.146918][ T5405] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 154.156876][ T5405] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 154.165642][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 154.172656][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5405] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5405] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5405] chdir("./file0") = 0 [pid 5405] ioctl(4, LOOP_CLR_FD) = 0 [pid 5405] close(4) = 0 [pid 5405] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5404] <... futex resumed>) = 0 [pid 5405] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5404] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5405] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5404] <... futex resumed>) = 0 [pid 5405] open(".", O_RDONLY [pid 5404] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5405] <... open resumed>) = 4 [pid 5405] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5404] <... futex resumed>) = 0 [pid 5405] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5404] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5405] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5404] <... futex resumed>) = 0 [pid 5405] getdents64(4, [ 154.214755][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 154.223109][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 154.228661][ T5405] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 154.263557][ T5405] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 154.272009][ T5405] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 154.272009][ T5405] inode = 12 2341 [ 154.272009][ T5405] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 154.291065][ T5405] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 154.300147][ T5405] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5405 [syz-executor171] iterate_dir+0x228/0x570 [pid 5404] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5404] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5404] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5404] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5404] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5407], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5407 [pid 5404] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 154.310152][ T5405] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 154.318705][ T5405] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 154.326323][ T5405] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 154.335498][ T5405] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 154.342222][ T5405] gfs2: fsid=syz:syz.0: File system withdrawn [ 154.348857][ T5405] CPU: 0 PID: 5405 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [pid 5404] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5407 attached [pid 5407] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5407] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5407] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5404] <... futex resumed>) = 0 [ 154.358956][ T5405] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 154.369017][ T5405] Call Trace: [ 154.372315][ T5405] [ 154.375245][ T5405] dump_stack_lvl+0x1e7/0x2d0 [ 154.379933][ T5405] ? nf_tcp_handle_invalid+0x650/0x650 [ 154.385418][ T5405] ? panic+0x770/0x770 [ 154.389488][ T5405] ? kobject_uevent_env+0x54e/0x8e0 [ 154.394711][ T5405] gfs2_withdraw+0xf48/0x1550 [ 154.399429][ T5405] ? gfs2_lm+0x240/0x240 [ 154.403672][ T5405] ? gfs2_dirent_scan+0xb2/0x640 [ 154.408614][ T5405] ? panic+0x770/0x770 [ 154.412705][ T5405] ? gfs2_consist_inode_i+0xf5/0x110 [ 154.418026][ T5405] gfs2_dirent_scan+0x512/0x640 [ 154.422907][ T5405] ? gfs2_dirent_scan+0x640/0x640 [ 154.427941][ T5405] gfs2_dir_read+0x82f/0x1af0 [ 154.432664][ T5405] ? inode_dio_wait+0x2ad/0x340 [ 154.437569][ T5405] ? inode_owner_or_capable+0x1c0/0x1c0 [ 154.443160][ T5405] ? gfs2_dir_hash_inval+0x80/0x80 [ 154.448283][ T5405] ? _raw_spin_unlock+0x28/0x40 [ 154.453149][ T5405] ? gfs2_glock_nq+0xcbf/0x16c0 [ 154.458044][ T5405] ? inode_go_held+0xea/0x200 [ 154.462732][ T5405] ? gfs2_glock_wait+0x21a/0x2b0 [ 154.467685][ T5405] gfs2_readdir+0x14e/0x1b0 [ 154.472206][ T5405] ? __fdget_pos+0x254/0x2f0 [ 154.476799][ T5405] ? gfs2_fallocate+0x490/0x490 [ 154.481693][ T5405] ? iterate_dir+0x228/0x570 [ 154.486296][ T5405] ? __down_read_common+0x184/0x2c0 [ 154.491502][ T5405] ? iterate_dir+0x10e/0x570 [ 154.496107][ T5405] iterate_dir+0x228/0x570 [ 154.500535][ T5405] ? gfs2_fallocate+0x490/0x490 [ 154.505396][ T5405] __se_sys_getdents64+0x20d/0x4f0 [ 154.510523][ T5405] ? _raw_spin_unlock_irq+0x2e/0x50 [ 154.515730][ T5405] ? __x64_sys_getdents64+0x80/0x80 [ 154.520936][ T5405] ? filldir+0x740/0x740 [ 154.525190][ T5405] ? syscall_enter_from_user_mode+0x32/0x230 [ 154.531176][ T5405] ? syscall_enter_from_user_mode+0x8c/0x230 [ 154.537176][ T5405] do_syscall_64+0x41/0xc0 [ 154.541626][ T5405] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 154.547543][ T5405] RIP: 0033:0x7f281a11eab9 [ 154.552003][ T5405] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 154.571613][ T5405] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 154.580030][ T5405] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 154.588008][ T5405] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 154.595987][ T5405] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 154.603959][ T5405] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5407] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5405] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5405] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5405] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5404] exit_group(0 [pid 5405] <... futex resumed>) = ? [pid 5404] <... exit_group resumed>) = ? [pid 5405] +++ exited with 0 +++ [pid 5407] <... futex resumed>) = ? [pid 5407] +++ exited with 0 +++ [pid 5404] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5404, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=27 /* 0.27 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./100", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./100", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./100/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./100/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./100/binderfs") = 0 [ 154.611928][ T5405] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 154.619910][ T5405] umount2("./100/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./100/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./100/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./100/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./100/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./100/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./100") = 0 mkdir("./101", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5408 ./strace-static-x86_64: Process 5408 attached [pid 5408] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5408] chdir("./101") = 0 [pid 5408] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5408] setpgid(0, 0) = 0 [pid 5408] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5408] write(3, "1000", 4) = 4 [pid 5408] close(3) = 0 [pid 5408] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5408] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5408] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5408] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5408] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5409], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5409 [pid 5408] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5408] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5409 attached [pid 5409] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5409] memfd_create("syzkaller", 0) = 3 [pid 5409] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5409] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5409] munmap(0x7f2811caa000, 16777216) = 0 [pid 5409] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5409] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5409] close(3) = 0 [pid 5409] mkdir("./file0", 0777) = 0 [ 154.967825][ T5409] loop0: detected capacity change from 0 to 32768 [ 154.979890][ T5409] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 154.988215][ T5409] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 154.997942][ T5409] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 155.006606][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 155.013698][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5409] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5409] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5409] chdir("./file0") = 0 [pid 5409] ioctl(4, LOOP_CLR_FD) = 0 [pid 5409] close(4) = 0 [pid 5409] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5408] <... futex resumed>) = 0 [pid 5409] open(".", O_RDONLY [pid 5408] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5409] <... open resumed>) = 4 [pid 5408] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5409] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5408] <... futex resumed>) = 0 [pid 5408] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5408] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 155.053477][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 155.061763][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 155.067149][ T5409] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 155.097490][ T5409] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 155.106243][ T5409] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 155.106243][ T5409] inode = 12 2341 [ 155.106243][ T5409] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 155.125249][ T5409] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 155.134807][ T5409] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5409 [syz-executor171] iterate_dir+0x228/0x570 [pid 5409] getdents64(4, [pid 5408] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5408] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5408] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5408] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5408] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5411], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5411 [pid 5408] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5408] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5411 attached [pid 5411] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5411] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5411] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5408] <... futex resumed>) = 0 [ 155.144985][ T5409] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 155.153678][ T5409] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 155.162340][ T5409] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 155.171404][ T5409] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 155.178138][ T5409] gfs2: fsid=syz:syz.0: File system withdrawn [ 155.184764][ T5409] CPU: 0 PID: 5409 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 155.194863][ T5409] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 155.204953][ T5409] Call Trace: [ 155.208269][ T5409] [ 155.211242][ T5409] dump_stack_lvl+0x1e7/0x2d0 [ 155.215960][ T5409] ? nf_tcp_handle_invalid+0x650/0x650 [ 155.221465][ T5409] ? panic+0x770/0x770 [ 155.225538][ T5409] ? kobject_uevent_env+0x54e/0x8e0 [ 155.230772][ T5409] gfs2_withdraw+0xf48/0x1550 [ 155.235497][ T5409] ? gfs2_lm+0x240/0x240 [ 155.239767][ T5409] ? gfs2_dirent_scan+0xb2/0x640 [ 155.244711][ T5409] ? panic+0x770/0x770 [ 155.248806][ T5409] ? gfs2_consist_inode_i+0xf5/0x110 [ 155.254109][ T5409] gfs2_dirent_scan+0x512/0x640 [ 155.258987][ T5409] ? gfs2_dirent_scan+0x640/0x640 [ 155.264024][ T5409] gfs2_dir_read+0x82f/0x1af0 [ 155.268734][ T5409] ? inode_dio_wait+0x2ad/0x340 [ 155.273616][ T5409] ? inode_owner_or_capable+0x1c0/0x1c0 [ 155.279194][ T5409] ? gfs2_dir_hash_inval+0x80/0x80 [ 155.284318][ T5409] ? _raw_spin_unlock+0x28/0x40 [ 155.289178][ T5409] ? gfs2_glock_nq+0xcbf/0x16c0 [ 155.294047][ T5409] ? inode_go_held+0xea/0x200 [ 155.298750][ T5409] ? gfs2_glock_wait+0x21a/0x2b0 [ 155.303708][ T5409] gfs2_readdir+0x14e/0x1b0 [ 155.308221][ T5409] ? __fdget_pos+0x254/0x2f0 [ 155.312861][ T5409] ? gfs2_fallocate+0x490/0x490 [ 155.317741][ T5409] ? iterate_dir+0x228/0x570 [ 155.322361][ T5409] ? __down_read_common+0x184/0x2c0 [ 155.327600][ T5409] ? iterate_dir+0x10e/0x570 [ 155.332206][ T5409] iterate_dir+0x228/0x570 [ 155.336657][ T5409] ? gfs2_fallocate+0x490/0x490 [ 155.341523][ T5409] __se_sys_getdents64+0x20d/0x4f0 [ 155.346752][ T5409] ? _raw_spin_unlock_irq+0x2e/0x50 [ 155.351967][ T5409] ? __x64_sys_getdents64+0x80/0x80 [ 155.357179][ T5409] ? filldir+0x740/0x740 [ 155.361458][ T5409] ? syscall_enter_from_user_mode+0x32/0x230 [ 155.367454][ T5409] ? syscall_enter_from_user_mode+0x8c/0x230 [ 155.373446][ T5409] do_syscall_64+0x41/0xc0 [ 155.377880][ T5409] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 155.383805][ T5409] RIP: 0033:0x7f281a11eab9 [ 155.388230][ T5409] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 155.407933][ T5409] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 155.416356][ T5409] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 155.424336][ T5409] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 155.432314][ T5409] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 155.440285][ T5409] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5411] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5409] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5409] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5409] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5408] exit_group(0 [pid 5411] <... futex resumed>) = ? [pid 5409] <... futex resumed>) = ? [pid 5408] <... exit_group resumed>) = ? [pid 5411] +++ exited with 0 +++ [pid 5409] +++ exited with 0 +++ [pid 5408] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5408, si_uid=0, si_status=0, si_utime=0, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./101", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./101", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./101/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./101/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./101/binderfs") = 0 [ 155.448258][ T5409] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 155.456252][ T5409] umount2("./101/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./101/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./101/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./101/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./101/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./101/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./101") = 0 mkdir("./102", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5412 ./strace-static-x86_64: Process 5412 attached [pid 5412] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5412] chdir("./102") = 0 [pid 5412] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5412] setpgid(0, 0) = 0 [pid 5412] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5412] write(3, "1000", 4) = 4 [pid 5412] close(3) = 0 [pid 5412] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5412] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5412] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5412] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5412] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5413 attached , parent_tid=[5413], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5413 [pid 5412] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5412] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5413] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5413] memfd_create("syzkaller", 0) = 3 [pid 5413] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5413] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5413] munmap(0x7f2811caa000, 16777216) = 0 [pid 5413] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5413] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5413] close(3) = 0 [pid 5413] mkdir("./file0", 0777) = 0 [ 155.811794][ T5413] loop0: detected capacity change from 0 to 32768 [ 155.823025][ T5413] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 155.831388][ T5413] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 155.841076][ T5413] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 155.849778][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 155.856855][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5413] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5413] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5413] chdir("./file0") = 0 [pid 5413] ioctl(4, LOOP_CLR_FD) = 0 [pid 5413] close(4) = 0 [pid 5413] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5412] <... futex resumed>) = 0 [pid 5413] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5412] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5412] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5413] <... futex resumed>) = 0 [pid 5413] open(".", O_RDONLY) = 4 [pid 5413] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5412] <... futex resumed>) = 0 [pid 5413] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5412] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5413] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5412] <... futex resumed>) = 0 [ 155.895449][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 155.902937][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 155.908251][ T5413] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5413] getdents64(4, [ 155.941011][ T5413] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 155.952537][ T5413] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 155.952537][ T5413] inode = 12 2341 [ 155.952537][ T5413] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 155.971239][ T5413] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 155.980846][ T5413] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5413 [syz-executor171] iterate_dir+0x228/0x570 [pid 5412] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5412] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5412] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5412] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5412] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5415], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5415 [pid 5412] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5412] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5415 attached [pid 5415] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5415] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5415] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5412] <... futex resumed>) = 0 [pid 5415] <... futex resumed>) = 1 [ 155.990819][ T5413] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 156.000213][ T5413] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 156.008023][ T5413] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 156.016858][ T5413] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 156.025137][ T5413] gfs2: fsid=syz:syz.0: File system withdrawn [ 156.031223][ T5413] CPU: 0 PID: 5413 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 156.041313][ T5413] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 156.051394][ T5413] Call Trace: [ 156.054685][ T5413] [ 156.057625][ T5413] dump_stack_lvl+0x1e7/0x2d0 [ 156.062327][ T5413] ? nf_tcp_handle_invalid+0x650/0x650 [ 156.067803][ T5413] ? panic+0x770/0x770 [ 156.071882][ T5413] ? kobject_uevent_env+0x54e/0x8e0 [ 156.077113][ T5413] gfs2_withdraw+0xf48/0x1550 [ 156.081837][ T5413] ? gfs2_lm+0x240/0x240 [ 156.086083][ T5413] ? gfs2_dirent_scan+0xb2/0x640 [pid 5415] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5412] exit_group(0 [pid 5415] <... futex resumed>) = ? [ 156.091024][ T5413] ? panic+0x770/0x770 [ 156.095103][ T5413] ? gfs2_consist_inode_i+0xf5/0x110 [ 156.100395][ T5413] gfs2_dirent_scan+0x512/0x640 [ 156.105253][ T5413] ? gfs2_dirent_scan+0x640/0x640 [ 156.110281][ T5413] gfs2_dir_read+0x82f/0x1af0 [ 156.114994][ T5413] ? inode_dio_wait+0x2ad/0x340 [ 156.119876][ T5413] ? inode_owner_or_capable+0x1c0/0x1c0 [ 156.125512][ T5413] ? gfs2_dir_hash_inval+0x80/0x80 [ 156.130653][ T5413] ? _raw_spin_unlock+0x28/0x40 [ 156.135516][ T5413] ? gfs2_glock_nq+0xcbf/0x16c0 [ 156.140390][ T5413] ? inode_go_held+0xea/0x200 [ 156.145080][ T5413] ? gfs2_glock_wait+0x21a/0x2b0 [ 156.150055][ T5413] gfs2_readdir+0x14e/0x1b0 [ 156.154570][ T5413] ? __fdget_pos+0x254/0x2f0 [ 156.159183][ T5413] ? gfs2_fallocate+0x490/0x490 [ 156.164071][ T5413] ? iterate_dir+0x228/0x570 [ 156.168675][ T5413] ? __down_read_common+0x184/0x2c0 [ 156.173901][ T5413] ? iterate_dir+0x10e/0x570 [ 156.178511][ T5413] iterate_dir+0x228/0x570 [ 156.182948][ T5413] ? gfs2_fallocate+0x490/0x490 [ 156.187823][ T5413] __se_sys_getdents64+0x20d/0x4f0 [ 156.192953][ T5413] ? _raw_spin_unlock_irq+0x2e/0x50 [ 156.198173][ T5413] ? __x64_sys_getdents64+0x80/0x80 [ 156.203395][ T5413] ? filldir+0x740/0x740 [ 156.207652][ T5413] ? syscall_enter_from_user_mode+0x32/0x230 [ 156.213652][ T5413] ? syscall_enter_from_user_mode+0x8c/0x230 [ 156.219659][ T5413] do_syscall_64+0x41/0xc0 [ 156.224102][ T5413] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 156.230006][ T5413] RIP: 0033:0x7f281a11eab9 [ 156.234427][ T5413] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 156.254058][ T5413] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 156.262495][ T5413] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 156.270500][ T5413] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 156.278485][ T5413] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5412] <... exit_group resumed>) = ? [pid 5413] <... getdents64 resumed> ) = ? [pid 5413] +++ exited with 0 +++ [pid 5415] +++ exited with 0 +++ [pid 5412] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5412, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./102", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./102", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./102/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./102/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./102/binderfs") = 0 [ 156.286461][ T5413] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 156.294559][ T5413] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 156.302543][ T5413] umount2("./102/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./102/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./102/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./102/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./102/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./102/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./102") = 0 mkdir("./103", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5416 ./strace-static-x86_64: Process 5416 attached [pid 5416] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5416] chdir("./103") = 0 [pid 5416] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5416] setpgid(0, 0) = 0 [pid 5416] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5416] write(3, "1000", 4) = 4 [pid 5416] close(3) = 0 [pid 5416] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5416] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5416] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5416] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5416] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5417 attached , parent_tid=[5417], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5417 [pid 5416] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5416] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5417] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5417] memfd_create("syzkaller", 0) = 3 [pid 5417] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5417] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5417] munmap(0x7f2811caa000, 16777216) = 0 [pid 5417] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5417] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5417] close(3) = 0 [pid 5417] mkdir("./file0", 0777) = 0 [ 156.694630][ T5417] loop0: detected capacity change from 0 to 32768 [ 156.706492][ T5417] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 156.715019][ T5417] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 156.724741][ T5417] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 156.733539][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 156.740354][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5417] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5417] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5417] chdir("./file0") = 0 [pid 5417] ioctl(4, LOOP_CLR_FD) = 0 [pid 5417] close(4) = 0 [pid 5417] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5416] <... futex resumed>) = 0 [pid 5416] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5416] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5417] <... futex resumed>) = 1 [pid 5417] open(".", O_RDONLY) = 4 [pid 5417] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5416] <... futex resumed>) = 0 [pid 5417] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5416] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5417] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5416] <... futex resumed>) = 0 [pid 5417] getdents64(4, [ 156.776750][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 156.784255][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 156.789497][ T5417] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 156.816221][ T5417] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5416] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5416] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5416] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5416] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5416] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5419], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5419 [pid 5416] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5416] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5419 attached [pid 5419] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5419] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5419] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5416] <... futex resumed>) = 0 [ 156.825117][ T5417] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 156.825117][ T5417] inode = 12 2341 [ 156.825117][ T5417] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 156.844238][ T5417] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 156.853809][ T5417] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5417 [syz-executor171] iterate_dir+0x228/0x570 [ 156.864280][ T5417] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5419] <... futex resumed>) = 1 [ 156.872754][ T5417] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 156.880277][ T5417] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 156.889290][ T5417] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 156.896368][ T5417] gfs2: fsid=syz:syz.0: File system withdrawn [ 156.902808][ T5417] CPU: 0 PID: 5417 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 156.912900][ T5417] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 156.922958][ T5417] Call Trace: [ 156.926237][ T5417] [ 156.929167][ T5417] dump_stack_lvl+0x1e7/0x2d0 [ 156.933866][ T5417] ? nf_tcp_handle_invalid+0x650/0x650 [ 156.939331][ T5417] ? panic+0x770/0x770 [ 156.943399][ T5417] ? kobject_uevent_env+0x54e/0x8e0 [ 156.948626][ T5417] gfs2_withdraw+0xf48/0x1550 [ 156.953328][ T5417] ? gfs2_lm+0x240/0x240 [ 156.957601][ T5417] ? gfs2_dirent_scan+0xb2/0x640 [ 156.962545][ T5417] ? panic+0x770/0x770 [ 156.966622][ T5417] ? gfs2_consist_inode_i+0xf5/0x110 [ 156.971915][ T5417] gfs2_dirent_scan+0x512/0x640 [ 156.976770][ T5417] ? gfs2_dirent_scan+0x640/0x640 [ 156.981795][ T5417] gfs2_dir_read+0x82f/0x1af0 [ 156.986496][ T5417] ? inode_dio_wait+0x2ad/0x340 [ 156.991366][ T5417] ? inode_owner_or_capable+0x1c0/0x1c0 [ 156.996934][ T5417] ? gfs2_dir_hash_inval+0x80/0x80 [ 157.002062][ T5417] ? _raw_spin_unlock+0x28/0x40 [ 157.006918][ T5417] ? gfs2_glock_nq+0xcbf/0x16c0 [ 157.011788][ T5417] ? inode_go_held+0xea/0x200 [ 157.016479][ T5417] ? gfs2_glock_wait+0x21a/0x2b0 [ 157.021448][ T5417] gfs2_readdir+0x14e/0x1b0 [ 157.025966][ T5417] ? __fdget_pos+0x254/0x2f0 [ 157.030566][ T5417] ? gfs2_fallocate+0x490/0x490 [ 157.035439][ T5417] ? iterate_dir+0x228/0x570 [ 157.040045][ T5417] ? __down_read_common+0x184/0x2c0 [ 157.045264][ T5417] ? iterate_dir+0x10e/0x570 [ 157.049871][ T5417] iterate_dir+0x228/0x570 [ 157.054303][ T5417] ? gfs2_fallocate+0x490/0x490 [ 157.059192][ T5417] __se_sys_getdents64+0x20d/0x4f0 [ 157.064337][ T5417] ? _raw_spin_unlock_irq+0x2e/0x50 [ 157.069559][ T5417] ? __x64_sys_getdents64+0x80/0x80 [ 157.074773][ T5417] ? filldir+0x740/0x740 [ 157.079039][ T5417] ? syscall_enter_from_user_mode+0x32/0x230 [ 157.085033][ T5417] ? syscall_enter_from_user_mode+0x8c/0x230 [ 157.091022][ T5417] do_syscall_64+0x41/0xc0 [ 157.095456][ T5417] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 157.101384][ T5417] RIP: 0033:0x7f281a11eab9 [ 157.105803][ T5417] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5419] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5417] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5417] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5416] exit_group(0 [pid 5419] <... futex resumed>) = ? [pid 5416] <... exit_group resumed>) = ? [pid 5419] +++ exited with 0 +++ [pid 5417] <... futex resumed>) = ? [pid 5417] +++ exited with 0 +++ [pid 5416] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5416, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=30 /* 0.30 s */} --- umount2("./103", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./103", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./103/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./103/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./103/binderfs") = 0 [ 157.125435][ T5417] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 157.133867][ T5417] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 157.141852][ T5417] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 157.149827][ T5417] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 157.157803][ T5417] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 157.165783][ T5417] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 157.173781][ T5417] umount2("./103/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./103/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./103/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./103/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./103/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./103/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./103") = 0 mkdir("./104", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5420 ./strace-static-x86_64: Process 5420 attached [pid 5420] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5420] chdir("./104") = 0 [pid 5420] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5420] setpgid(0, 0) = 0 [pid 5420] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5420] write(3, "1000", 4) = 4 [pid 5420] close(3) = 0 [pid 5420] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5420] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5420] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5420] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5420] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5421 attached , parent_tid=[5421], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5421 [pid 5420] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5421] set_robust_list(0x7f281a0ca9e0, 24 [pid 5420] <... futex resumed>) = 0 [pid 5421] <... set_robust_list resumed>) = 0 [pid 5420] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5421] memfd_create("syzkaller", 0) = 3 [pid 5421] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5421] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5421] munmap(0x7f2811caa000, 16777216) = 0 [pid 5421] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5421] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5421] close(3) = 0 [pid 5421] mkdir("./file0", 0777) = 0 [ 157.558676][ T5421] loop0: detected capacity change from 0 to 32768 [ 157.569634][ T5421] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 157.577891][ T5421] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 157.587781][ T5421] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 157.596503][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 157.603366][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5421] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5421] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5421] chdir("./file0") = 0 [pid 5421] ioctl(4, LOOP_CLR_FD) = 0 [pid 5421] close(4) = 0 [pid 5421] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5420] <... futex resumed>) = 0 [pid 5420] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5420] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5421] <... futex resumed>) = 1 [pid 5421] open(".", O_RDONLY) = 4 [pid 5421] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5420] <... futex resumed>) = 0 [pid 5420] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5420] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5421] <... futex resumed>) = 1 [ 157.643510][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 157.651844][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 157.657527][ T5421] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 157.682669][ T5421] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5421] getdents64(4, [pid 5420] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5420] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5420] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5420] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5420] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5420] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5423], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5423 [pid 5420] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5420] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5423 attached [pid 5423] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5423] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [ 157.691896][ T5421] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 157.691896][ T5421] inode = 12 2341 [ 157.691896][ T5421] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 157.711094][ T5421] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 157.720624][ T5421] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5421 [syz-executor171] iterate_dir+0x228/0x570 [ 157.730808][ T5421] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5423] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5420] <... futex resumed>) = 0 [pid 5423] <... futex resumed>) = 1 [ 157.739797][ T5421] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 157.747287][ T5421] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 157.756154][ T5421] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 157.763382][ T5421] gfs2: fsid=syz:syz.0: File system withdrawn [ 157.769862][ T5421] CPU: 0 PID: 5421 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 157.780017][ T5421] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 157.790068][ T5421] Call Trace: [ 157.793347][ T5421] [ 157.796288][ T5421] dump_stack_lvl+0x1e7/0x2d0 [ 157.801056][ T5421] ? nf_tcp_handle_invalid+0x650/0x650 [ 157.806517][ T5421] ? panic+0x770/0x770 [ 157.810593][ T5421] ? kobject_uevent_env+0x54e/0x8e0 [ 157.815797][ T5421] gfs2_withdraw+0xf48/0x1550 [ 157.820526][ T5421] ? gfs2_lm+0x240/0x240 [ 157.824769][ T5421] ? gfs2_dirent_scan+0xb2/0x640 [ 157.829703][ T5421] ? panic+0x770/0x770 [ 157.833780][ T5421] ? gfs2_consist_inode_i+0xf5/0x110 [ 157.839073][ T5421] gfs2_dirent_scan+0x512/0x640 [ 157.843927][ T5421] ? gfs2_dirent_scan+0x640/0x640 [ 157.848964][ T5421] gfs2_dir_read+0x82f/0x1af0 [ 157.853673][ T5421] ? inode_dio_wait+0x2ad/0x340 [ 157.858553][ T5421] ? inode_owner_or_capable+0x1c0/0x1c0 [ 157.864122][ T5421] ? gfs2_dir_hash_inval+0x80/0x80 [ 157.869243][ T5421] ? _raw_spin_unlock+0x28/0x40 [ 157.874106][ T5421] ? gfs2_glock_nq+0xcbf/0x16c0 [ 157.878998][ T5421] ? inode_go_held+0xea/0x200 [ 157.883708][ T5421] ? gfs2_glock_wait+0x21a/0x2b0 [ 157.888686][ T5421] gfs2_readdir+0x14e/0x1b0 [ 157.893227][ T5421] ? __fdget_pos+0x254/0x2f0 [ 157.897849][ T5421] ? gfs2_fallocate+0x490/0x490 [ 157.902724][ T5421] ? iterate_dir+0x228/0x570 [ 157.907334][ T5421] ? __down_read_common+0x184/0x2c0 [ 157.912547][ T5421] ? iterate_dir+0x10e/0x570 [ 157.917177][ T5421] iterate_dir+0x228/0x570 [ 157.921625][ T5421] ? gfs2_fallocate+0x490/0x490 [ 157.926501][ T5421] __se_sys_getdents64+0x20d/0x4f0 [ 157.931635][ T5421] ? _raw_spin_unlock_irq+0x2e/0x50 [ 157.936856][ T5421] ? __x64_sys_getdents64+0x80/0x80 [ 157.942111][ T5421] ? filldir+0x740/0x740 [ 157.946374][ T5421] ? syscall_enter_from_user_mode+0x32/0x230 [ 157.952393][ T5421] ? syscall_enter_from_user_mode+0x8c/0x230 [ 157.958385][ T5421] do_syscall_64+0x41/0xc0 [ 157.962843][ T5421] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 157.968784][ T5421] RIP: 0033:0x7f281a11eab9 [ 157.973212][ T5421] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5423] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5421] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5421] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5421] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5420] exit_group(0 [pid 5423] <... futex resumed>) = ? [pid 5420] <... exit_group resumed>) = ? [pid 5421] <... futex resumed>) = ? [pid 5421] +++ exited with 0 +++ [pid 5423] +++ exited with 0 +++ [pid 5420] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5420, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./104", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./104", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./104/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./104/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./104/binderfs") = 0 [ 157.992835][ T5421] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 158.001271][ T5421] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 158.009253][ T5421] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 158.017253][ T5421] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 158.025229][ T5421] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 158.033214][ T5421] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 158.041213][ T5421] umount2("./104/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./104/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./104/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./104/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./104/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./104/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./104") = 0 mkdir("./105", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5424 ./strace-static-x86_64: Process 5424 attached [pid 5424] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5424] chdir("./105") = 0 [pid 5424] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5424] setpgid(0, 0) = 0 [pid 5424] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5424] write(3, "1000", 4) = 4 [pid 5424] close(3) = 0 [pid 5424] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5424] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5424] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5424] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5424] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5425 attached , parent_tid=[5425], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5425 [pid 5424] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5424] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5425] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5425] memfd_create("syzkaller", 0) = 3 [pid 5425] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5425] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5425] munmap(0x7f2811caa000, 16777216) = 0 [pid 5425] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5425] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5425] close(3) = 0 [pid 5425] mkdir("./file0", 0777) = 0 [ 158.436865][ T5425] loop0: detected capacity change from 0 to 32768 [ 158.447691][ T5425] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 158.456144][ T5425] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 158.465134][ T5425] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 158.473648][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 158.480434][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5425] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5425] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5425] chdir("./file0") = 0 [pid 5425] ioctl(4, LOOP_CLR_FD) = 0 [pid 5425] close(4) = 0 [pid 5425] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5425] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5424] <... futex resumed>) = 0 [pid 5424] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5425] <... futex resumed>) = 0 [pid 5424] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5425] open(".", O_RDONLY) = 4 [pid 5425] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5424] <... futex resumed>) = 0 [pid 5425] <... futex resumed>) = 1 [pid 5424] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5425] getdents64(4, [ 158.521062][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 158.528704][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 158.534041][ T5425] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5424] <... futex resumed>) = 0 [ 158.568642][ T5425] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 158.577183][ T5425] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 158.577183][ T5425] inode = 12 2341 [ 158.577183][ T5425] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 158.595935][ T5425] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 158.605306][ T5425] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5425 [syz-executor171] iterate_dir+0x228/0x570 [pid 5424] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5424] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5424] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5424] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5424] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5427], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5427 [pid 5424] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5424] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5427 attached [pid 5427] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5427] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5427] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5424] <... futex resumed>) = 0 [ 158.615345][ T5425] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 158.624014][ T5425] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 158.631238][ T5425] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 158.640136][ T5425] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 158.646956][ T5425] gfs2: fsid=syz:syz.0: File system withdrawn [ 158.653054][ T5425] CPU: 1 PID: 5425 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 158.663149][ T5425] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 158.673220][ T5425] Call Trace: [ 158.676549][ T5425] [ 158.679513][ T5425] dump_stack_lvl+0x1e7/0x2d0 [ 158.684230][ T5425] ? nf_tcp_handle_invalid+0x650/0x650 [ 158.689741][ T5425] ? panic+0x770/0x770 [ 158.693836][ T5425] ? kobject_uevent_env+0x54e/0x8e0 [ 158.699068][ T5425] gfs2_withdraw+0xf48/0x1550 [ 158.703767][ T5425] ? gfs2_lm+0x240/0x240 [ 158.708017][ T5425] ? gfs2_dirent_scan+0xb2/0x640 [ 158.712965][ T5425] ? panic+0x770/0x770 [ 158.717133][ T5425] ? gfs2_consist_inode_i+0xf5/0x110 [ 158.722426][ T5425] gfs2_dirent_scan+0x512/0x640 [ 158.727282][ T5425] ? gfs2_dirent_scan+0x640/0x640 [ 158.732322][ T5425] gfs2_dir_read+0x82f/0x1af0 [ 158.737064][ T5425] ? inode_dio_wait+0x2ad/0x340 [ 158.741951][ T5425] ? inode_owner_or_capable+0x1c0/0x1c0 [ 158.747538][ T5425] ? gfs2_dir_hash_inval+0x80/0x80 [ 158.752725][ T5425] ? _raw_spin_unlock+0x28/0x40 [ 158.757609][ T5425] ? gfs2_glock_nq+0xcbf/0x16c0 [ 158.762489][ T5425] ? inode_go_held+0xea/0x200 [ 158.767206][ T5425] ? gfs2_glock_wait+0x21a/0x2b0 [ 158.772165][ T5425] gfs2_readdir+0x14e/0x1b0 [ 158.776683][ T5425] ? __fdget_pos+0x254/0x2f0 [ 158.781277][ T5425] ? gfs2_fallocate+0x490/0x490 [ 158.786150][ T5425] ? iterate_dir+0x228/0x570 [ 158.790767][ T5425] ? __down_read_common+0x184/0x2c0 [ 158.795993][ T5425] ? iterate_dir+0x10e/0x570 [ 158.800598][ T5425] iterate_dir+0x228/0x570 [ 158.805025][ T5425] ? gfs2_fallocate+0x490/0x490 [ 158.809888][ T5425] __se_sys_getdents64+0x20d/0x4f0 [ 158.815012][ T5425] ? _raw_spin_unlock_irq+0x2e/0x50 [ 158.820225][ T5425] ? __x64_sys_getdents64+0x80/0x80 [ 158.825435][ T5425] ? filldir+0x740/0x740 [ 158.829703][ T5425] ? syscall_enter_from_user_mode+0x32/0x230 [ 158.835713][ T5425] ? syscall_enter_from_user_mode+0x8c/0x230 [ 158.841702][ T5425] do_syscall_64+0x41/0xc0 [ 158.846163][ T5425] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 158.852064][ T5425] RIP: 0033:0x7f281a11eab9 [ 158.856482][ T5425] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 158.876091][ T5425] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 158.884541][ T5425] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 158.892514][ T5425] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 158.900496][ T5425] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 158.908472][ T5425] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5427] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5425] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5425] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5425] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5424] exit_group(0) = ? [pid 5427] <... futex resumed>) = ? [pid 5425] <... futex resumed>) = ? [pid 5427] +++ exited with 0 +++ [pid 5425] +++ exited with 0 +++ [pid 5424] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5424, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./105", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./105", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./105/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./105/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./105/binderfs") = 0 [ 158.916451][ T5425] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 158.924446][ T5425] umount2("./105/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./105/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./105/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./105/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./105/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./105/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./105") = 0 mkdir("./106", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5428 ./strace-static-x86_64: Process 5428 attached [pid 5428] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5428] chdir("./106") = 0 [pid 5428] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5428] setpgid(0, 0) = 0 [pid 5428] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5428] write(3, "1000", 4) = 4 [pid 5428] close(3) = 0 [pid 5428] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5428] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5428] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5428] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5428] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5429 attached , parent_tid=[5429], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5429 [pid 5429] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5429] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5428] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5428] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5429] <... futex resumed>) = 0 [pid 5429] memfd_create("syzkaller", 0) = 3 [pid 5429] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5429] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5429] munmap(0x7f2811caa000, 16777216) = 0 [pid 5429] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5429] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5429] close(3) = 0 [pid 5429] mkdir("./file0", 0777) = 0 [ 159.292284][ T5429] loop0: detected capacity change from 0 to 32768 [ 159.306783][ T5429] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 159.315080][ T5429] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 159.324889][ T5429] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 159.333733][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 159.340549][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5429] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5429] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5429] chdir("./file0") = 0 [pid 5429] ioctl(4, LOOP_CLR_FD) = 0 [pid 5429] close(4) = 0 [pid 5429] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5428] <... futex resumed>) = 0 [pid 5428] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5428] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5429] <... futex resumed>) = 1 [pid 5429] open(".", O_RDONLY) = 4 [pid 5429] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5428] <... futex resumed>) = 0 [pid 5428] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5428] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5429] <... futex resumed>) = 1 [ 159.381201][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 159.390143][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 159.395573][ T5429] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 159.411025][ T5429] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 159.419826][ T5429] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 159.419826][ T5429] inode = 12 2341 [pid 5429] getdents64(4, [pid 5428] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5428] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5428] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5428] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5428] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5428] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5428] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5431], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5431 [pid 5428] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5428] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5431 attached [pid 5431] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 159.419826][ T5429] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 159.438992][ T5429] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 159.448337][ T5429] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5429 [syz-executor171] iterate_dir+0x228/0x570 [ 159.458678][ T5429] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 159.464930][ T5431] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 159.467517][ T5429] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 159.476096][ T5431] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 159.492440][ T5429] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 159.492441][ T5431] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5429 [syz-executor171] iterate_dir+0x228/0x570 [ 159.501246][ T5429] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 159.503314][ T5429] gfs2: fsid=syz:syz.0: File system withdrawn [pid 5431] open("./file0", O_RDONLY [pid 5428] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 159.511838][ T5431] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5431 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 159.533802][ T5429] CPU: 0 PID: 5429 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 159.533829][ T5429] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 159.533842][ T5429] Call Trace: [ 159.533851][ T5429] [ 159.544603][ T5431] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 159.553946][ T5429] dump_stack_lvl+0x1e7/0x2d0 [ 159.553983][ T5429] ? nf_tcp_handle_invalid+0x650/0x650 [ 159.554014][ T5429] ? panic+0x770/0x770 [ 159.554036][ T5429] ? kobject_uevent_env+0x54e/0x8e0 [ 159.588077][ T5429] gfs2_withdraw+0xf48/0x1550 [ 159.592790][ T5429] ? gfs2_lm+0x240/0x240 [ 159.597043][ T5429] ? gfs2_dirent_scan+0xb2/0x640 [ 159.601980][ T5429] ? panic+0x770/0x770 [ 159.606060][ T5429] ? gfs2_consist_inode_i+0xf5/0x110 [ 159.611356][ T5429] gfs2_dirent_scan+0x512/0x640 [ 159.616212][ T5429] ? gfs2_dirent_scan+0x640/0x640 [ 159.621242][ T5429] gfs2_dir_read+0x82f/0x1af0 [ 159.625934][ T5429] ? inode_dio_wait+0x2ad/0x340 [ 159.630797][ T5429] ? inode_owner_or_capable+0x1c0/0x1c0 [ 159.636354][ T5429] ? gfs2_dir_hash_inval+0x80/0x80 [ 159.641483][ T5429] ? _raw_spin_unlock+0x28/0x40 [ 159.646338][ T5429] ? gfs2_glock_nq+0xcbf/0x16c0 [ 159.651208][ T5429] ? inode_go_held+0xea/0x200 [ 159.655893][ T5429] ? gfs2_glock_wait+0x21a/0x2b0 [ 159.660840][ T5429] gfs2_readdir+0x14e/0x1b0 [ 159.665357][ T5429] ? __fdget_pos+0x254/0x2f0 [ 159.669952][ T5429] ? gfs2_fallocate+0x490/0x490 [ 159.674826][ T5429] ? iterate_dir+0x228/0x570 [ 159.679433][ T5429] ? __down_read_common+0x184/0x2c0 [ 159.684651][ T5429] ? iterate_dir+0x10e/0x570 [ 159.689258][ T5429] iterate_dir+0x228/0x570 [ 159.693694][ T5429] ? gfs2_fallocate+0x490/0x490 [ 159.698568][ T5429] __se_sys_getdents64+0x20d/0x4f0 [ 159.703698][ T5429] ? _raw_spin_unlock_irq+0x2e/0x50 [ 159.708907][ T5429] ? __x64_sys_getdents64+0x80/0x80 [ 159.714120][ T5429] ? filldir+0x740/0x740 [ 159.718390][ T5429] ? syscall_enter_from_user_mode+0x32/0x230 [ 159.724383][ T5429] ? syscall_enter_from_user_mode+0x8c/0x230 [ 159.730374][ T5429] do_syscall_64+0x41/0xc0 [ 159.734804][ T5429] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 159.740702][ T5429] RIP: 0033:0x7f281a11eab9 [ 159.745123][ T5429] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 159.764734][ T5429] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 159.773168][ T5429] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [pid 5429] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5431] <... open resumed>) = -1 EIO (Input/output error) [pid 5429] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5429] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5431] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5428] exit_group(0 [pid 5431] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5428] <... exit_group resumed>) = ? [pid 5431] <... futex resumed>) = ? [pid 5429] <... futex resumed>) = ? [pid 5431] +++ exited with 0 +++ [pid 5429] +++ exited with 0 +++ [pid 5428] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5428, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=40 /* 0.40 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./106", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./106", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./106/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./106/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./106/binderfs") = 0 [ 159.781150][ T5429] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 159.789127][ T5429] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 159.797109][ T5429] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 159.805085][ T5429] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 159.813074][ T5429] umount2("./106/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./106/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./106/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./106/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./106/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./106/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./106") = 0 mkdir("./107", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5432 ./strace-static-x86_64: Process 5432 attached [pid 5432] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5432] chdir("./107") = 0 [pid 5432] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5432] setpgid(0, 0) = 0 [pid 5432] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5432] write(3, "1000", 4) = 4 [pid 5432] close(3) = 0 [pid 5432] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5432] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5432] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5432] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5432] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5433], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5433 ./strace-static-x86_64: Process 5433 attached [pid 5432] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5433] set_robust_list(0x7f281a0ca9e0, 24 [pid 5432] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5433] <... set_robust_list resumed>) = 0 [pid 5433] memfd_create("syzkaller", 0) = 3 [pid 5433] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5433] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5433] munmap(0x7f2811caa000, 16777216) = 0 [pid 5433] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5433] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5433] close(3) = 0 [pid 5433] mkdir("./file0", 0777) = 0 [ 160.183564][ T5433] loop0: detected capacity change from 0 to 32768 [ 160.197594][ T5433] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 160.205880][ T5433] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 160.215842][ T5433] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 160.224689][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 160.231488][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5433] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5433] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5433] chdir("./file0") = 0 [pid 5433] ioctl(4, LOOP_CLR_FD) = 0 [pid 5433] close(4) = 0 [pid 5433] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5433] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5432] <... futex resumed>) = 0 [pid 5432] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5432] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5433] <... futex resumed>) = 0 [pid 5433] open(".", O_RDONLY) = 4 [pid 5433] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5432] <... futex resumed>) = 0 [pid 5432] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5432] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5433] <... futex resumed>) = 1 [ 160.276384][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 160.283923][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 160.289194][ T5433] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 160.312057][ T5433] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5433] getdents64(4, [pid 5432] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5432] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5432] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5432] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5432] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5435], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5435 [pid 5432] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5432] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5435 attached [pid 5435] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5435] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5435] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5432] <... futex resumed>) = 0 [pid 5435] <... futex resumed>) = 1 [ 160.321045][ T5433] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 160.321045][ T5433] inode = 12 2341 [ 160.321045][ T5433] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 160.339912][ T5433] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 160.349479][ T5433] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5433 [syz-executor171] iterate_dir+0x228/0x570 [ 160.359688][ T5433] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 160.368443][ T5433] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 160.375962][ T5433] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 160.384897][ T5433] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 160.392951][ T5433] gfs2: fsid=syz:syz.0: File system withdrawn [ 160.399121][ T5433] CPU: 0 PID: 5433 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 160.409193][ T5433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 160.419248][ T5433] Call Trace: [ 160.422526][ T5433] [ 160.425457][ T5433] dump_stack_lvl+0x1e7/0x2d0 [ 160.430142][ T5433] ? nf_tcp_handle_invalid+0x650/0x650 [ 160.435614][ T5433] ? panic+0x770/0x770 [ 160.439688][ T5433] ? kobject_uevent_env+0x54e/0x8e0 [ 160.444906][ T5433] gfs2_withdraw+0xf48/0x1550 [ 160.449649][ T5433] ? gfs2_lm+0x240/0x240 [ 160.453901][ T5433] ? gfs2_dirent_scan+0xb2/0x640 [ 160.458857][ T5433] ? panic+0x770/0x770 [ 160.462949][ T5433] ? gfs2_consist_inode_i+0xf5/0x110 [ 160.468257][ T5433] gfs2_dirent_scan+0x512/0x640 [pid 5435] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5432] exit_group(0) = ? [ 160.473132][ T5433] ? gfs2_dirent_scan+0x640/0x640 [ 160.478178][ T5433] gfs2_dir_read+0x82f/0x1af0 [ 160.482871][ T5433] ? inode_dio_wait+0x2ad/0x340 [ 160.487739][ T5433] ? inode_owner_or_capable+0x1c0/0x1c0 [ 160.493331][ T5433] ? gfs2_dir_hash_inval+0x80/0x80 [ 160.498469][ T5433] ? _raw_spin_unlock+0x28/0x40 [ 160.503326][ T5433] ? gfs2_glock_nq+0xcbf/0x16c0 [ 160.508217][ T5433] ? inode_go_held+0xea/0x200 [ 160.512915][ T5433] ? gfs2_glock_wait+0x21a/0x2b0 [ 160.517881][ T5433] gfs2_readdir+0x14e/0x1b0 [ 160.522412][ T5433] ? __fdget_pos+0x254/0x2f0 [pid 5435] <... futex resumed>) = ? [pid 5435] +++ exited with 0 +++ [ 160.526996][ T5433] ? gfs2_fallocate+0x490/0x490 [ 160.531860][ T5433] ? iterate_dir+0x228/0x570 [ 160.536481][ T5433] ? __down_read_common+0x184/0x2c0 [ 160.541694][ T5433] ? iterate_dir+0x10e/0x570 [ 160.546288][ T5433] iterate_dir+0x228/0x570 [ 160.550707][ T5433] ? gfs2_fallocate+0x490/0x490 [ 160.555564][ T5433] __se_sys_getdents64+0x20d/0x4f0 [ 160.560682][ T5433] ? _raw_spin_unlock_irq+0x2e/0x50 [ 160.565897][ T5433] ? __x64_sys_getdents64+0x80/0x80 [ 160.571091][ T5433] ? filldir+0x740/0x740 [ 160.575343][ T5433] ? syscall_enter_from_user_mode+0x32/0x230 [ 160.581328][ T5433] ? syscall_enter_from_user_mode+0x8c/0x230 [ 160.587322][ T5433] do_syscall_64+0x41/0xc0 [ 160.591759][ T5433] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 160.597653][ T5433] RIP: 0033:0x7f281a11eab9 [ 160.602066][ T5433] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5433] <... getdents64 resumed> ) = ? [pid 5433] +++ exited with 0 +++ [pid 5432] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5432, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=32 /* 0.32 s */} --- umount2("./107", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./107", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./107/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./107/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./107/binderfs") = 0 [ 160.621689][ T5433] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 160.630117][ T5433] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 160.638092][ T5433] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 160.646063][ T5433] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 160.654056][ T5433] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 160.662040][ T5433] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 160.670027][ T5433] umount2("./107/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./107/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./107/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./107/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./107/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./107/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./107") = 0 mkdir("./108", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5436 ./strace-static-x86_64: Process 5436 attached [pid 5436] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5436] chdir("./108") = 0 [pid 5436] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5436] setpgid(0, 0) = 0 [pid 5436] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5436] write(3, "1000", 4) = 4 [pid 5436] close(3) = 0 [pid 5436] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5436] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5436] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5436] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5436] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5437 attached , parent_tid=[5437], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5437 [pid 5436] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5436] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5437] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5437] memfd_create("syzkaller", 0) = 3 [pid 5437] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5437] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5437] munmap(0x7f2811caa000, 16777216) = 0 [pid 5437] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5437] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5437] close(3) = 0 [pid 5437] mkdir("./file0", 0777) = 0 [ 161.033884][ T5437] loop0: detected capacity change from 0 to 32768 [ 161.046257][ T5437] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 161.054742][ T5437] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 161.064425][ T5437] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 161.072731][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 161.079701][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5437] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5437] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5437] chdir("./file0") = 0 [pid 5437] ioctl(4, LOOP_CLR_FD) = 0 [pid 5437] close(4) = 0 [pid 5437] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5436] <... futex resumed>) = 0 [pid 5436] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5436] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5437] <... futex resumed>) = 1 [pid 5437] open(".", O_RDONLY) = 4 [pid 5437] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5436] <... futex resumed>) = 0 [pid 5436] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5436] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5437] <... futex resumed>) = 1 [ 161.119501][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 39ms [ 161.127050][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 161.132295][ T5437] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 161.147034][ T5437] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 161.155682][ T5437] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 161.155682][ T5437] inode = 12 2341 [pid 5437] getdents64(4, [pid 5436] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5436] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5436] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5436] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5436] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5439], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5439 [pid 5436] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5436] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5439 attached [pid 5439] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5439] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5439] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5436] <... futex resumed>) = 0 [pid 5439] <... futex resumed>) = 1 [ 161.155682][ T5437] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 161.174800][ T5437] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 161.184113][ T5437] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5437 [syz-executor171] iterate_dir+0x228/0x570 [ 161.194442][ T5437] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 161.202947][ T5437] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 161.210492][ T5437] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 161.219456][ T5437] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 161.226288][ T5437] gfs2: fsid=syz:syz.0: File system withdrawn [ 161.232387][ T5437] CPU: 1 PID: 5437 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 161.242469][ T5437] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 161.252565][ T5437] Call Trace: [ 161.255878][ T5437] [ 161.258811][ T5437] dump_stack_lvl+0x1e7/0x2d0 [ 161.263501][ T5437] ? nf_tcp_handle_invalid+0x650/0x650 [ 161.268981][ T5437] ? panic+0x770/0x770 [ 161.273063][ T5437] ? kobject_uevent_env+0x54e/0x8e0 [ 161.278278][ T5437] gfs2_withdraw+0xf48/0x1550 [ 161.283001][ T5437] ? gfs2_lm+0x240/0x240 [ 161.287273][ T5437] ? gfs2_dirent_scan+0xb2/0x640 [ 161.292217][ T5437] ? panic+0x770/0x770 [ 161.296303][ T5437] ? gfs2_consist_inode_i+0xf5/0x110 [ 161.301603][ T5437] gfs2_dirent_scan+0x512/0x640 [ 161.306469][ T5437] ? gfs2_dirent_scan+0x640/0x640 [ 161.311503][ T5437] gfs2_dir_read+0x82f/0x1af0 [pid 5439] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5436] exit_group(0 [pid 5439] <... futex resumed>) = ? [pid 5436] <... exit_group resumed>) = ? [pid 5439] +++ exited with 0 +++ [ 161.316205][ T5437] ? inode_dio_wait+0x2ad/0x340 [ 161.321084][ T5437] ? inode_owner_or_capable+0x1c0/0x1c0 [ 161.326674][ T5437] ? gfs2_dir_hash_inval+0x80/0x80 [ 161.331807][ T5437] ? _raw_spin_unlock+0x28/0x40 [ 161.336675][ T5437] ? gfs2_glock_nq+0xcbf/0x16c0 [ 161.341555][ T5437] ? inode_go_held+0xea/0x200 [ 161.346234][ T5437] ? gfs2_glock_wait+0x21a/0x2b0 [ 161.351193][ T5437] gfs2_readdir+0x14e/0x1b0 [ 161.355703][ T5437] ? __fdget_pos+0x254/0x2f0 [ 161.360308][ T5437] ? gfs2_fallocate+0x490/0x490 [ 161.365187][ T5437] ? iterate_dir+0x228/0x570 [ 161.369788][ T5437] ? __down_read_common+0x184/0x2c0 [ 161.374992][ T5437] ? iterate_dir+0x10e/0x570 [ 161.379587][ T5437] iterate_dir+0x228/0x570 [ 161.384002][ T5437] ? gfs2_fallocate+0x490/0x490 [ 161.388887][ T5437] __se_sys_getdents64+0x20d/0x4f0 [ 161.394026][ T5437] ? _raw_spin_unlock_irq+0x2e/0x50 [ 161.399240][ T5437] ? __x64_sys_getdents64+0x80/0x80 [ 161.404445][ T5437] ? filldir+0x740/0x740 [ 161.408711][ T5437] ? syscall_enter_from_user_mode+0x32/0x230 [ 161.414704][ T5437] ? syscall_enter_from_user_mode+0x8c/0x230 [ 161.420702][ T5437] do_syscall_64+0x41/0xc0 [ 161.425120][ T5437] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 161.431008][ T5437] RIP: 0033:0x7f281a11eab9 [ 161.435424][ T5437] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 161.455048][ T5437] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5437] <... getdents64 resumed> ) = ? [pid 5437] +++ exited with 0 +++ [pid 5436] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5436, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=31 /* 0.31 s */} --- umount2("./108", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./108", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./108/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./108/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./108/binderfs") = 0 [ 161.463488][ T5437] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 161.471465][ T5437] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 161.479434][ T5437] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 161.487406][ T5437] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 161.495386][ T5437] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 161.503382][ T5437] umount2("./108/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./108/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./108/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./108/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./108/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./108/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./108") = 0 mkdir("./109", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5440 ./strace-static-x86_64: Process 5440 attached [pid 5440] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5440] chdir("./109") = 0 [pid 5440] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5440] setpgid(0, 0) = 0 [pid 5440] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5440] write(3, "1000", 4) = 4 [pid 5440] close(3) = 0 [pid 5440] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5440] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5440] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5440] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5440] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5441 attached [pid 5441] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5441] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5440] <... clone resumed>, parent_tid=[5441], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5441 [pid 5440] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5441] <... futex resumed>) = 0 [pid 5440] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5441] memfd_create("syzkaller", 0) = 3 [pid 5441] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5441] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5441] munmap(0x7f2811caa000, 16777216) = 0 [pid 5441] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5441] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5441] close(3) = 0 [pid 5441] mkdir("./file0", 0777) = 0 [ 161.876025][ T5441] loop0: detected capacity change from 0 to 32768 [ 161.887988][ T5441] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 161.896291][ T5441] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 161.906396][ T5441] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 161.915022][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 161.921812][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5441] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5441] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5441] chdir("./file0") = 0 [pid 5441] ioctl(4, LOOP_CLR_FD) = 0 [pid 5441] close(4) = 0 [pid 5441] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5440] <... futex resumed>) = 0 [pid 5440] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5440] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5441] <... futex resumed>) = 1 [pid 5441] open(".", O_RDONLY) = 4 [pid 5441] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5440] <... futex resumed>) = 0 [pid 5440] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5440] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5441] <... futex resumed>) = 1 [ 161.959728][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 161.967355][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 161.972651][ T5441] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 161.994710][ T5441] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5441] getdents64(4, [pid 5440] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5440] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5440] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5440] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5440] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5443], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5443 [pid 5440] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 162.003529][ T5441] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 162.003529][ T5441] inode = 12 2341 [ 162.003529][ T5441] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 162.022532][ T5441] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 162.031681][ T5441] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5441 [syz-executor171] iterate_dir+0x228/0x570 [ 162.041670][ T5441] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 162.050216][ T5441] gfs2: fsid=syz:syz.0: about to withdraw this file system [pid 5440] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5443 attached [pid 5443] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5443] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5443] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5440] <... futex resumed>) = 0 [ 162.058060][ T5441] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 162.067222][ T5441] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 162.074247][ T5441] gfs2: fsid=syz:syz.0: File system withdrawn [ 162.080434][ T5441] CPU: 0 PID: 5441 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 162.090502][ T5441] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 162.100602][ T5441] Call Trace: [ 162.103905][ T5441] [ 162.106851][ T5441] dump_stack_lvl+0x1e7/0x2d0 [ 162.111566][ T5441] ? nf_tcp_handle_invalid+0x650/0x650 [ 162.117033][ T5441] ? panic+0x770/0x770 [ 162.121112][ T5441] ? kobject_uevent_env+0x54e/0x8e0 [ 162.126338][ T5441] gfs2_withdraw+0xf48/0x1550 [ 162.131036][ T5441] ? gfs2_lm+0x240/0x240 [ 162.135301][ T5441] ? gfs2_dirent_scan+0xb2/0x640 [ 162.140258][ T5441] ? panic+0x770/0x770 [ 162.144389][ T5441] ? gfs2_consist_inode_i+0xf5/0x110 [ 162.149711][ T5441] gfs2_dirent_scan+0x512/0x640 [ 162.154581][ T5441] ? gfs2_dirent_scan+0x640/0x640 [ 162.159632][ T5441] gfs2_dir_read+0x82f/0x1af0 [ 162.164318][ T5441] ? inode_dio_wait+0x2ad/0x340 [ 162.169192][ T5441] ? inode_owner_or_capable+0x1c0/0x1c0 [ 162.174784][ T5441] ? gfs2_dir_hash_inval+0x80/0x80 [ 162.179916][ T5441] ? _raw_spin_unlock+0x28/0x40 [ 162.184769][ T5441] ? gfs2_glock_nq+0xcbf/0x16c0 [ 162.189678][ T5441] ? inode_go_held+0xea/0x200 [ 162.194383][ T5441] ? gfs2_glock_wait+0x21a/0x2b0 [ 162.199344][ T5441] gfs2_readdir+0x14e/0x1b0 [ 162.203885][ T5441] ? __fdget_pos+0x254/0x2f0 [pid 5443] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5440] exit_group(0 [pid 5443] <... futex resumed>) = ? [pid 5440] <... exit_group resumed>) = ? [pid 5443] +++ exited with 0 +++ [ 162.208501][ T5441] ? gfs2_fallocate+0x490/0x490 [ 162.213367][ T5441] ? iterate_dir+0x228/0x570 [ 162.217983][ T5441] ? __down_read_common+0x184/0x2c0 [ 162.223223][ T5441] ? iterate_dir+0x10e/0x570 [ 162.227872][ T5441] iterate_dir+0x228/0x570 [ 162.232324][ T5441] ? gfs2_fallocate+0x490/0x490 [ 162.237184][ T5441] __se_sys_getdents64+0x20d/0x4f0 [ 162.242303][ T5441] ? _raw_spin_unlock_irq+0x2e/0x50 [ 162.247525][ T5441] ? __x64_sys_getdents64+0x80/0x80 [ 162.252774][ T5441] ? filldir+0x740/0x740 [ 162.257032][ T5441] ? syscall_enter_from_user_mode+0x32/0x230 [ 162.263028][ T5441] ? syscall_enter_from_user_mode+0x8c/0x230 [ 162.269052][ T5441] do_syscall_64+0x41/0xc0 [ 162.273520][ T5441] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 162.279444][ T5441] RIP: 0033:0x7f281a11eab9 [ 162.283887][ T5441] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5441] <... getdents64 resumed> ) = ? [pid 5441] +++ exited with 0 +++ [pid 5440] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5440, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=33 /* 0.33 s */} --- umount2("./109", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./109", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./109/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./109/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./109/binderfs") = 0 [ 162.303501][ T5441] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 162.311917][ T5441] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 162.319899][ T5441] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 162.327888][ T5441] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 162.335865][ T5441] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 162.343847][ T5441] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 162.351844][ T5441] umount2("./109/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./109/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./109/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./109/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./109/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./109/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./109") = 0 mkdir("./110", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5444 ./strace-static-x86_64: Process 5444 attached [pid 5444] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5444] chdir("./110") = 0 [pid 5444] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5444] setpgid(0, 0) = 0 [pid 5444] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5444] write(3, "1000", 4) = 4 [pid 5444] close(3) = 0 [pid 5444] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5444] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5444] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5444] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5444] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5445 attached [pid 5445] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5445] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5444] <... clone resumed>, parent_tid=[5445], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5445 [pid 5444] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5445] <... futex resumed>) = 0 [pid 5444] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5445] memfd_create("syzkaller", 0) = 3 [pid 5445] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5445] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5445] munmap(0x7f2811caa000, 16777216) = 0 [pid 5445] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5445] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5445] close(3) = 0 [pid 5445] mkdir("./file0", 0777) = 0 [ 162.726230][ T5445] loop0: detected capacity change from 0 to 32768 [ 162.738199][ T5445] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 162.746492][ T5445] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 162.755727][ T5445] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 162.764426][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 162.771194][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5445] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5445] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5445] chdir("./file0") = 0 [pid 5445] ioctl(4, LOOP_CLR_FD) = 0 [pid 5445] close(4) = 0 [pid 5445] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5444] <... futex resumed>) = 0 [pid 5445] <... futex resumed>) = 1 [pid 5444] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5445] open(".", O_RDONLY [pid 5444] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5445] <... open resumed>) = 4 [pid 5445] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5444] <... futex resumed>) = 0 [pid 5445] getdents64(4, [pid 5444] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 162.807927][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 162.816543][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 162.821987][ T5445] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 162.845605][ T5445] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5444] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5444] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5444] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5444] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5444] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5447], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5447 [pid 5444] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5444] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5447 attached [pid 5447] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5447] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5447] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5444] <... futex resumed>) = 0 [pid 5447] <... futex resumed>) = 1 [ 162.854122][ T5445] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 162.854122][ T5445] inode = 12 2341 [ 162.854122][ T5445] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 162.873718][ T5445] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 162.882829][ T5445] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5445 [syz-executor171] iterate_dir+0x228/0x570 [ 162.892891][ T5445] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 162.901453][ T5445] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 162.909229][ T5445] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 162.918080][ T5445] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 162.925534][ T5445] gfs2: fsid=syz:syz.0: File system withdrawn [ 162.932317][ T5445] CPU: 0 PID: 5445 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 162.942379][ T5445] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 162.952428][ T5445] Call Trace: [ 162.955740][ T5445] [ 162.958666][ T5445] dump_stack_lvl+0x1e7/0x2d0 [ 162.963390][ T5445] ? nf_tcp_handle_invalid+0x650/0x650 [ 162.968846][ T5445] ? panic+0x770/0x770 [ 162.972928][ T5445] ? kobject_uevent_env+0x54e/0x8e0 [ 162.978140][ T5445] gfs2_withdraw+0xf48/0x1550 [ 162.982832][ T5445] ? gfs2_lm+0x240/0x240 [ 162.987074][ T5445] ? gfs2_dirent_scan+0xb2/0x640 [ 162.992008][ T5445] ? panic+0x770/0x770 [ 162.996074][ T5445] ? gfs2_consist_inode_i+0xf5/0x110 [ 163.001460][ T5445] gfs2_dirent_scan+0x512/0x640 [ 163.006305][ T5445] ? gfs2_dirent_scan+0x640/0x640 [ 163.011339][ T5445] gfs2_dir_read+0x82f/0x1af0 [ 163.016025][ T5445] ? inode_dio_wait+0x2ad/0x340 [ 163.020884][ T5445] ? inode_owner_or_capable+0x1c0/0x1c0 [ 163.026460][ T5445] ? gfs2_dir_hash_inval+0x80/0x80 [ 163.031584][ T5445] ? _raw_spin_unlock+0x28/0x40 [ 163.036448][ T5445] ? gfs2_glock_nq+0xcbf/0x16c0 [ 163.041313][ T5445] ? inode_go_held+0xea/0x200 [ 163.046016][ T5445] ? gfs2_glock_wait+0x21a/0x2b0 [ 163.050965][ T5445] gfs2_readdir+0x14e/0x1b0 [ 163.055479][ T5445] ? __fdget_pos+0x254/0x2f0 [ 163.060082][ T5445] ? gfs2_fallocate+0x490/0x490 [ 163.064945][ T5445] ? iterate_dir+0x228/0x570 [ 163.069538][ T5445] ? __down_read_common+0x184/0x2c0 [ 163.074750][ T5445] ? iterate_dir+0x10e/0x570 [ 163.079341][ T5445] iterate_dir+0x228/0x570 [ 163.083768][ T5445] ? gfs2_fallocate+0x490/0x490 [ 163.088634][ T5445] __se_sys_getdents64+0x20d/0x4f0 [ 163.093754][ T5445] ? _raw_spin_unlock_irq+0x2e/0x50 [ 163.098959][ T5445] ? __x64_sys_getdents64+0x80/0x80 [ 163.104251][ T5445] ? filldir+0x740/0x740 [ 163.108496][ T5445] ? syscall_enter_from_user_mode+0x32/0x230 [ 163.114475][ T5445] ? syscall_enter_from_user_mode+0x8c/0x230 [ 163.120459][ T5445] do_syscall_64+0x41/0xc0 [ 163.124878][ T5445] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 163.130766][ T5445] RIP: 0033:0x7f281a11eab9 [ 163.135171][ T5445] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5447] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5445] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5445] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5444] exit_group(0 [pid 5447] <... futex resumed>) = ? [pid 5444] <... exit_group resumed>) = ? [pid 5447] +++ exited with 0 +++ [pid 5445] <... futex resumed>) = ? [pid 5445] +++ exited with 0 +++ [pid 5444] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5444, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./110", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./110", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./110/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./110/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./110/binderfs") = 0 [ 163.154782][ T5445] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 163.163196][ T5445] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 163.171190][ T5445] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 163.179162][ T5445] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 163.187136][ T5445] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 163.195101][ T5445] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 163.203077][ T5445] umount2("./110/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./110/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./110/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./110/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./110/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./110/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./110") = 0 mkdir("./111", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5448 ./strace-static-x86_64: Process 5448 attached [pid 5448] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5448] chdir("./111") = 0 [pid 5448] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5448] setpgid(0, 0) = 0 [pid 5448] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5448] write(3, "1000", 4) = 4 [pid 5448] close(3) = 0 [pid 5448] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5448] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5448] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5448] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5448] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5449 attached , parent_tid=[5449], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5449 [pid 5448] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5448] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5449] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5449] memfd_create("syzkaller", 0) = 3 [pid 5449] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5449] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5449] munmap(0x7f2811caa000, 16777216) = 0 [pid 5449] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5449] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5449] close(3) = 0 [pid 5449] mkdir("./file0", 0777) = 0 [ 163.554841][ T5449] loop0: detected capacity change from 0 to 32768 [ 163.566642][ T5449] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 163.575113][ T5449] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 163.585302][ T5449] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 163.594147][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 163.600917][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5449] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5449] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5449] chdir("./file0") = 0 [pid 5449] ioctl(4, LOOP_CLR_FD) = 0 [pid 5449] close(4) = 0 [pid 5449] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5448] <... futex resumed>) = 0 [pid 5448] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5448] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5449] <... futex resumed>) = 1 [pid 5449] open(".", O_RDONLY) = 4 [pid 5449] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5448] <... futex resumed>) = 0 [pid 5448] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5448] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5449] <... futex resumed>) = 1 [ 163.636484][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 163.644017][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 163.649258][ T5449] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 163.666131][ T5449] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5449] getdents64(4, [pid 5448] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5448] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5448] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5448] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5448] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5451], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5451 [ 163.682265][ T5449] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 163.682265][ T5449] inode = 12 2341 [ 163.682265][ T5449] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 163.701511][ T5449] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 163.710894][ T5449] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5449 [syz-executor171] iterate_dir+0x228/0x570 [ 163.721238][ T5449] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5448] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5448] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5451 attached [pid 5451] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5451] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5451] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5448] <... futex resumed>) = 0 [pid 5451] <... futex resumed>) = 1 [ 163.730135][ T5449] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 163.737935][ T5449] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 163.748163][ T5449] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 163.756209][ T5449] gfs2: fsid=syz:syz.0: File system withdrawn [ 163.762282][ T5449] CPU: 0 PID: 5449 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 163.772353][ T5449] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 163.782425][ T5449] Call Trace: [ 163.785725][ T5449] [ 163.788675][ T5449] dump_stack_lvl+0x1e7/0x2d0 [ 163.793397][ T5449] ? nf_tcp_handle_invalid+0x650/0x650 [ 163.798867][ T5449] ? panic+0x770/0x770 [ 163.802936][ T5449] ? kobject_uevent_env+0x54e/0x8e0 [ 163.808158][ T5449] gfs2_withdraw+0xf48/0x1550 [ 163.812880][ T5449] ? gfs2_lm+0x240/0x240 [ 163.817125][ T5449] ? gfs2_dirent_scan+0xb2/0x640 [ 163.822077][ T5449] ? panic+0x770/0x770 [ 163.826148][ T5449] ? gfs2_consist_inode_i+0xf5/0x110 [ 163.831434][ T5449] gfs2_dirent_scan+0x512/0x640 [pid 5451] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5448] exit_group(0 [pid 5451] <... futex resumed>) = ? [pid 5448] <... exit_group resumed>) = ? [pid 5451] +++ exited with 0 +++ [ 163.836301][ T5449] ? gfs2_dirent_scan+0x640/0x640 [ 163.841353][ T5449] gfs2_dir_read+0x82f/0x1af0 [ 163.846034][ T5449] ? inode_dio_wait+0x2ad/0x340 [ 163.850899][ T5449] ? inode_owner_or_capable+0x1c0/0x1c0 [ 163.856476][ T5449] ? gfs2_dir_hash_inval+0x80/0x80 [ 163.861618][ T5449] ? _raw_spin_unlock+0x28/0x40 [ 163.866485][ T5449] ? gfs2_glock_nq+0xcbf/0x16c0 [ 163.871382][ T5449] ? inode_go_held+0xea/0x200 [ 163.876094][ T5449] ? gfs2_glock_wait+0x21a/0x2b0 [ 163.881055][ T5449] gfs2_readdir+0x14e/0x1b0 [ 163.885652][ T5449] ? __fdget_pos+0x254/0x2f0 [ 163.890252][ T5449] ? gfs2_fallocate+0x490/0x490 [ 163.895101][ T5449] ? iterate_dir+0x228/0x570 [ 163.899697][ T5449] ? __down_read_common+0x184/0x2c0 [ 163.904920][ T5449] ? iterate_dir+0x10e/0x570 [ 163.909527][ T5449] iterate_dir+0x228/0x570 [ 163.913958][ T5449] ? gfs2_fallocate+0x490/0x490 [ 163.918835][ T5449] __se_sys_getdents64+0x20d/0x4f0 [ 163.923966][ T5449] ? _raw_spin_unlock_irq+0x2e/0x50 [ 163.929170][ T5449] ? __x64_sys_getdents64+0x80/0x80 [ 163.934374][ T5449] ? filldir+0x740/0x740 [ 163.938630][ T5449] ? syscall_enter_from_user_mode+0x32/0x230 [ 163.944617][ T5449] ? syscall_enter_from_user_mode+0x8c/0x230 [ 163.950611][ T5449] do_syscall_64+0x41/0xc0 [ 163.955052][ T5449] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 163.960955][ T5449] RIP: 0033:0x7f281a11eab9 [ 163.965370][ T5449] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5449] <... getdents64 resumed> ) = ? [pid 5449] +++ exited with 0 +++ [pid 5448] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5448, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- umount2("./111", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./111", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./111/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./111/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./111/binderfs") = 0 [ 163.984974][ T5449] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 163.993396][ T5449] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 164.001388][ T5449] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 164.009354][ T5449] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 164.017321][ T5449] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 164.025291][ T5449] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 164.033296][ T5449] umount2("./111/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./111/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./111/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./111/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./111/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./111/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./111") = 0 mkdir("./112", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5452 ./strace-static-x86_64: Process 5452 attached [pid 5452] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5452] chdir("./112") = 0 [pid 5452] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5452] setpgid(0, 0) = 0 [pid 5452] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5452] write(3, "1000", 4) = 4 [pid 5452] close(3) = 0 [pid 5452] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5452] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5452] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5452] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5452] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5453], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5453 ./strace-static-x86_64: Process 5453 attached [pid 5452] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5453] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5452] <... futex resumed>) = 0 [pid 5452] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5453] memfd_create("syzkaller", 0) = 3 [pid 5453] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5453] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5453] munmap(0x7f2811caa000, 16777216) = 0 [pid 5453] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5453] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5453] close(3) = 0 [pid 5453] mkdir("./file0", 0777) = 0 [ 164.385485][ T5453] loop0: detected capacity change from 0 to 32768 [ 164.397595][ T5453] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 164.405792][ T5453] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 164.414817][ T5453] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 164.423029][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 164.429859][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5453] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5453] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5453] chdir("./file0") = 0 [pid 5453] ioctl(4, LOOP_CLR_FD) = 0 [pid 5453] close(4) = 0 [pid 5453] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5452] <... futex resumed>) = 0 [pid 5453] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5452] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5453] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5452] <... futex resumed>) = 0 [pid 5453] open(".", O_RDONLY [pid 5452] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5453] <... open resumed>) = 4 [pid 5453] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5452] <... futex resumed>) = 0 [pid 5453] getdents64(4, [ 164.470670][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 164.479445][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 164.484863][ T5453] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5452] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 164.515385][ T5453] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 164.523903][ T5453] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 164.523903][ T5453] inode = 12 2341 [ 164.523903][ T5453] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 164.542685][ T5453] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 164.551805][ T5453] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5453 [syz-executor171] iterate_dir+0x228/0x570 [pid 5452] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5452] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5452] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5452] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5452] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5452] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5455], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5455 [pid 5452] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5452] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5455 attached [pid 5455] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5455] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5455] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5452] <... futex resumed>) = 0 [pid 5455] <... futex resumed>) = 1 [ 164.561790][ T5453] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 164.570291][ T5453] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 164.577544][ T5453] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 164.586429][ T5453] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 164.592970][ T5453] gfs2: fsid=syz:syz.0: File system withdrawn [ 164.599121][ T5453] CPU: 1 PID: 5453 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 164.609209][ T5453] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 164.619289][ T5453] Call Trace: [ 164.622580][ T5453] [ 164.625528][ T5453] dump_stack_lvl+0x1e7/0x2d0 [ 164.630230][ T5453] ? nf_tcp_handle_invalid+0x650/0x650 [ 164.635717][ T5453] ? panic+0x770/0x770 [ 164.639786][ T5453] ? kobject_uevent_env+0x54e/0x8e0 [ 164.645010][ T5453] gfs2_withdraw+0xf48/0x1550 [ 164.649735][ T5453] ? gfs2_lm+0x240/0x240 [ 164.653987][ T5453] ? gfs2_dirent_scan+0xb2/0x640 [ 164.658935][ T5453] ? panic+0x770/0x770 [ 164.663008][ T5453] ? gfs2_consist_inode_i+0xf5/0x110 [ 164.668318][ T5453] gfs2_dirent_scan+0x512/0x640 [ 164.673200][ T5453] ? gfs2_dirent_scan+0x640/0x640 [ 164.678270][ T5453] gfs2_dir_read+0x82f/0x1af0 [ 164.682992][ T5453] ? inode_dio_wait+0x2ad/0x340 [ 164.687851][ T5453] ? inode_owner_or_capable+0x1c0/0x1c0 [ 164.693423][ T5453] ? gfs2_dir_hash_inval+0x80/0x80 [ 164.698573][ T5453] ? _raw_spin_unlock+0x28/0x40 [ 164.703464][ T5453] ? gfs2_glock_nq+0xcbf/0x16c0 [ 164.708348][ T5453] ? inode_go_held+0xea/0x200 [pid 5455] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5452] exit_group(0 [pid 5455] <... futex resumed>) = ? [pid 5452] <... exit_group resumed>) = ? [pid 5455] +++ exited with 0 +++ [ 164.713064][ T5453] ? gfs2_glock_wait+0x21a/0x2b0 [ 164.718042][ T5453] gfs2_readdir+0x14e/0x1b0 [ 164.722635][ T5453] ? __fdget_pos+0x254/0x2f0 [ 164.727333][ T5453] ? gfs2_fallocate+0x490/0x490 [ 164.732207][ T5453] ? iterate_dir+0x228/0x570 [ 164.736855][ T5453] ? __down_read_common+0x184/0x2c0 [ 164.742067][ T5453] ? iterate_dir+0x10e/0x570 [ 164.746683][ T5453] iterate_dir+0x228/0x570 [ 164.751110][ T5453] ? gfs2_fallocate+0x490/0x490 [ 164.755988][ T5453] __se_sys_getdents64+0x20d/0x4f0 [ 164.761119][ T5453] ? _raw_spin_unlock_irq+0x2e/0x50 [ 164.766320][ T5453] ? __x64_sys_getdents64+0x80/0x80 [ 164.771531][ T5453] ? filldir+0x740/0x740 [ 164.775845][ T5453] ? syscall_enter_from_user_mode+0x32/0x230 [ 164.781852][ T5453] ? syscall_enter_from_user_mode+0x8c/0x230 [ 164.787836][ T5453] do_syscall_64+0x41/0xc0 [ 164.792277][ T5453] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 164.798204][ T5453] RIP: 0033:0x7f281a11eab9 [ 164.802651][ T5453] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 164.822255][ T5453] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 164.830666][ T5453] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 164.838635][ T5453] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 164.846615][ T5453] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 164.854599][ T5453] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5453] <... getdents64 resumed> ) = ? [pid 5453] +++ exited with 0 +++ [pid 5452] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5452, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- umount2("./112", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./112", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./112/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./112/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./112/binderfs") = 0 [ 164.862565][ T5453] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 164.870542][ T5453] umount2("./112/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./112/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./112/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./112/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./112/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./112/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./112") = 0 mkdir("./113", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5456 ./strace-static-x86_64: Process 5456 attached [pid 5456] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5456] chdir("./113") = 0 [pid 5456] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5456] setpgid(0, 0) = 0 [pid 5456] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5456] write(3, "1000", 4) = 4 [pid 5456] close(3) = 0 [pid 5456] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5456] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5456] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5456] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5456] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5457], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5457 ./strace-static-x86_64: Process 5457 attached [pid 5456] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5456] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5457] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5457] memfd_create("syzkaller", 0) = 3 [pid 5457] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5457] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5457] munmap(0x7f2811caa000, 16777216) = 0 [pid 5457] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5457] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5457] close(3) = 0 [pid 5457] mkdir("./file0", 0777) = 0 [ 165.218174][ T5457] loop0: detected capacity change from 0 to 32768 [ 165.229997][ T5457] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 165.238499][ T5457] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 165.248844][ T5457] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 165.257339][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 165.264169][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5457] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5457] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5457] chdir("./file0") = 0 [pid 5457] ioctl(4, LOOP_CLR_FD) = 0 [pid 5457] close(4) = 0 [pid 5457] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5456] <... futex resumed>) = 0 [pid 5456] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5456] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5457] <... futex resumed>) = 1 [pid 5457] open(".", O_RDONLY) = 4 [pid 5457] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5456] <... futex resumed>) = 0 [pid 5456] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5456] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5457] <... futex resumed>) = 1 [ 165.302191][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 165.311346][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 165.316781][ T5457] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 165.340910][ T5457] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5457] getdents64(4, [pid 5456] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5456] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5456] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5456] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5456] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5459], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5459 [pid 5456] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5456] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5459 attached [pid 5459] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5459] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5459] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5456] <... futex resumed>) = 0 [pid 5459] <... futex resumed>) = 1 [ 165.349919][ T5457] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 165.349919][ T5457] inode = 12 2341 [ 165.349919][ T5457] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 165.368783][ T5457] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 165.378289][ T5457] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5457 [syz-executor171] iterate_dir+0x228/0x570 [ 165.388259][ T5457] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 165.396762][ T5457] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 165.404020][ T5457] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 165.412793][ T5457] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 165.419455][ T5457] gfs2: fsid=syz:syz.0: File system withdrawn [ 165.425900][ T5457] CPU: 0 PID: 5457 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 165.435956][ T5457] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 165.446002][ T5457] Call Trace: [ 165.449290][ T5457] [ 165.452216][ T5457] dump_stack_lvl+0x1e7/0x2d0 [ 165.456916][ T5457] ? nf_tcp_handle_invalid+0x650/0x650 [ 165.462368][ T5457] ? panic+0x770/0x770 [ 165.466436][ T5457] ? kobject_uevent_env+0x54e/0x8e0 [ 165.471636][ T5457] gfs2_withdraw+0xf48/0x1550 [ 165.476319][ T5457] ? gfs2_lm+0x240/0x240 [ 165.480555][ T5457] ? gfs2_dirent_scan+0xb2/0x640 [ 165.485484][ T5457] ? panic+0x770/0x770 [ 165.489548][ T5457] ? gfs2_consist_inode_i+0xf5/0x110 [ 165.494832][ T5457] gfs2_dirent_scan+0x512/0x640 [ 165.499677][ T5457] ? gfs2_dirent_scan+0x640/0x640 [ 165.504694][ T5457] gfs2_dir_read+0x82f/0x1af0 [ 165.509367][ T5457] ? inode_dio_wait+0x2ad/0x340 [ 165.514216][ T5457] ? inode_owner_or_capable+0x1c0/0x1c0 [ 165.519759][ T5457] ? gfs2_dir_hash_inval+0x80/0x80 [ 165.524863][ T5457] ? _raw_spin_unlock+0x28/0x40 [ 165.529714][ T5457] ? gfs2_glock_nq+0xcbf/0x16c0 [ 165.534652][ T5457] ? inode_go_held+0xea/0x200 [ 165.539329][ T5457] ? gfs2_glock_wait+0x21a/0x2b0 [ 165.544269][ T5457] gfs2_readdir+0x14e/0x1b0 [ 165.548782][ T5457] ? __fdget_pos+0x254/0x2f0 [ 165.553379][ T5457] ? gfs2_fallocate+0x490/0x490 [ 165.558234][ T5457] ? iterate_dir+0x228/0x570 [ 165.562823][ T5457] ? __down_read_common+0x184/0x2c0 [ 165.568035][ T5457] ? iterate_dir+0x10e/0x570 [ 165.572631][ T5457] iterate_dir+0x228/0x570 [ 165.577047][ T5457] ? gfs2_fallocate+0x490/0x490 [ 165.581901][ T5457] __se_sys_getdents64+0x20d/0x4f0 [ 165.587022][ T5457] ? _raw_spin_unlock_irq+0x2e/0x50 [ 165.592223][ T5457] ? __x64_sys_getdents64+0x80/0x80 [ 165.597442][ T5457] ? filldir+0x740/0x740 [ 165.601688][ T5457] ? syscall_enter_from_user_mode+0x32/0x230 [ 165.607665][ T5457] ? syscall_enter_from_user_mode+0x8c/0x230 [ 165.613648][ T5457] do_syscall_64+0x41/0xc0 [ 165.618069][ T5457] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 165.623966][ T5457] RIP: 0033:0x7f281a11eab9 [ 165.628378][ T5457] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5459] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5457] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5457] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5457] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5456] exit_group(0) = ? [pid 5457] <... futex resumed>) = ? [pid 5459] <... futex resumed>) = ? [pid 5457] +++ exited with 0 +++ [pid 5459] +++ exited with 0 +++ [pid 5456] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5456, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=34 /* 0.34 s */} --- umount2("./113", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./113", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./113/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./113/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 [ 165.647986][ T5457] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 165.656406][ T5457] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 165.664377][ T5457] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 165.672358][ T5457] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 165.680339][ T5457] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 165.688316][ T5457] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 165.696310][ T5457] unlink("./113/binderfs") = 0 umount2("./113/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./113/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./113/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./113/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./113/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./113/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./113") = 0 mkdir("./114", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5460 ./strace-static-x86_64: Process 5460 attached [pid 5460] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5460] chdir("./114") = 0 [pid 5460] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5460] setpgid(0, 0) = 0 [pid 5460] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5460] write(3, "1000", 4) = 4 [pid 5460] close(3) = 0 [pid 5460] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5460] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5460] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5460] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5460] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5461 attached , parent_tid=[5461], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5461 [pid 5460] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5461] set_robust_list(0x7f281a0ca9e0, 24 [pid 5460] <... futex resumed>) = 0 [pid 5461] <... set_robust_list resumed>) = 0 [pid 5460] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5461] memfd_create("syzkaller", 0) = 3 [pid 5461] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5461] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5461] munmap(0x7f2811caa000, 16777216) = 0 [pid 5461] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5461] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5461] close(3) = 0 [pid 5461] mkdir("./file0", 0777) = 0 [ 166.123926][ T5461] loop0: detected capacity change from 0 to 32768 [ 166.137061][ T5461] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 166.145656][ T5461] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 166.155841][ T5461] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 166.164387][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 166.171173][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5461] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5461] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5461] chdir("./file0") = 0 [pid 5461] ioctl(4, LOOP_CLR_FD) = 0 [pid 5461] close(4) = 0 [pid 5461] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5460] <... futex resumed>) = 0 [pid 5460] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5460] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5461] <... futex resumed>) = 1 [pid 5461] open(".", O_RDONLY) = 4 [pid 5461] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5460] <... futex resumed>) = 0 [pid 5460] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5460] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5461] <... futex resumed>) = 1 [ 166.207247][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 166.215431][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 166.220926][ T5461] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 166.251363][ T5461] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 166.260127][ T5461] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 166.260127][ T5461] inode = 12 2341 [ 166.260127][ T5461] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 166.279653][ T5461] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 166.288990][ T5461] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5461 [syz-executor171] iterate_dir+0x228/0x570 [pid 5461] getdents64(4, [pid 5460] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5460] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5460] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5460] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5460] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5463], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5463 [pid 5460] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5460] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5463 attached [pid 5463] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5463] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5463] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5460] <... futex resumed>) = 0 [ 166.299104][ T5461] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 166.307668][ T5461] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 166.315136][ T5461] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 166.324396][ T5461] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 166.331268][ T5461] gfs2: fsid=syz:syz.0: File system withdrawn [ 166.337453][ T5461] CPU: 0 PID: 5461 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 166.347538][ T5461] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 166.357622][ T5461] Call Trace: [ 166.360923][ T5461] [ 166.363873][ T5461] dump_stack_lvl+0x1e7/0x2d0 [ 166.368608][ T5461] ? nf_tcp_handle_invalid+0x650/0x650 [ 166.374103][ T5461] ? panic+0x770/0x770 [ 166.378184][ T5461] ? kobject_uevent_env+0x54e/0x8e0 [ 166.383416][ T5461] gfs2_withdraw+0xf48/0x1550 [ 166.388135][ T5461] ? gfs2_lm+0x240/0x240 [ 166.392396][ T5461] ? gfs2_dirent_scan+0xb2/0x640 [ 166.397358][ T5461] ? panic+0x770/0x770 [ 166.401448][ T5461] ? gfs2_consist_inode_i+0xf5/0x110 [ 166.406751][ T5461] gfs2_dirent_scan+0x512/0x640 [ 166.411607][ T5461] ? gfs2_dirent_scan+0x640/0x640 [ 166.416652][ T5461] gfs2_dir_read+0x82f/0x1af0 [ 166.421360][ T5461] ? inode_dio_wait+0x2ad/0x340 [ 166.426288][ T5461] ? inode_owner_or_capable+0x1c0/0x1c0 [ 166.431849][ T5461] ? gfs2_dir_hash_inval+0x80/0x80 [ 166.436970][ T5461] ? _raw_spin_unlock+0x28/0x40 [ 166.441832][ T5461] ? gfs2_glock_nq+0xcbf/0x16c0 [ 166.446703][ T5461] ? inode_go_held+0xea/0x200 [ 166.451392][ T5461] ? gfs2_glock_wait+0x21a/0x2b0 [ 166.456349][ T5461] gfs2_readdir+0x14e/0x1b0 [ 166.460861][ T5461] ? __fdget_pos+0x254/0x2f0 [ 166.465457][ T5461] ? gfs2_fallocate+0x490/0x490 [ 166.470316][ T5461] ? iterate_dir+0x228/0x570 [ 166.474910][ T5461] ? __down_read_common+0x184/0x2c0 [ 166.480111][ T5461] ? iterate_dir+0x10e/0x570 [ 166.484714][ T5461] iterate_dir+0x228/0x570 [ 166.489152][ T5461] ? gfs2_fallocate+0x490/0x490 [ 166.494027][ T5461] __se_sys_getdents64+0x20d/0x4f0 [ 166.499159][ T5461] ? _raw_spin_unlock_irq+0x2e/0x50 [ 166.504366][ T5461] ? __x64_sys_getdents64+0x80/0x80 [ 166.509570][ T5461] ? filldir+0x740/0x740 [ 166.513824][ T5461] ? syscall_enter_from_user_mode+0x32/0x230 [ 166.519835][ T5461] ? syscall_enter_from_user_mode+0x8c/0x230 [ 166.525880][ T5461] do_syscall_64+0x41/0xc0 [ 166.530311][ T5461] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 166.536205][ T5461] RIP: 0033:0x7f281a11eab9 [ 166.540637][ T5461] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 166.560261][ T5461] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 166.568695][ T5461] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 166.576683][ T5461] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 166.584657][ T5461] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 166.592649][ T5461] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5463] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5461] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5461] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5461] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5460] exit_group(0 [pid 5461] <... futex resumed>) = ? [pid 5460] <... exit_group resumed>) = ? [pid 5463] <... futex resumed>) = ? [pid 5461] +++ exited with 0 +++ [pid 5463] +++ exited with 0 +++ [pid 5460] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5460, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=29 /* 0.29 s */} --- umount2("./114", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./114", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./114/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./114/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./114/binderfs") = 0 [ 166.600630][ T5461] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 166.608623][ T5461] umount2("./114/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./114/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./114/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./114/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./114/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./114/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./114") = 0 mkdir("./115", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5464 ./strace-static-x86_64: Process 5464 attached [pid 5464] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5464] chdir("./115") = 0 [pid 5464] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5464] setpgid(0, 0) = 0 [pid 5464] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5464] write(3, "1000", 4) = 4 [pid 5464] close(3) = 0 [pid 5464] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5464] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5464] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5464] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5464] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5465 attached , parent_tid=[5465], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5465 [pid 5465] set_robust_list(0x7f281a0ca9e0, 24 [pid 5464] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5464] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5465] <... set_robust_list resumed>) = 0 [pid 5465] memfd_create("syzkaller", 0) = 3 [pid 5465] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5465] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5465] munmap(0x7f2811caa000, 16777216) = 0 [pid 5465] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5465] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5465] close(3) = 0 [pid 5465] mkdir("./file0", 0777) = 0 [ 166.988250][ T5465] loop0: detected capacity change from 0 to 32768 [ 167.000349][ T5465] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 167.009006][ T5465] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 167.019481][ T5465] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 167.028375][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 167.035374][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5465] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5465] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5465] chdir("./file0") = 0 [pid 5465] ioctl(4, LOOP_CLR_FD) = 0 [pid 5465] close(4) = 0 [pid 5465] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5464] <... futex resumed>) = 0 [pid 5464] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5464] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5465] <... futex resumed>) = 1 [pid 5465] open(".", O_RDONLY) = 4 [pid 5465] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5464] <... futex resumed>) = 0 [pid 5464] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5464] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5465] <... futex resumed>) = 1 [ 167.071059][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 167.078590][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 167.083975][ T5465] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 167.107053][ T5465] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5465] getdents64(4, [pid 5464] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5464] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5464] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5464] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5464] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5467 attached [pid 5467] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5467] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5464] <... clone resumed>, parent_tid=[5467], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5467 [pid 5464] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5464] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5467] <... futex resumed>) = 0 [ 167.116147][ T5465] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 167.116147][ T5465] inode = 12 2341 [ 167.116147][ T5465] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 167.135768][ T5465] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 167.145454][ T5465] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5465 [syz-executor171] iterate_dir+0x228/0x570 [ 167.161365][ T5465] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5467] open("./file0", O_RDONLY [pid 5464] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 167.164023][ T5467] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 167.170775][ T5465] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 167.185466][ T5467] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 167.194658][ T5467] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5465 [syz-executor171] iterate_dir+0x228/0x570 [ 167.204667][ T5465] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 167.213530][ T5467] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5467 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 167.214731][ T5465] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 167.223662][ T5467] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 167.230673][ T5465] gfs2: fsid=syz:syz.0: File system withdrawn [ 167.244621][ T5465] CPU: 0 PID: 5465 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 167.254688][ T5465] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 167.264785][ T5465] Call Trace: [ 167.268098][ T5465] [ 167.271054][ T5465] dump_stack_lvl+0x1e7/0x2d0 [ 167.275801][ T5465] ? nf_tcp_handle_invalid+0x650/0x650 [ 167.281292][ T5465] ? panic+0x770/0x770 [ 167.285372][ T5465] ? kobject_uevent_env+0x54e/0x8e0 [ 167.290582][ T5465] gfs2_withdraw+0xf48/0x1550 [ 167.295318][ T5465] ? gfs2_lm+0x240/0x240 [ 167.299596][ T5465] ? gfs2_dirent_scan+0xb2/0x640 [ 167.304558][ T5465] ? panic+0x770/0x770 [ 167.308655][ T5465] ? gfs2_consist_inode_i+0xf5/0x110 [ 167.314000][ T5465] gfs2_dirent_scan+0x512/0x640 [ 167.318880][ T5465] ? gfs2_dirent_scan+0x640/0x640 [ 167.323913][ T5465] gfs2_dir_read+0x82f/0x1af0 [ 167.328609][ T5465] ? inode_dio_wait+0x2ad/0x340 [ 167.333511][ T5465] ? inode_owner_or_capable+0x1c0/0x1c0 [ 167.339097][ T5465] ? gfs2_dir_hash_inval+0x80/0x80 [ 167.344236][ T5465] ? _raw_spin_unlock+0x28/0x40 [ 167.349099][ T5465] ? gfs2_glock_nq+0xcbf/0x16c0 [ 167.353988][ T5465] ? inode_go_held+0xea/0x200 [ 167.358671][ T5465] ? gfs2_glock_wait+0x21a/0x2b0 [ 167.363646][ T5465] gfs2_readdir+0x14e/0x1b0 [pid 5464] exit_group(0) = ? [ 167.368192][ T5465] ? __fdget_pos+0x254/0x2f0 [ 167.372806][ T5465] ? gfs2_fallocate+0x490/0x490 [ 167.377672][ T5465] ? iterate_dir+0x228/0x570 [ 167.382280][ T5465] ? __down_read_common+0x184/0x2c0 [ 167.387499][ T5465] ? iterate_dir+0x10e/0x570 [ 167.392117][ T5465] iterate_dir+0x228/0x570 [ 167.396567][ T5465] ? gfs2_fallocate+0x490/0x490 [ 167.401444][ T5465] __se_sys_getdents64+0x20d/0x4f0 [ 167.406566][ T5465] ? _raw_spin_unlock_irq+0x2e/0x50 [ 167.411782][ T5465] ? __x64_sys_getdents64+0x80/0x80 [ 167.417008][ T5465] ? filldir+0x740/0x740 [ 167.421264][ T5465] ? syscall_enter_from_user_mode+0x32/0x230 [ 167.427264][ T5465] ? syscall_enter_from_user_mode+0x8c/0x230 [ 167.433288][ T5465] do_syscall_64+0x41/0xc0 [ 167.437725][ T5465] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 167.443644][ T5465] RIP: 0033:0x7f281a11eab9 [ 167.448062][ T5465] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5467] <... open resumed>) = ? [pid 5465] <... getdents64 resumed> ) = ? [pid 5465] +++ exited with 0 +++ [pid 5467] +++ exited with 0 +++ [pid 5464] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5464, si_uid=0, si_status=0, si_utime=0, si_stime=43 /* 0.43 s */} --- umount2("./115", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./115", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./115/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./115/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./115/binderfs") = 0 [ 167.467676][ T5465] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 167.476110][ T5465] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 167.484086][ T5465] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 167.492080][ T5465] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 167.500062][ T5465] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 167.508063][ T5465] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 167.516065][ T5465] umount2("./115/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./115/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./115/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./115/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./115/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./115/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./115") = 0 mkdir("./116", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5468 ./strace-static-x86_64: Process 5468 attached [pid 5468] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5468] chdir("./116") = 0 [pid 5468] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5468] setpgid(0, 0) = 0 [pid 5468] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5468] write(3, "1000", 4) = 4 [pid 5468] close(3) = 0 [pid 5468] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5468] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5468] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5468] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5468] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5469], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5469 [pid 5468] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5468] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5469 attached [pid 5469] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5469] memfd_create("syzkaller", 0) = 3 [pid 5469] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5469] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5469] munmap(0x7f2811caa000, 16777216) = 0 [pid 5469] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5469] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5469] close(3) = 0 [pid 5469] mkdir("./file0", 0777) = 0 [ 167.869351][ T5469] loop0: detected capacity change from 0 to 32768 [ 167.881087][ T5469] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 167.889488][ T5469] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 167.898866][ T5469] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 167.907755][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 167.914853][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5469] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5469] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5469] chdir("./file0") = 0 [pid 5469] ioctl(4, LOOP_CLR_FD) = 0 [pid 5469] close(4) = 0 [pid 5469] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5468] <... futex resumed>) = 0 [pid 5469] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5468] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5469] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5469] open(".", O_RDONLY) = 4 [pid 5468] <... futex resumed>) = 0 [pid 5469] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5468] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5469] <... futex resumed>) = 0 [pid 5468] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [ 167.953691][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 167.962889][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 167.968385][ T5469] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5469] getdents64(4, [pid 5468] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 167.994573][ T5469] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 168.003123][ T5469] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 168.003123][ T5469] inode = 12 2341 [ 168.003123][ T5469] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 168.022271][ T5469] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 168.031998][ T5469] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5469 [syz-executor171] iterate_dir+0x228/0x570 [pid 5468] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5468] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5468] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5468] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5468] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5471], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5471 [pid 5468] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5468] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5471 attached [pid 5471] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5471] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5471] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5468] <... futex resumed>) = 0 [pid 5471] <... futex resumed>) = 1 [ 168.042002][ T5469] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 168.050544][ T5469] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 168.058457][ T5469] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 168.068018][ T5469] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 168.074715][ T5469] gfs2: fsid=syz:syz.0: File system withdrawn [ 168.080806][ T5469] CPU: 0 PID: 5469 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 168.090886][ T5469] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 168.100973][ T5469] Call Trace: [ 168.104255][ T5469] [ 168.107192][ T5469] dump_stack_lvl+0x1e7/0x2d0 [ 168.111886][ T5469] ? nf_tcp_handle_invalid+0x650/0x650 [ 168.117351][ T5469] ? panic+0x770/0x770 [ 168.121416][ T5469] ? kobject_uevent_env+0x54e/0x8e0 [ 168.126622][ T5469] gfs2_withdraw+0xf48/0x1550 [ 168.131318][ T5469] ? gfs2_lm+0x240/0x240 [ 168.135564][ T5469] ? gfs2_dirent_scan+0xb2/0x640 [ 168.140500][ T5469] ? panic+0x770/0x770 [ 168.144580][ T5469] ? gfs2_consist_inode_i+0xf5/0x110 [ 168.149878][ T5469] gfs2_dirent_scan+0x512/0x640 [ 168.154741][ T5469] ? gfs2_dirent_scan+0x640/0x640 [ 168.159778][ T5469] gfs2_dir_read+0x82f/0x1af0 [ 168.164480][ T5469] ? inode_dio_wait+0x2ad/0x340 [ 168.169345][ T5469] ? inode_owner_or_capable+0x1c0/0x1c0 [ 168.174924][ T5469] ? gfs2_dir_hash_inval+0x80/0x80 [ 168.180041][ T5469] ? _raw_spin_unlock+0x28/0x40 [ 168.184890][ T5469] ? gfs2_glock_nq+0xcbf/0x16c0 [ 168.189767][ T5469] ? inode_go_held+0xea/0x200 [ 168.194448][ T5469] ? gfs2_glock_wait+0x21a/0x2b0 [ 168.199393][ T5469] gfs2_readdir+0x14e/0x1b0 [ 168.203906][ T5469] ? __fdget_pos+0x254/0x2f0 [ 168.208506][ T5469] ? gfs2_fallocate+0x490/0x490 [ 168.213374][ T5469] ? iterate_dir+0x228/0x570 [ 168.217981][ T5469] ? __down_read_common+0x184/0x2c0 [ 168.223205][ T5469] ? iterate_dir+0x10e/0x570 [ 168.227817][ T5469] iterate_dir+0x228/0x570 [ 168.232247][ T5469] ? gfs2_fallocate+0x490/0x490 [ 168.237114][ T5469] __se_sys_getdents64+0x20d/0x4f0 [ 168.242232][ T5469] ? _raw_spin_unlock_irq+0x2e/0x50 [ 168.247434][ T5469] ? __x64_sys_getdents64+0x80/0x80 [ 168.252638][ T5469] ? filldir+0x740/0x740 [ 168.256895][ T5469] ? syscall_enter_from_user_mode+0x32/0x230 [ 168.262903][ T5469] ? syscall_enter_from_user_mode+0x8c/0x230 [ 168.268891][ T5469] do_syscall_64+0x41/0xc0 [ 168.273324][ T5469] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 168.279219][ T5469] RIP: 0033:0x7f281a11eab9 [ 168.283634][ T5469] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 168.303235][ T5469] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 168.311654][ T5469] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 168.319625][ T5469] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 168.327596][ T5469] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 168.335590][ T5469] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5471] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5469] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5469] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5468] exit_group(0 [pid 5469] <... futex resumed>) = ? [pid 5468] <... exit_group resumed>) = ? [pid 5471] <... futex resumed>) = ? [pid 5469] +++ exited with 0 +++ [pid 5471] +++ exited with 0 +++ [pid 5468] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5468, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=33 /* 0.33 s */} --- umount2("./116", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./116", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./116/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./116/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./116/binderfs") = 0 [ 168.343575][ T5469] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 168.351566][ T5469] umount2("./116/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./116/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./116/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./116/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./116/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./116/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./116") = 0 mkdir("./117", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5472 ./strace-static-x86_64: Process 5472 attached [pid 5472] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5472] chdir("./117") = 0 [pid 5472] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5472] setpgid(0, 0) = 0 [pid 5472] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5472] write(3, "1000", 4) = 4 [pid 5472] close(3) = 0 [pid 5472] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5472] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5472] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5472] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5472] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5473 attached [pid 5473] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5473] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5472] <... clone resumed>, parent_tid=[5473], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5473 [pid 5472] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5473] <... futex resumed>) = 0 [pid 5472] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5473] memfd_create("syzkaller", 0) = 3 [pid 5473] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5473] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5473] munmap(0x7f2811caa000, 16777216) = 0 [pid 5473] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5473] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5473] close(3) = 0 [pid 5473] mkdir("./file0", 0777) = 0 [ 168.702508][ T5473] loop0: detected capacity change from 0 to 32768 [ 168.713979][ T5473] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 168.722159][ T5473] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 168.732183][ T5473] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 168.740891][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 168.747858][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5473] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5473] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5473] chdir("./file0") = 0 [pid 5473] ioctl(4, LOOP_CLR_FD) = 0 [pid 5473] close(4) = 0 [pid 5473] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5472] <... futex resumed>) = 0 [pid 5472] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5472] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5473] <... futex resumed>) = 1 [pid 5473] open(".", O_RDONLY) = 4 [pid 5473] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5472] <... futex resumed>) = 0 [pid 5472] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5473] <... futex resumed>) = 1 [pid 5472] <... futex resumed>) = 0 [pid 5473] getdents64(4, [ 168.793724][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 168.801950][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 168.807292][ T5473] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 168.822578][ T5473] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 168.831654][ T5473] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 168.831654][ T5473] inode = 12 2341 [pid 5472] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5472] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5472] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5472] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5472] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5475], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5475 [pid 5472] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5472] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5475 attached [pid 5475] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5475] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5475] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5472] <... futex resumed>) = 0 [pid 5475] <... futex resumed>) = 1 [ 168.831654][ T5473] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 168.850465][ T5473] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 168.859604][ T5473] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5473 [syz-executor171] iterate_dir+0x228/0x570 [ 168.869747][ T5473] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 168.879338][ T5473] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 168.886681][ T5473] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 168.895581][ T5473] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 168.902466][ T5473] gfs2: fsid=syz:syz.0: File system withdrawn [ 168.909164][ T5473] CPU: 0 PID: 5473 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 168.919234][ T5473] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 168.929323][ T5473] Call Trace: [ 168.932611][ T5473] [ 168.935541][ T5473] dump_stack_lvl+0x1e7/0x2d0 [ 168.940226][ T5473] ? nf_tcp_handle_invalid+0x650/0x650 [ 168.945699][ T5473] ? panic+0x770/0x770 [ 168.949769][ T5473] ? kobject_uevent_env+0x54e/0x8e0 [ 168.954980][ T5473] gfs2_withdraw+0xf48/0x1550 [ 168.959677][ T5473] ? gfs2_lm+0x240/0x240 [ 168.963922][ T5473] ? gfs2_dirent_scan+0xb2/0x640 [ 168.968863][ T5473] ? panic+0x770/0x770 [ 168.972932][ T5473] ? gfs2_consist_inode_i+0xf5/0x110 [ 168.978238][ T5473] gfs2_dirent_scan+0x512/0x640 [ 168.983122][ T5473] ? gfs2_dirent_scan+0x640/0x640 [ 168.988162][ T5473] gfs2_dir_read+0x82f/0x1af0 [ 168.992860][ T5473] ? inode_dio_wait+0x2ad/0x340 [ 168.997723][ T5473] ? inode_owner_or_capable+0x1c0/0x1c0 [ 169.003292][ T5473] ? gfs2_dir_hash_inval+0x80/0x80 [ 169.008422][ T5473] ? _raw_spin_unlock+0x28/0x40 [ 169.013288][ T5473] ? gfs2_glock_nq+0xcbf/0x16c0 [ 169.018180][ T5473] ? inode_go_held+0xea/0x200 [ 169.022874][ T5473] ? gfs2_glock_wait+0x21a/0x2b0 [ 169.027827][ T5473] gfs2_readdir+0x14e/0x1b0 [ 169.032344][ T5473] ? __fdget_pos+0x254/0x2f0 [ 169.036939][ T5473] ? gfs2_fallocate+0x490/0x490 [ 169.041798][ T5473] ? iterate_dir+0x228/0x570 [ 169.046397][ T5473] ? __down_read_common+0x184/0x2c0 [ 169.051611][ T5473] ? iterate_dir+0x10e/0x570 [ 169.056224][ T5473] iterate_dir+0x228/0x570 [ 169.060646][ T5473] ? gfs2_fallocate+0x490/0x490 [ 169.065501][ T5473] __se_sys_getdents64+0x20d/0x4f0 [ 169.070613][ T5473] ? _raw_spin_unlock_irq+0x2e/0x50 [ 169.075817][ T5473] ? __x64_sys_getdents64+0x80/0x80 [ 169.081020][ T5473] ? filldir+0x740/0x740 [ 169.085271][ T5473] ? syscall_enter_from_user_mode+0x32/0x230 [ 169.091255][ T5473] ? syscall_enter_from_user_mode+0x8c/0x230 [ 169.097234][ T5473] do_syscall_64+0x41/0xc0 [ 169.101656][ T5473] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 169.107573][ T5473] RIP: 0033:0x7f281a11eab9 [ 169.111993][ T5473] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 169.131604][ T5473] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5475] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5473] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5473] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5473] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5472] exit_group(0) = ? [pid 5473] <... futex resumed>) = ? [pid 5473] +++ exited with 0 +++ [pid 5475] <... futex resumed>) = ? [pid 5475] +++ exited with 0 +++ [pid 5472] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5472, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./117", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./117", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./117/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./117/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./117/binderfs") = 0 [ 169.140023][ T5473] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 169.147998][ T5473] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 169.155966][ T5473] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 169.163930][ T5473] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 169.171896][ T5473] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 169.179972][ T5473] umount2("./117/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./117/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./117/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./117/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./117/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./117/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./117") = 0 mkdir("./118", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5476 ./strace-static-x86_64: Process 5476 attached [pid 5476] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5476] chdir("./118") = 0 [pid 5476] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5476] setpgid(0, 0) = 0 [pid 5476] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5476] write(3, "1000", 4) = 4 [pid 5476] close(3) = 0 [pid 5476] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5476] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5476] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5476] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5476] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5477 attached [pid 5477] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5477] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5476] <... clone resumed>, parent_tid=[5477], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5477 [pid 5476] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5477] <... futex resumed>) = 0 [pid 5476] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5477] memfd_create("syzkaller", 0) = 3 [pid 5477] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5477] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5477] munmap(0x7f2811caa000, 16777216) = 0 [pid 5477] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5477] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5477] close(3) = 0 [pid 5477] mkdir("./file0", 0777) = 0 [ 169.531081][ T5477] loop0: detected capacity change from 0 to 32768 [ 169.541521][ T5477] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 169.549828][ T5477] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 169.559114][ T5477] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 169.567621][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 169.574677][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5477] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5477] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5477] chdir("./file0") = 0 [pid 5477] ioctl(4, LOOP_CLR_FD) = 0 [pid 5477] close(4) = 0 [pid 5477] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5476] <... futex resumed>) = 0 [pid 5476] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5476] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5477] open(".", O_RDONLY) = 4 [pid 5477] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5476] <... futex resumed>) = 0 [pid 5476] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5476] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5477] <... futex resumed>) = 1 [ 169.614803][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 169.623989][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 169.629249][ T5477] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 169.663989][ T5477] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 169.672529][ T5477] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 169.672529][ T5477] inode = 12 2341 [ 169.672529][ T5477] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 169.692160][ T5477] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 169.701518][ T5477] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5477 [syz-executor171] iterate_dir+0x228/0x570 [pid 5477] getdents64(4, [pid 5476] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5476] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5476] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5476] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5476] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5479], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5479 [pid 5476] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5476] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5479 attached [pid 5479] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5479] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5479] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5476] <... futex resumed>) = 0 [pid 5479] <... futex resumed>) = 1 [ 169.711656][ T5477] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 169.720349][ T5477] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 169.728581][ T5477] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 169.737964][ T5477] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 169.746484][ T5477] gfs2: fsid=syz:syz.0: File system withdrawn [ 169.752579][ T5477] CPU: 0 PID: 5477 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 169.762655][ T5477] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 169.772736][ T5477] Call Trace: [ 169.776031][ T5477] [ 169.778992][ T5477] dump_stack_lvl+0x1e7/0x2d0 [ 169.783715][ T5477] ? nf_tcp_handle_invalid+0x650/0x650 [ 169.789218][ T5477] ? panic+0x770/0x770 [ 169.793339][ T5477] ? kobject_uevent_env+0x54e/0x8e0 [ 169.798573][ T5477] gfs2_withdraw+0xf48/0x1550 [ 169.803290][ T5477] ? gfs2_lm+0x240/0x240 [ 169.807546][ T5477] ? gfs2_dirent_scan+0xb2/0x640 [pid 5479] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5476] exit_group(0 [pid 5479] <... futex resumed>) = ? [pid 5476] <... exit_group resumed>) = ? [pid 5479] +++ exited with 0 +++ [ 169.812528][ T5477] ? panic+0x770/0x770 [ 169.816616][ T5477] ? gfs2_consist_inode_i+0xf5/0x110 [ 169.821952][ T5477] gfs2_dirent_scan+0x512/0x640 [ 169.826811][ T5477] ? gfs2_dirent_scan+0x640/0x640 [ 169.831839][ T5477] gfs2_dir_read+0x82f/0x1af0 [ 169.836530][ T5477] ? inode_dio_wait+0x2ad/0x340 [ 169.841407][ T5477] ? inode_owner_or_capable+0x1c0/0x1c0 [ 169.846971][ T5477] ? gfs2_dir_hash_inval+0x80/0x80 [ 169.852106][ T5477] ? _raw_spin_unlock+0x28/0x40 [ 169.856968][ T5477] ? gfs2_glock_nq+0xcbf/0x16c0 [ 169.861825][ T5477] ? inode_go_held+0xea/0x200 [ 169.866503][ T5477] ? gfs2_glock_wait+0x21a/0x2b0 [ 169.871442][ T5477] gfs2_readdir+0x14e/0x1b0 [ 169.875947][ T5477] ? __fdget_pos+0x254/0x2f0 [ 169.880546][ T5477] ? gfs2_fallocate+0x490/0x490 [ 169.885423][ T5477] ? iterate_dir+0x228/0x570 [ 169.890020][ T5477] ? __down_read_common+0x184/0x2c0 [ 169.895235][ T5477] ? iterate_dir+0x10e/0x570 [ 169.899865][ T5477] iterate_dir+0x228/0x570 [ 169.904283][ T5477] ? gfs2_fallocate+0x490/0x490 [ 169.909143][ T5477] __se_sys_getdents64+0x20d/0x4f0 [ 169.914288][ T5477] ? _raw_spin_unlock_irq+0x2e/0x50 [ 169.919503][ T5477] ? __x64_sys_getdents64+0x80/0x80 [ 169.924707][ T5477] ? filldir+0x740/0x740 [ 169.928953][ T5477] ? syscall_enter_from_user_mode+0x32/0x230 [ 169.934945][ T5477] ? syscall_enter_from_user_mode+0x8c/0x230 [ 169.940971][ T5477] do_syscall_64+0x41/0xc0 [ 169.945442][ T5477] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 169.951377][ T5477] RIP: 0033:0x7f281a11eab9 [ 169.955798][ T5477] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 169.975402][ T5477] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 169.983814][ T5477] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 169.991779][ T5477] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 169.999743][ T5477] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 170.007724][ T5477] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5477] <... getdents64 resumed> ) = ? [pid 5477] +++ exited with 0 +++ [pid 5476] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5476, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./118", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./118", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./118/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./118/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./118/binderfs") = 0 [ 170.015714][ T5477] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 170.023693][ T5477] umount2("./118/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./118/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./118/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./118/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./118/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./118/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./118") = 0 mkdir("./119", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5480 ./strace-static-x86_64: Process 5480 attached [pid 5480] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5480] chdir("./119") = 0 [pid 5480] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5480] setpgid(0, 0) = 0 [pid 5480] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5480] write(3, "1000", 4) = 4 [pid 5480] close(3) = 0 [pid 5480] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5480] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5480] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5480] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5480] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5481], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5481 ./strace-static-x86_64: Process 5481 attached [pid 5480] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5481] set_robust_list(0x7f281a0ca9e0, 24 [pid 5480] <... futex resumed>) = 0 [pid 5480] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5481] <... set_robust_list resumed>) = 0 [pid 5481] memfd_create("syzkaller", 0) = 3 [pid 5481] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5481] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5481] munmap(0x7f2811caa000, 16777216) = 0 [pid 5481] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5481] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5481] close(3) = 0 [pid 5481] mkdir("./file0", 0777) = 0 [ 170.403838][ T5481] loop0: detected capacity change from 0 to 32768 [ 170.415935][ T5481] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 170.424171][ T5481] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 170.433887][ T5481] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 170.442497][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 170.449763][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5481] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5481] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5481] chdir("./file0") = 0 [pid 5481] ioctl(4, LOOP_CLR_FD) = 0 [pid 5481] close(4) = 0 [pid 5481] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5480] <... futex resumed>) = 0 [pid 5480] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5480] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5481] open(".", O_RDONLY) = 4 [pid 5481] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5480] <... futex resumed>) = 0 [pid 5481] <... futex resumed>) = 1 [pid 5480] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5480] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 170.499560][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 49ms [ 170.507380][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 170.512930][ T5481] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5481] getdents64(4, [pid 5480] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5480] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5480] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5480] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5480] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5480] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5483], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5483 [pid 5480] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 170.541618][ T5481] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 170.550114][ T5481] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 170.550114][ T5481] inode = 12 2341 [ 170.550114][ T5481] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 170.569098][ T5481] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 170.578274][ T5481] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5481 [syz-executor171] iterate_dir+0x228/0x570 [pid 5480] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5483 attached [pid 5483] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 170.589334][ T5481] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 170.594203][ T5483] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 170.606832][ T5483] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 170.606832][ T5483] inode = 12 2341 [ 170.606832][ T5483] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 170.625478][ T5481] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 170.625496][ T5481] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5483] open("./file0", O_RDONLY [pid 5480] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 170.625512][ T5481] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 170.628183][ T5481] gfs2: fsid=syz:syz.0: File system withdrawn [ 170.633060][ T5483] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 170.648016][ T5481] CPU: 0 PID: 5481 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 170.648043][ T5481] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 170.648057][ T5481] Call Trace: [ 170.648065][ T5481] [ 170.648075][ T5481] dump_stack_lvl+0x1e7/0x2d0 [ 170.656847][ T5483] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5481 [syz-executor171] iterate_dir+0x228/0x570 [ 170.663135][ T5481] ? nf_tcp_handle_invalid+0x650/0x650 [ 170.673835][ T5483] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5483 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 170.683250][ T5481] ? panic+0x770/0x770 [ 170.683279][ T5481] ? kobject_uevent_env+0x54e/0x8e0 [ 170.683318][ T5481] gfs2_withdraw+0xf48/0x1550 [ 170.683365][ T5481] ? gfs2_lm+0x240/0x240 [ 170.687423][ T5483] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 170.689556][ T5481] ? gfs2_dirent_scan+0xb2/0x640 [ 170.689587][ T5481] ? panic+0x770/0x770 [ 170.755320][ T5481] ? gfs2_consist_inode_i+0xf5/0x110 [ 170.760622][ T5481] gfs2_dirent_scan+0x512/0x640 [ 170.765499][ T5481] ? gfs2_dirent_scan+0x640/0x640 [ 170.770541][ T5481] gfs2_dir_read+0x82f/0x1af0 [ 170.775226][ T5481] ? inode_dio_wait+0x2ad/0x340 [ 170.780102][ T5481] ? inode_owner_or_capable+0x1c0/0x1c0 [ 170.785687][ T5481] ? gfs2_dir_hash_inval+0x80/0x80 [pid 5480] exit_group(0) = ? [ 170.790818][ T5481] ? _raw_spin_unlock+0x28/0x40 [ 170.795680][ T5481] ? gfs2_glock_nq+0xcbf/0x16c0 [ 170.800567][ T5481] ? inode_go_held+0xea/0x200 [ 170.805264][ T5481] ? gfs2_glock_wait+0x21a/0x2b0 [ 170.810222][ T5481] gfs2_readdir+0x14e/0x1b0 [ 170.814730][ T5481] ? __fdget_pos+0x254/0x2f0 [ 170.819341][ T5481] ? gfs2_fallocate+0x490/0x490 [ 170.824216][ T5481] ? iterate_dir+0x228/0x570 [ 170.828821][ T5481] ? __down_read_common+0x184/0x2c0 [ 170.834016][ T5481] ? iterate_dir+0x10e/0x570 [ 170.838613][ T5481] iterate_dir+0x228/0x570 [ 170.843049][ T5481] ? gfs2_fallocate+0x490/0x490 [ 170.847939][ T5481] __se_sys_getdents64+0x20d/0x4f0 [ 170.853070][ T5481] ? _raw_spin_unlock_irq+0x2e/0x50 [ 170.858296][ T5481] ? __x64_sys_getdents64+0x80/0x80 [ 170.863521][ T5481] ? filldir+0x740/0x740 [ 170.867793][ T5481] ? syscall_enter_from_user_mode+0x32/0x230 [ 170.873799][ T5481] ? syscall_enter_from_user_mode+0x8c/0x230 [ 170.879881][ T5481] do_syscall_64+0x41/0xc0 [ 170.884397][ T5481] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 170.890306][ T5481] RIP: 0033:0x7f281a11eab9 [ 170.894718][ T5481] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 170.914321][ T5481] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 170.922745][ T5481] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 170.930714][ T5481] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [pid 5483] <... open resumed>) = ? [pid 5481] <... getdents64 resumed> ) = ? [pid 5483] +++ exited with 0 +++ [pid 5481] +++ exited with 0 +++ [pid 5480] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5480, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./119", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./119", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./119/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./119/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./119/binderfs") = 0 [ 170.938692][ T5481] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 170.946706][ T5481] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 170.954676][ T5481] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 170.962661][ T5481] umount2("./119/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./119/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./119/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./119/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./119/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./119/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./119") = 0 mkdir("./120", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5484 ./strace-static-x86_64: Process 5484 attached [pid 5484] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5484] chdir("./120") = 0 [pid 5484] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5484] setpgid(0, 0) = 0 [pid 5484] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5484] write(3, "1000", 4) = 4 [pid 5484] close(3) = 0 [pid 5484] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5484] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5484] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5484] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5484] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5485], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5485 [pid 5484] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5484] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5485 attached [pid 5485] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5485] memfd_create("syzkaller", 0) = 3 [pid 5485] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5485] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5485] munmap(0x7f2811caa000, 16777216) = 0 [pid 5485] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5485] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5485] close(3) = 0 [pid 5485] mkdir("./file0", 0777) = 0 [ 171.327231][ T5485] loop0: detected capacity change from 0 to 32768 [ 171.339818][ T5485] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 171.348496][ T5485] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 171.358629][ T5485] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 171.367467][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 171.374469][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5485] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5485] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5485] chdir("./file0") = 0 [pid 5485] ioctl(4, LOOP_CLR_FD) = 0 [pid 5485] close(4) = 0 [pid 5485] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5484] <... futex resumed>) = 0 [pid 5485] <... futex resumed>) = 1 [pid 5484] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5484] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5485] open(".", O_RDONLY) = 4 [pid 5485] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5484] <... futex resumed>) = 0 [pid 5484] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5485] getdents64(4, [ 171.409229][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 171.418359][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 171.423810][ T5485] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 171.452099][ T5485] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 171.460583][ T5485] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 171.460583][ T5485] inode = 12 2341 [ 171.460583][ T5485] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 171.479362][ T5485] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 171.489139][ T5485] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5485 [syz-executor171] iterate_dir+0x228/0x570 [pid 5484] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5484] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5484] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5484] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5484] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5487], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5487 [pid 5484] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5484] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5487 attached [pid 5487] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5487] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5487] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5484] <... futex resumed>) = 0 [pid 5487] <... futex resumed>) = 1 [ 171.499330][ T5485] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 171.508399][ T5485] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 171.515919][ T5485] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 171.525068][ T5485] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 171.531897][ T5485] gfs2: fsid=syz:syz.0: File system withdrawn [ 171.538447][ T5485] CPU: 1 PID: 5485 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 171.548519][ T5485] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 171.558572][ T5485] Call Trace: [ 171.561849][ T5485] [ 171.564778][ T5485] dump_stack_lvl+0x1e7/0x2d0 [ 171.569457][ T5485] ? nf_tcp_handle_invalid+0x650/0x650 [ 171.574920][ T5485] ? panic+0x770/0x770 [ 171.578981][ T5485] ? kobject_uevent_env+0x54e/0x8e0 [ 171.584200][ T5485] gfs2_withdraw+0xf48/0x1550 [ 171.588898][ T5485] ? gfs2_lm+0x240/0x240 [ 171.593145][ T5485] ? gfs2_dirent_scan+0xb2/0x640 [ 171.598082][ T5485] ? panic+0x770/0x770 [ 171.602153][ T5485] ? gfs2_consist_inode_i+0xf5/0x110 [ 171.607438][ T5485] gfs2_dirent_scan+0x512/0x640 [ 171.612295][ T5485] ? gfs2_dirent_scan+0x640/0x640 [ 171.617319][ T5485] gfs2_dir_read+0x82f/0x1af0 [ 171.622001][ T5485] ? inode_dio_wait+0x2ad/0x340 [ 171.626861][ T5485] ? inode_owner_or_capable+0x1c0/0x1c0 [ 171.632412][ T5485] ? gfs2_dir_hash_inval+0x80/0x80 [ 171.637526][ T5485] ? _raw_spin_unlock+0x28/0x40 [ 171.642391][ T5485] ? gfs2_glock_nq+0xcbf/0x16c0 [ 171.647253][ T5485] ? inode_go_held+0xea/0x200 [ 171.652632][ T5485] ? gfs2_glock_wait+0x21a/0x2b0 [ 171.657637][ T5485] gfs2_readdir+0x14e/0x1b0 [ 171.662153][ T5485] ? __fdget_pos+0x254/0x2f0 [ 171.666753][ T5485] ? gfs2_fallocate+0x490/0x490 [ 171.671624][ T5485] ? iterate_dir+0x228/0x570 [ 171.676229][ T5485] ? __down_read_common+0x184/0x2c0 [ 171.681435][ T5485] ? iterate_dir+0x10e/0x570 [ 171.686049][ T5485] iterate_dir+0x228/0x570 [ 171.690479][ T5485] ? gfs2_fallocate+0x490/0x490 [ 171.695346][ T5485] __se_sys_getdents64+0x20d/0x4f0 [ 171.700469][ T5485] ? _raw_spin_unlock_irq+0x2e/0x50 [ 171.705690][ T5485] ? __x64_sys_getdents64+0x80/0x80 [ 171.710901][ T5485] ? filldir+0x740/0x740 [ 171.715166][ T5485] ? syscall_enter_from_user_mode+0x32/0x230 [ 171.721156][ T5485] ? syscall_enter_from_user_mode+0x8c/0x230 [ 171.727158][ T5485] do_syscall_64+0x41/0xc0 [ 171.731590][ T5485] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 171.737486][ T5485] RIP: 0033:0x7f281a11eab9 [ 171.741904][ T5485] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 171.761506][ T5485] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 171.769923][ T5485] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 171.777898][ T5485] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 171.785873][ T5485] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 171.793854][ T5485] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5487] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5485] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5485] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5484] exit_group(0 [pid 5487] <... futex resumed>) = ? [pid 5484] <... exit_group resumed>) = ? [pid 5487] +++ exited with 0 +++ [pid 5485] +++ exited with 0 +++ [pid 5484] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5484, si_uid=0, si_status=0, si_utime=0, si_stime=33 /* 0.33 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./120", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./120", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./120/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./120/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./120/binderfs") = 0 [ 171.801826][ T5485] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 171.809835][ T5485] umount2("./120/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./120/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./120/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./120/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./120/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./120/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./120") = 0 mkdir("./121", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5488 ./strace-static-x86_64: Process 5488 attached [pid 5488] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5488] chdir("./121") = 0 [pid 5488] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5488] setpgid(0, 0) = 0 [pid 5488] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5488] write(3, "1000", 4) = 4 [pid 5488] close(3) = 0 [pid 5488] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5488] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5488] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5488] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5488] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5489], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5489 [pid 5488] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5488] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5489 attached [pid 5489] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5489] memfd_create("syzkaller", 0) = 3 [pid 5489] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5489] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5489] munmap(0x7f2811caa000, 16777216) = 0 [pid 5489] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5489] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5489] close(3) = 0 [pid 5489] mkdir("./file0", 0777) = 0 [ 172.157292][ T5489] loop0: detected capacity change from 0 to 32768 [ 172.167985][ T5489] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 172.176684][ T5489] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 172.187174][ T5489] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 172.195925][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 172.202699][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5489] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5489] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5489] chdir("./file0") = 0 [pid 5489] ioctl(4, LOOP_CLR_FD) = 0 [pid 5489] close(4) = 0 [pid 5489] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5488] <... futex resumed>) = 0 [pid 5488] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5488] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5489] <... futex resumed>) = 1 [pid 5489] open(".", O_RDONLY) = 4 [pid 5489] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5488] <... futex resumed>) = 0 [pid 5488] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5488] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5489] <... futex resumed>) = 1 [ 172.240126][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 172.249189][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 172.254547][ T5489] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 172.275364][ T5489] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5489] getdents64(4, [pid 5488] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5488] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5488] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5488] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5488] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5491], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5491 [pid 5488] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5488] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5491 attached [pid 5491] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5491] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5491] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5488] <... futex resumed>) = 0 [pid 5491] <... futex resumed>) = 1 [ 172.283911][ T5489] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 172.283911][ T5489] inode = 12 2341 [ 172.283911][ T5489] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 172.302932][ T5489] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 172.313248][ T5489] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5489 [syz-executor171] iterate_dir+0x228/0x570 [ 172.323824][ T5489] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 172.332413][ T5489] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 172.340433][ T5489] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 172.349505][ T5489] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 172.356373][ T5489] gfs2: fsid=syz:syz.0: File system withdrawn [ 172.363103][ T5489] CPU: 0 PID: 5489 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 172.373214][ T5489] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 172.383286][ T5489] Call Trace: [ 172.386576][ T5489] [ 172.389503][ T5489] dump_stack_lvl+0x1e7/0x2d0 [ 172.394187][ T5489] ? nf_tcp_handle_invalid+0x650/0x650 [ 172.399657][ T5489] ? panic+0x770/0x770 [ 172.403747][ T5489] ? kobject_uevent_env+0x54e/0x8e0 [ 172.408972][ T5489] gfs2_withdraw+0xf48/0x1550 [ 172.413685][ T5489] ? gfs2_lm+0x240/0x240 [ 172.417946][ T5489] ? gfs2_dirent_scan+0xb2/0x640 [ 172.422900][ T5489] ? panic+0x770/0x770 [ 172.427004][ T5489] ? gfs2_consist_inode_i+0xf5/0x110 [ 172.432311][ T5489] gfs2_dirent_scan+0x512/0x640 [ 172.437183][ T5489] ? gfs2_dirent_scan+0x640/0x640 [ 172.442216][ T5489] gfs2_dir_read+0x82f/0x1af0 [ 172.446929][ T5489] ? inode_dio_wait+0x2ad/0x340 [ 172.451798][ T5489] ? inode_owner_or_capable+0x1c0/0x1c0 [ 172.457357][ T5489] ? gfs2_dir_hash_inval+0x80/0x80 [ 172.462484][ T5489] ? _raw_spin_unlock+0x28/0x40 [ 172.467351][ T5489] ? gfs2_glock_nq+0xcbf/0x16c0 [ 172.472232][ T5489] ? inode_go_held+0xea/0x200 [ 172.476925][ T5489] ? gfs2_glock_wait+0x21a/0x2b0 [ 172.481889][ T5489] gfs2_readdir+0x14e/0x1b0 [ 172.486395][ T5489] ? __fdget_pos+0x254/0x2f0 [ 172.491006][ T5489] ? gfs2_fallocate+0x490/0x490 [ 172.495876][ T5489] ? iterate_dir+0x228/0x570 [ 172.500490][ T5489] ? __down_read_common+0x184/0x2c0 [ 172.505716][ T5489] ? iterate_dir+0x10e/0x570 [ 172.510328][ T5489] iterate_dir+0x228/0x570 [ 172.514804][ T5489] ? gfs2_fallocate+0x490/0x490 [ 172.519688][ T5489] __se_sys_getdents64+0x20d/0x4f0 [ 172.524835][ T5489] ? _raw_spin_unlock_irq+0x2e/0x50 [ 172.530045][ T5489] ? __x64_sys_getdents64+0x80/0x80 [ 172.535262][ T5489] ? filldir+0x740/0x740 [ 172.539553][ T5489] ? syscall_enter_from_user_mode+0x32/0x230 [ 172.545555][ T5489] ? syscall_enter_from_user_mode+0x8c/0x230 [ 172.551536][ T5489] do_syscall_64+0x41/0xc0 [ 172.555965][ T5489] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 172.561876][ T5489] RIP: 0033:0x7f281a11eab9 [ 172.566319][ T5489] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5491] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5489] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5489] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5489] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5488] exit_group(0 [pid 5491] <... futex resumed>) = ? [pid 5488] <... exit_group resumed>) = ? [pid 5491] +++ exited with 0 +++ [pid 5489] <... futex resumed>) = ? [pid 5489] +++ exited with 0 +++ [pid 5488] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5488, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=31 /* 0.31 s */} --- umount2("./121", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./121", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./121/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./121/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./121/binderfs") = 0 [ 172.586044][ T5489] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 172.594496][ T5489] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 172.602484][ T5489] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 172.610449][ T5489] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 172.618433][ T5489] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 172.626430][ T5489] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 172.634417][ T5489] umount2("./121/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./121/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./121/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./121/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./121/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./121/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./121") = 0 mkdir("./122", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5492 ./strace-static-x86_64: Process 5492 attached [pid 5492] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5492] chdir("./122") = 0 [pid 5492] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5492] setpgid(0, 0) = 0 [pid 5492] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5492] write(3, "1000", 4) = 4 [pid 5492] close(3) = 0 [pid 5492] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5492] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5492] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5492] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5492] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5493 attached , parent_tid=[5493], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5493 [pid 5492] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5492] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5493] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5493] memfd_create("syzkaller", 0) = 3 [pid 5493] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5493] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5493] munmap(0x7f2811caa000, 16777216) = 0 [pid 5493] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5493] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5493] close(3) = 0 [pid 5493] mkdir("./file0", 0777) = 0 [ 173.006559][ T5493] loop0: detected capacity change from 0 to 32768 [ 173.027406][ T5493] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 173.035683][ T5493] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 173.045103][ T5493] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 173.053651][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 173.060431][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5493] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5493] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5493] chdir("./file0") = 0 [pid 5493] ioctl(4, LOOP_CLR_FD) = 0 [pid 5493] close(4) = 0 [pid 5493] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5492] <... futex resumed>) = 0 [pid 5493] open(".", O_RDONLY [pid 5492] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5493] <... open resumed>) = 4 [pid 5492] <... futex resumed>) = 0 [pid 5493] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5492] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5493] <... futex resumed>) = 0 [pid 5492] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5493] getdents64(4, [pid 5492] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 173.109165][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 48ms [ 173.116948][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 173.122182][ T5493] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 173.136199][ T5493] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 173.145186][ T5493] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 173.145186][ T5493] inode = 12 2341 [pid 5492] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5492] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5492] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5492] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5492] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5495], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5495 [pid 5492] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5492] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5495 attached [pid 5495] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5495] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5495] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5492] <... futex resumed>) = 0 [pid 5495] <... futex resumed>) = 1 [ 173.145186][ T5493] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 173.164702][ T5493] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 173.174086][ T5493] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5493 [syz-executor171] iterate_dir+0x228/0x570 [ 173.184288][ T5493] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 173.192744][ T5493] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 173.200579][ T5493] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 173.210206][ T5493] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 173.217017][ T5493] gfs2: fsid=syz:syz.0: File system withdrawn [ 173.223097][ T5493] CPU: 0 PID: 5493 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 173.233198][ T5493] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 173.243295][ T5493] Call Trace: [ 173.246592][ T5493] [ 173.249520][ T5493] dump_stack_lvl+0x1e7/0x2d0 [ 173.254206][ T5493] ? nf_tcp_handle_invalid+0x650/0x650 [ 173.259679][ T5493] ? panic+0x770/0x770 [ 173.263745][ T5493] ? kobject_uevent_env+0x54e/0x8e0 [ 173.268967][ T5493] gfs2_withdraw+0xf48/0x1550 [ 173.273680][ T5493] ? gfs2_lm+0x240/0x240 [ 173.277930][ T5493] ? gfs2_dirent_scan+0xb2/0x640 [ 173.282880][ T5493] ? panic+0x770/0x770 [ 173.286989][ T5493] ? gfs2_consist_inode_i+0xf5/0x110 [ 173.292297][ T5493] gfs2_dirent_scan+0x512/0x640 [ 173.297158][ T5493] ? gfs2_dirent_scan+0x640/0x640 [ 173.302187][ T5493] gfs2_dir_read+0x82f/0x1af0 [pid 5495] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5492] exit_group(0 [pid 5495] <... futex resumed>) = ? [pid 5492] <... exit_group resumed>) = ? [pid 5495] +++ exited with 0 +++ [ 173.306883][ T5493] ? inode_dio_wait+0x2ad/0x340 [ 173.311762][ T5493] ? inode_owner_or_capable+0x1c0/0x1c0 [ 173.317317][ T5493] ? gfs2_dir_hash_inval+0x80/0x80 [ 173.322441][ T5493] ? _raw_spin_unlock+0x28/0x40 [ 173.327425][ T5493] ? gfs2_glock_nq+0xcbf/0x16c0 [ 173.332294][ T5493] ? inode_go_held+0xea/0x200 [ 173.336988][ T5493] ? gfs2_glock_wait+0x21a/0x2b0 [ 173.341981][ T5493] gfs2_readdir+0x14e/0x1b0 [ 173.346504][ T5493] ? __fdget_pos+0x254/0x2f0 [ 173.351117][ T5493] ? gfs2_fallocate+0x490/0x490 [ 173.355979][ T5493] ? iterate_dir+0x228/0x570 [ 173.360590][ T5493] ? __down_read_common+0x184/0x2c0 [ 173.365824][ T5493] ? iterate_dir+0x10e/0x570 [ 173.370439][ T5493] iterate_dir+0x228/0x570 [ 173.374899][ T5493] ? gfs2_fallocate+0x490/0x490 [ 173.379876][ T5493] __se_sys_getdents64+0x20d/0x4f0 [ 173.384996][ T5493] ? _raw_spin_unlock_irq+0x2e/0x50 [ 173.390214][ T5493] ? __x64_sys_getdents64+0x80/0x80 [ 173.395439][ T5493] ? filldir+0x740/0x740 [ 173.399818][ T5493] ? syscall_enter_from_user_mode+0x32/0x230 [ 173.405815][ T5493] ? syscall_enter_from_user_mode+0x8c/0x230 [ 173.411814][ T5493] do_syscall_64+0x41/0xc0 [ 173.416241][ T5493] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 173.422141][ T5493] RIP: 0033:0x7f281a11eab9 [ 173.426578][ T5493] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 173.446198][ T5493] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5493] <... getdents64 resumed> ) = ? [pid 5493] +++ exited with 0 +++ [pid 5492] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5492, si_uid=0, si_status=0, si_utime=0, si_stime=34 /* 0.34 s */} --- umount2("./122", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./122", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./122/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./122/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./122/binderfs") = 0 [ 173.454617][ T5493] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 173.462601][ T5493] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 173.470594][ T5493] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 173.478592][ T5493] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 173.486566][ T5493] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 173.494566][ T5493] umount2("./122/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./122/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./122/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./122/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./122/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./122/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./122") = 0 mkdir("./123", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5496 ./strace-static-x86_64: Process 5496 attached [pid 5496] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5496] chdir("./123") = 0 [pid 5496] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5496] setpgid(0, 0) = 0 [pid 5496] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5496] write(3, "1000", 4) = 4 [pid 5496] close(3) = 0 [pid 5496] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5496] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5496] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5496] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5496] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5497 attached , parent_tid=[5497], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5497 [pid 5496] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5496] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5497] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5497] memfd_create("syzkaller", 0) = 3 [pid 5497] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5497] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5497] munmap(0x7f2811caa000, 16777216) = 0 [pid 5497] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5497] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5497] close(3) = 0 [pid 5497] mkdir("./file0", 0777) = 0 [ 173.858066][ T5497] loop0: detected capacity change from 0 to 32768 [ 173.871426][ T5497] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 173.879915][ T5497] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 173.889720][ T5497] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 173.898579][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 173.905895][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5497] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5497] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5497] chdir("./file0") = 0 [pid 5497] ioctl(4, LOOP_CLR_FD) = 0 [pid 5497] close(4) = 0 [pid 5497] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5496] <... futex resumed>) = 0 [pid 5496] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5496] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5497] <... futex resumed>) = 1 [pid 5497] open(".", O_RDONLY) = 4 [pid 5497] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5496] <... futex resumed>) = 0 [pid 5496] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5496] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5497] <... futex resumed>) = 1 [ 173.953241][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 47ms [ 173.961471][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 173.967202][ T5497] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 173.986261][ T5497] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 173.995019][ T5497] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5497] getdents64(4, [pid 5496] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5496] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5496] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5496] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5496] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5499], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5499 [pid 5496] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5496] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5499 attached [pid 5499] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5499] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5499] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5496] <... futex resumed>) = 0 [pid 5499] <... futex resumed>) = 1 [ 173.995019][ T5497] inode = 12 2341 [ 173.995019][ T5497] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 174.013789][ T5497] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 174.023090][ T5497] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5497 [syz-executor171] iterate_dir+0x228/0x570 [ 174.033378][ T5497] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 174.041879][ T5497] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 174.049882][ T5497] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 174.059039][ T5497] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 174.065727][ T5497] gfs2: fsid=syz:syz.0: File system withdrawn [ 174.071809][ T5497] CPU: 0 PID: 5497 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 174.081881][ T5497] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 174.091960][ T5497] Call Trace: [ 174.095254][ T5497] [ 174.098188][ T5497] dump_stack_lvl+0x1e7/0x2d0 [ 174.102889][ T5497] ? nf_tcp_handle_invalid+0x650/0x650 [ 174.108371][ T5497] ? panic+0x770/0x770 [ 174.112447][ T5497] ? kobject_uevent_env+0x54e/0x8e0 [ 174.117677][ T5497] gfs2_withdraw+0xf48/0x1550 [ 174.122402][ T5497] ? gfs2_lm+0x240/0x240 [ 174.126658][ T5497] ? gfs2_dirent_scan+0xb2/0x640 [ 174.131608][ T5497] ? panic+0x770/0x770 [ 174.135713][ T5497] ? gfs2_consist_inode_i+0xf5/0x110 [ 174.141028][ T5497] gfs2_dirent_scan+0x512/0x640 [ 174.145897][ T5497] ? gfs2_dirent_scan+0x640/0x640 [pid 5499] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5496] exit_group(0 [pid 5499] <... futex resumed>) = ? [pid 5496] <... exit_group resumed>) = ? [pid 5499] +++ exited with 0 +++ [ 174.150939][ T5497] gfs2_dir_read+0x82f/0x1af0 [ 174.155622][ T5497] ? inode_dio_wait+0x2ad/0x340 [ 174.160488][ T5497] ? inode_owner_or_capable+0x1c0/0x1c0 [ 174.166055][ T5497] ? gfs2_dir_hash_inval+0x80/0x80 [ 174.171206][ T5497] ? _raw_spin_unlock+0x28/0x40 [ 174.176074][ T5497] ? gfs2_glock_nq+0xcbf/0x16c0 [ 174.180961][ T5497] ? inode_go_held+0xea/0x200 [ 174.185652][ T5497] ? gfs2_glock_wait+0x21a/0x2b0 [ 174.190610][ T5497] gfs2_readdir+0x14e/0x1b0 [ 174.195136][ T5497] ? __fdget_pos+0x254/0x2f0 [ 174.199739][ T5497] ? gfs2_fallocate+0x490/0x490 [ 174.204616][ T5497] ? iterate_dir+0x228/0x570 [ 174.209238][ T5497] ? __down_read_common+0x184/0x2c0 [ 174.214490][ T5497] ? iterate_dir+0x10e/0x570 [ 174.219108][ T5497] iterate_dir+0x228/0x570 [ 174.223538][ T5497] ? gfs2_fallocate+0x490/0x490 [ 174.228412][ T5497] __se_sys_getdents64+0x20d/0x4f0 [ 174.233558][ T5497] ? _raw_spin_unlock_irq+0x2e/0x50 [ 174.238780][ T5497] ? __x64_sys_getdents64+0x80/0x80 [ 174.244013][ T5497] ? filldir+0x740/0x740 [ 174.248294][ T5497] ? syscall_enter_from_user_mode+0x32/0x230 [ 174.254287][ T5497] ? syscall_enter_from_user_mode+0x8c/0x230 [ 174.260274][ T5497] do_syscall_64+0x41/0xc0 [ 174.264711][ T5497] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 174.270633][ T5497] RIP: 0033:0x7f281a11eab9 [ 174.275064][ T5497] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 174.294683][ T5497] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5497] <... getdents64 resumed> ) = ? [pid 5497] +++ exited with 0 +++ [pid 5496] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5496, si_uid=0, si_status=0, si_utime=6 /* 0.06 s */, si_stime=30 /* 0.30 s */} --- umount2("./123", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./123", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./123/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./123/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./123/binderfs") = 0 [ 174.303098][ T5497] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 174.311166][ T5497] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 174.319151][ T5497] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 174.327166][ T5497] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 174.335142][ T5497] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 174.343163][ T5497] umount2("./123/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./123/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./123/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./123/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./123/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./123/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./123") = 0 mkdir("./124", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5500 ./strace-static-x86_64: Process 5500 attached [pid 5500] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5500] chdir("./124") = 0 [pid 5500] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5500] setpgid(0, 0) = 0 [pid 5500] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5500] write(3, "1000", 4) = 4 [pid 5500] close(3) = 0 [pid 5500] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5500] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5500] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5500] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5500] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5501], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5501 [pid 5500] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5500] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5501 attached [pid 5501] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5501] memfd_create("syzkaller", 0) = 3 [pid 5501] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5501] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5501] munmap(0x7f2811caa000, 16777216) = 0 [pid 5501] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5501] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5501] close(3) = 0 [pid 5501] mkdir("./file0", 0777) = 0 [ 174.695116][ T5501] loop0: detected capacity change from 0 to 32768 [ 174.706952][ T5501] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 174.715450][ T5501] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 174.725261][ T5501] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 174.733940][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 174.740740][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5501] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5501] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5501] chdir("./file0") = 0 [pid 5501] ioctl(4, LOOP_CLR_FD) = 0 [pid 5501] close(4) = 0 [pid 5501] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5500] <... futex resumed>) = 0 [pid 5500] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5500] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5501] <... futex resumed>) = 1 [pid 5501] open(".", O_RDONLY) = 4 [pid 5501] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5500] <... futex resumed>) = 0 [pid 5501] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5500] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5501] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5500] <... futex resumed>) = 0 [pid 5501] getdents64(4, [ 174.785008][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 44ms [ 174.793490][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 174.799084][ T5501] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 174.833368][ T5501] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 174.842085][ T5501] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 174.842085][ T5501] inode = 12 2341 [ 174.842085][ T5501] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 174.861435][ T5501] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 174.871119][ T5501] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5501 [syz-executor171] iterate_dir+0x228/0x570 [pid 5500] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5500] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5500] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5500] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5500] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5503 attached , parent_tid=[5503], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5503 [pid 5500] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5500] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5503] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5503] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5503] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5500] <... futex resumed>) = 0 [pid 5503] <... futex resumed>) = 1 [ 174.881468][ T5501] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 174.892306][ T5501] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 174.899602][ T5501] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 174.908421][ T5501] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 174.915190][ T5501] gfs2: fsid=syz:syz.0: File system withdrawn [ 174.921646][ T5501] CPU: 0 PID: 5501 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 174.931723][ T5501] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 174.941796][ T5501] Call Trace: [ 174.945086][ T5501] [ 174.948027][ T5501] dump_stack_lvl+0x1e7/0x2d0 [ 174.952741][ T5501] ? nf_tcp_handle_invalid+0x650/0x650 [ 174.958227][ T5501] ? panic+0x770/0x770 [ 174.962311][ T5501] ? kobject_uevent_env+0x54e/0x8e0 [ 174.967531][ T5501] gfs2_withdraw+0xf48/0x1550 [ 174.972254][ T5501] ? gfs2_lm+0x240/0x240 [ 174.976508][ T5501] ? gfs2_dirent_scan+0xb2/0x640 [ 174.981538][ T5501] ? panic+0x770/0x770 [ 174.985620][ T5501] ? gfs2_consist_inode_i+0xf5/0x110 [ 174.991009][ T5501] gfs2_dirent_scan+0x512/0x640 [ 174.995878][ T5501] ? gfs2_dirent_scan+0x640/0x640 [ 175.000919][ T5501] gfs2_dir_read+0x82f/0x1af0 [ 175.005617][ T5501] ? inode_dio_wait+0x2ad/0x340 [ 175.010508][ T5501] ? inode_owner_or_capable+0x1c0/0x1c0 [ 175.016096][ T5501] ? gfs2_dir_hash_inval+0x80/0x80 [ 175.021220][ T5501] ? _raw_spin_unlock+0x28/0x40 [ 175.026086][ T5501] ? gfs2_glock_nq+0xcbf/0x16c0 [ 175.030960][ T5501] ? inode_go_held+0xea/0x200 [ 175.035645][ T5501] ? gfs2_glock_wait+0x21a/0x2b0 [ 175.040605][ T5501] gfs2_readdir+0x14e/0x1b0 [ 175.045124][ T5501] ? __fdget_pos+0x254/0x2f0 [ 175.049727][ T5501] ? gfs2_fallocate+0x490/0x490 [ 175.054597][ T5501] ? iterate_dir+0x228/0x570 [ 175.059209][ T5501] ? __down_read_common+0x184/0x2c0 [ 175.064434][ T5501] ? iterate_dir+0x10e/0x570 [ 175.069053][ T5501] iterate_dir+0x228/0x570 [ 175.073488][ T5501] ? gfs2_fallocate+0x490/0x490 [ 175.078355][ T5501] __se_sys_getdents64+0x20d/0x4f0 [ 175.083503][ T5501] ? _raw_spin_unlock_irq+0x2e/0x50 [ 175.088716][ T5501] ? __x64_sys_getdents64+0x80/0x80 [ 175.093944][ T5501] ? filldir+0x740/0x740 [ 175.098206][ T5501] ? syscall_enter_from_user_mode+0x32/0x230 [ 175.104205][ T5501] ? syscall_enter_from_user_mode+0x8c/0x230 [ 175.110201][ T5501] do_syscall_64+0x41/0xc0 [ 175.114644][ T5501] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 175.120564][ T5501] RIP: 0033:0x7f281a11eab9 [ 175.124986][ T5501] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 175.144600][ T5501] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 175.153023][ T5501] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 175.161017][ T5501] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 175.168993][ T5501] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 175.176983][ T5501] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5503] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5501] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5501] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5501] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5500] exit_group(0 [pid 5503] <... futex resumed>) = ? [pid 5500] <... exit_group resumed>) = ? [pid 5501] <... futex resumed>) = ? [pid 5503] +++ exited with 0 +++ [pid 5501] +++ exited with 0 +++ [pid 5500] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5500, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./124", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./124", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./124/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./124/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./124/binderfs") = 0 [ 175.184960][ T5501] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 175.192964][ T5501] umount2("./124/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./124/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./124/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./124/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./124/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./124/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./124") = 0 mkdir("./125", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5504 ./strace-static-x86_64: Process 5504 attached [pid 5504] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5504] chdir("./125") = 0 [pid 5504] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5504] setpgid(0, 0) = 0 [pid 5504] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5504] write(3, "1000", 4) = 4 [pid 5504] close(3) = 0 [pid 5504] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5504] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5504] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5504] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5504] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5505], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5505 [pid 5504] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5504] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5505 attached [pid 5505] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5505] memfd_create("syzkaller", 0) = 3 [pid 5505] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5505] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5505] munmap(0x7f2811caa000, 16777216) = 0 [pid 5505] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5505] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5505] close(3) = 0 [pid 5505] mkdir("./file0", 0777) = 0 [ 175.566038][ T5505] loop0: detected capacity change from 0 to 32768 [ 175.577166][ T5505] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 175.585428][ T5505] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 175.595173][ T5505] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 175.603881][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 175.610668][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5505] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5505] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5505] chdir("./file0") = 0 [pid 5505] ioctl(4, LOOP_CLR_FD) = 0 [pid 5505] close(4) = 0 [pid 5505] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5504] <... futex resumed>) = 0 [pid 5505] open(".", O_RDONLY [pid 5504] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5505] <... open resumed>) = 4 [pid 5504] <... futex resumed>) = 0 [pid 5505] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5504] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5505] <... futex resumed>) = 0 [pid 5504] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5505] getdents64(4, [pid 5504] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 175.653818][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 43ms [ 175.661305][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 175.666660][ T5505] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 175.680351][ T5505] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 175.689394][ T5505] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 175.689394][ T5505] inode = 12 2341 [pid 5504] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [ 175.689394][ T5505] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 175.708465][ T5505] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 175.717956][ T5505] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5505 [syz-executor171] iterate_dir+0x228/0x570 [ 175.728083][ T5505] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 175.736724][ T5505] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 175.744161][ T5505] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5504] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5504] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5504] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5504] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5507], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5507 [pid 5504] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5504] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5507 attached [pid 5507] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5507] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5507] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5504] <... futex resumed>) = 0 [pid 5507] <... futex resumed>) = 1 [ 175.753679][ T5505] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 175.762980][ T5505] gfs2: fsid=syz:syz.0: File system withdrawn [ 175.769451][ T5505] CPU: 0 PID: 5505 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 175.779542][ T5505] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 175.789623][ T5505] Call Trace: [ 175.792903][ T5505] [ 175.795829][ T5505] dump_stack_lvl+0x1e7/0x2d0 [ 175.800525][ T5505] ? nf_tcp_handle_invalid+0x650/0x650 [ 175.806002][ T5505] ? panic+0x770/0x770 [ 175.810086][ T5505] ? kobject_uevent_env+0x54e/0x8e0 [ 175.815291][ T5505] gfs2_withdraw+0xf48/0x1550 [ 175.819986][ T5505] ? gfs2_lm+0x240/0x240 [ 175.824227][ T5505] ? gfs2_dirent_scan+0xb2/0x640 [ 175.829179][ T5505] ? panic+0x770/0x770 [ 175.833291][ T5505] ? gfs2_consist_inode_i+0xf5/0x110 [ 175.838606][ T5505] gfs2_dirent_scan+0x512/0x640 [ 175.843477][ T5505] ? gfs2_dirent_scan+0x640/0x640 [ 175.848529][ T5505] gfs2_dir_read+0x82f/0x1af0 [pid 5507] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5504] exit_group(0 [pid 5507] <... futex resumed>) = ? [pid 5504] <... exit_group resumed>) = ? [pid 5507] +++ exited with 0 +++ [ 175.853248][ T5505] ? inode_dio_wait+0x2ad/0x340 [ 175.858139][ T5505] ? inode_owner_or_capable+0x1c0/0x1c0 [ 175.863715][ T5505] ? gfs2_dir_hash_inval+0x80/0x80 [ 175.868845][ T5505] ? _raw_spin_unlock+0x28/0x40 [ 175.873702][ T5505] ? gfs2_glock_nq+0xcbf/0x16c0 [ 175.878586][ T5505] ? inode_go_held+0xea/0x200 [ 175.883303][ T5505] ? gfs2_glock_wait+0x21a/0x2b0 [ 175.888273][ T5505] gfs2_readdir+0x14e/0x1b0 [ 175.892785][ T5505] ? __fdget_pos+0x254/0x2f0 [ 175.897396][ T5505] ? gfs2_fallocate+0x490/0x490 [ 175.902259][ T5505] ? iterate_dir+0x228/0x570 [ 175.906855][ T5505] ? __down_read_common+0x184/0x2c0 [ 175.912063][ T5505] ? iterate_dir+0x10e/0x570 [ 175.916669][ T5505] iterate_dir+0x228/0x570 [ 175.921104][ T5505] ? gfs2_fallocate+0x490/0x490 [ 175.925981][ T5505] __se_sys_getdents64+0x20d/0x4f0 [ 175.931135][ T5505] ? _raw_spin_unlock_irq+0x2e/0x50 [ 175.936348][ T5505] ? __x64_sys_getdents64+0x80/0x80 [ 175.941567][ T5505] ? filldir+0x740/0x740 [ 175.945815][ T5505] ? syscall_enter_from_user_mode+0x32/0x230 [ 175.951812][ T5505] ? syscall_enter_from_user_mode+0x8c/0x230 [ 175.957835][ T5505] do_syscall_64+0x41/0xc0 [ 175.962261][ T5505] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 175.968163][ T5505] RIP: 0033:0x7f281a11eab9 [ 175.972609][ T5505] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 175.992229][ T5505] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5505] <... getdents64 resumed> ) = ? [pid 5505] +++ exited with 0 +++ [pid 5504] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5504, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./125", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./125", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./125/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./125/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./125/binderfs") = 0 [ 176.000641][ T5505] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 176.008615][ T5505] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 176.016605][ T5505] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 176.024588][ T5505] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 176.032565][ T5505] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 176.040562][ T5505] umount2("./125/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./125/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./125/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./125/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./125/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./125/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./125") = 0 mkdir("./126", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5508 ./strace-static-x86_64: Process 5508 attached [pid 5508] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5508] chdir("./126") = 0 [pid 5508] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5508] setpgid(0, 0) = 0 [pid 5508] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5508] write(3, "1000", 4) = 4 [pid 5508] close(3) = 0 [pid 5508] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5508] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5508] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5508] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5508] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5509], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5509 [pid 5508] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5508] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5509 attached [pid 5509] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5509] memfd_create("syzkaller", 0) = 3 [pid 5509] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5509] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5509] munmap(0x7f2811caa000, 16777216) = 0 [pid 5509] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5509] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5509] close(3) = 0 [pid 5509] mkdir("./file0", 0777) = 0 [ 176.415377][ T5509] loop0: detected capacity change from 0 to 32768 [ 176.425966][ T5509] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 176.434201][ T5509] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 176.443572][ T5509] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 176.451939][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 176.458823][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5509] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5509] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5509] chdir("./file0") = 0 [pid 5509] ioctl(4, LOOP_CLR_FD) = 0 [pid 5509] close(4) = 0 [pid 5509] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5508] <... futex resumed>) = 0 [pid 5509] open(".", O_RDONLY [pid 5508] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5509] <... open resumed>) = 4 [pid 5508] <... futex resumed>) = 0 [pid 5509] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5508] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5509] <... futex resumed>) = 0 [pid 5508] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5509] getdents64(4, [pid 5508] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 176.499355][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 176.506886][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 176.512122][ T5509] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 176.525851][ T5509] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 176.534695][ T5509] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 176.534695][ T5509] inode = 12 2341 [pid 5508] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5508] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5508] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5508] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5508] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5511], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5511 [pid 5508] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 176.534695][ T5509] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 176.554092][ T5509] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 176.563180][ T5509] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5509 [syz-executor171] iterate_dir+0x228/0x570 [ 176.573172][ T5509] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 176.581732][ T5509] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 176.589019][ T5509] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5508] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5511 attached [pid 5511] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5511] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5511] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5508] <... futex resumed>) = 0 [ 176.598569][ T5509] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 176.606025][ T5509] gfs2: fsid=syz:syz.0: File system withdrawn [ 176.612421][ T5509] CPU: 0 PID: 5509 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 176.622507][ T5509] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 176.632573][ T5509] Call Trace: [ 176.635890][ T5509] [ 176.638836][ T5509] dump_stack_lvl+0x1e7/0x2d0 [ 176.643546][ T5509] ? nf_tcp_handle_invalid+0x650/0x650 [ 176.649034][ T5509] ? panic+0x770/0x770 [ 176.653112][ T5509] ? kobject_uevent_env+0x54e/0x8e0 [ 176.658326][ T5509] gfs2_withdraw+0xf48/0x1550 [ 176.663023][ T5509] ? gfs2_lm+0x240/0x240 [ 176.667273][ T5509] ? gfs2_dirent_scan+0xb2/0x640 [ 176.672224][ T5509] ? panic+0x770/0x770 [ 176.676330][ T5509] ? gfs2_consist_inode_i+0xf5/0x110 [ 176.681641][ T5509] gfs2_dirent_scan+0x512/0x640 [ 176.686510][ T5509] ? gfs2_dirent_scan+0x640/0x640 [ 176.691565][ T5509] gfs2_dir_read+0x82f/0x1af0 [pid 5511] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5508] exit_group(0 [pid 5511] <... futex resumed>) = ? [pid 5508] <... exit_group resumed>) = ? [pid 5511] +++ exited with 0 +++ [ 176.696265][ T5509] ? inode_dio_wait+0x2ad/0x340 [ 176.701151][ T5509] ? inode_owner_or_capable+0x1c0/0x1c0 [ 176.706791][ T5509] ? gfs2_dir_hash_inval+0x80/0x80 [ 176.711913][ T5509] ? _raw_spin_unlock+0x28/0x40 [ 176.716796][ T5509] ? gfs2_glock_nq+0xcbf/0x16c0 [ 176.721677][ T5509] ? inode_go_held+0xea/0x200 [ 176.726367][ T5509] ? gfs2_glock_wait+0x21a/0x2b0 [ 176.731329][ T5509] gfs2_readdir+0x14e/0x1b0 [ 176.735851][ T5509] ? __fdget_pos+0x254/0x2f0 [ 176.740453][ T5509] ? gfs2_fallocate+0x490/0x490 [ 176.745342][ T5509] ? iterate_dir+0x228/0x570 [ 176.749934][ T5509] ? __down_read_common+0x184/0x2c0 [ 176.755132][ T5509] ? iterate_dir+0x10e/0x570 [ 176.759725][ T5509] iterate_dir+0x228/0x570 [ 176.764147][ T5509] ? gfs2_fallocate+0x490/0x490 [ 176.769001][ T5509] __se_sys_getdents64+0x20d/0x4f0 [ 176.774118][ T5509] ? _raw_spin_unlock_irq+0x2e/0x50 [ 176.779332][ T5509] ? __x64_sys_getdents64+0x80/0x80 [ 176.784552][ T5509] ? filldir+0x740/0x740 [ 176.788813][ T5509] ? syscall_enter_from_user_mode+0x32/0x230 [ 176.794792][ T5509] ? syscall_enter_from_user_mode+0x8c/0x230 [ 176.800785][ T5509] do_syscall_64+0x41/0xc0 [ 176.805214][ T5509] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 176.811103][ T5509] RIP: 0033:0x7f281a11eab9 [ 176.815550][ T5509] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 176.835162][ T5509] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5509] <... getdents64 resumed> ) = ? [pid 5509] +++ exited with 0 +++ [pid 5508] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5508, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=31 /* 0.31 s */} --- umount2("./126", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./126", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./126/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./126/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./126/binderfs") = 0 [ 176.843603][ T5509] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 176.851592][ T5509] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 176.859599][ T5509] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 176.867595][ T5509] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 176.875583][ T5509] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 176.883584][ T5509] umount2("./126/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./126/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./126/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./126/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./126/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./126/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./126") = 0 mkdir("./127", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5512 ./strace-static-x86_64: Process 5512 attached [pid 5512] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5512] chdir("./127") = 0 [pid 5512] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5512] setpgid(0, 0) = 0 [pid 5512] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5512] write(3, "1000", 4) = 4 [pid 5512] close(3) = 0 [pid 5512] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5512] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5512] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5512] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5512] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5513], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5513 [pid 5512] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5512] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5513 attached [pid 5513] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5513] memfd_create("syzkaller", 0) = 3 [pid 5513] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5513] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5513] munmap(0x7f2811caa000, 16777216) = 0 [pid 5513] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5513] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5513] close(3) = 0 [pid 5513] mkdir("./file0", 0777) = 0 [ 177.257575][ T5513] loop0: detected capacity change from 0 to 32768 [ 177.269094][ T5513] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 177.278120][ T5513] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 177.288807][ T5513] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 177.297608][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 177.304614][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5513] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5513] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5513] chdir("./file0") = 0 [pid 5513] ioctl(4, LOOP_CLR_FD) = 0 [pid 5513] close(4) = 0 [pid 5513] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5513] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5512] <... futex resumed>) = 0 [pid 5512] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5512] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5513] <... futex resumed>) = 0 [pid 5513] open(".", O_RDONLY) = 4 [pid 5513] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5512] <... futex resumed>) = 0 [pid 5512] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5512] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5513] <... futex resumed>) = 1 [ 177.342079][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 177.349623][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 177.354922][ T5513] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 177.387786][ T5513] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 177.396551][ T5513] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 177.396551][ T5513] inode = 12 2341 [ 177.396551][ T5513] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 177.415539][ T5513] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 177.424651][ T5513] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5513 [syz-executor171] iterate_dir+0x228/0x570 [pid 5513] getdents64(4, [pid 5512] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5512] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5512] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [ 177.434597][ T5513] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 177.443053][ T5513] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 177.450517][ T5513] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 177.459512][ T5513] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 177.466575][ T5513] gfs2: fsid=syz:syz.0: File system withdrawn [ 177.472915][ T5513] CPU: 0 PID: 5513 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 177.483005][ T5513] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 177.493064][ T5513] Call Trace: [ 177.496345][ T5513] [ 177.499278][ T5513] dump_stack_lvl+0x1e7/0x2d0 [ 177.503965][ T5513] ? nf_tcp_handle_invalid+0x650/0x650 [ 177.509430][ T5513] ? panic+0x770/0x770 [ 177.513504][ T5513] ? kobject_uevent_env+0x54e/0x8e0 [ 177.518734][ T5513] gfs2_withdraw+0xf48/0x1550 [ 177.523445][ T5513] ? gfs2_lm+0x240/0x240 [ 177.527693][ T5513] ? gfs2_dirent_scan+0xb2/0x640 [ 177.532637][ T5513] ? panic+0x770/0x770 [ 177.536730][ T5513] ? gfs2_consist_inode_i+0xf5/0x110 [ 177.542036][ T5513] gfs2_dirent_scan+0x512/0x640 [ 177.546896][ T5513] ? gfs2_dirent_scan+0x640/0x640 [ 177.551931][ T5513] gfs2_dir_read+0x82f/0x1af0 [ 177.556632][ T5513] ? inode_dio_wait+0x2ad/0x340 [ 177.561492][ T5513] ? inode_owner_or_capable+0x1c0/0x1c0 [ 177.567044][ T5513] ? gfs2_dir_hash_inval+0x80/0x80 [ 177.572156][ T5513] ? _raw_spin_unlock+0x28/0x40 [ 177.577011][ T5513] ? gfs2_glock_nq+0xcbf/0x16c0 [ 177.581873][ T5513] ? inode_go_held+0xea/0x200 [ 177.586554][ T5513] ? gfs2_glock_wait+0x21a/0x2b0 [ 177.591512][ T5513] gfs2_readdir+0x14e/0x1b0 [ 177.596019][ T5513] ? __fdget_pos+0x254/0x2f0 [ 177.600607][ T5513] ? gfs2_fallocate+0x490/0x490 [ 177.605466][ T5513] ? iterate_dir+0x228/0x570 [ 177.610061][ T5513] ? __down_read_common+0x184/0x2c0 [ 177.615266][ T5513] ? iterate_dir+0x10e/0x570 [ 177.619868][ T5513] iterate_dir+0x228/0x570 [ 177.624299][ T5513] ? gfs2_fallocate+0x490/0x490 [ 177.629161][ T5513] __se_sys_getdents64+0x20d/0x4f0 [ 177.634306][ T5513] ? _raw_spin_unlock_irq+0x2e/0x50 [ 177.639520][ T5513] ? __x64_sys_getdents64+0x80/0x80 [ 177.644727][ T5513] ? filldir+0x740/0x740 [ 177.648993][ T5513] ? syscall_enter_from_user_mode+0x32/0x230 [ 177.654984][ T5513] ? syscall_enter_from_user_mode+0x8c/0x230 [ 177.660968][ T5513] do_syscall_64+0x41/0xc0 [ 177.665389][ T5513] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 177.671282][ T5513] RIP: 0033:0x7f281a11eab9 [ 177.675698][ T5513] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 177.695327][ T5513] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 177.703754][ T5513] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 177.711731][ T5513] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 177.719709][ T5513] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 177.727708][ T5513] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5512] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE [pid 5513] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5512] <... mprotect resumed>) = 0 [pid 5513] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5512] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID [pid 5513] <... futex resumed>) = 0 [pid 5513] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL./strace-static-x86_64: Process 5515 attached [pid 5515] set_robust_list(0x7f2812ca99e0, 24 [pid 5512] <... clone resumed>, parent_tid=[5515], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5515 [pid 5512] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5512] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5515] <... set_robust_list resumed>) = 0 [pid 5515] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5515] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5512] <... futex resumed>) = 0 [pid 5515] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5512] exit_group(0 [pid 5513] <... futex resumed>) = ? [pid 5512] <... exit_group resumed>) = ? [pid 5513] +++ exited with 0 +++ [pid 5515] <... futex resumed>) = ? [pid 5515] +++ exited with 0 +++ [pid 5512] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5512, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=30 /* 0.30 s */} --- umount2("./127", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./127", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./127/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./127/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./127/binderfs") = 0 [ 177.735722][ T5513] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 177.743726][ T5513] umount2("./127/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./127/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./127/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./127/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./127/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./127/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./127") = 0 mkdir("./128", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5516 ./strace-static-x86_64: Process 5516 attached [pid 5516] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5516] chdir("./128") = 0 [pid 5516] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5516] setpgid(0, 0) = 0 [pid 5516] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5516] write(3, "1000", 4) = 4 [pid 5516] close(3) = 0 [pid 5516] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5516] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5516] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5516] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5516] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5517 attached [pid 5517] set_robust_list(0x7f281a0ca9e0, 24 [pid 5516] <... clone resumed>, parent_tid=[5517], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5517 [pid 5517] <... set_robust_list resumed>) = 0 [pid 5516] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5516] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5517] memfd_create("syzkaller", 0) = 3 [pid 5517] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5517] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5517] munmap(0x7f2811caa000, 16777216) = 0 [pid 5517] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5517] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5517] close(3) = 0 [pid 5517] mkdir("./file0", 0777) = 0 [ 178.129152][ T5517] loop0: detected capacity change from 0 to 32768 [ 178.140395][ T5517] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 178.149086][ T5517] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 178.158491][ T5517] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 178.167159][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 178.174226][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5517] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5517] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5517] chdir("./file0") = 0 [pid 5517] ioctl(4, LOOP_CLR_FD) = 0 [pid 5517] close(4) = 0 [pid 5517] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5516] <... futex resumed>) = 0 [pid 5516] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5516] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5517] <... futex resumed>) = 1 [pid 5517] open(".", O_RDONLY) = 4 [pid 5517] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5516] <... futex resumed>) = 0 [pid 5516] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5516] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5517] <... futex resumed>) = 1 [ 178.212589][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 178.220668][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 178.226408][ T5517] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 178.244544][ T5517] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 178.253310][ T5517] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5517] getdents64(4, [pid 5516] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5516] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5516] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5516] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5516] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5519], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5519 [pid 5516] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5516] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5519 attached [pid 5519] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5519] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5519] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5516] <... futex resumed>) = 0 [pid 5519] <... futex resumed>) = 1 [ 178.253310][ T5517] inode = 12 2341 [ 178.253310][ T5517] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 178.272475][ T5517] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 178.281943][ T5517] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5517 [syz-executor171] iterate_dir+0x228/0x570 [ 178.292159][ T5517] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 178.300803][ T5517] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 178.308954][ T5517] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 178.318572][ T5517] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 178.326840][ T5517] gfs2: fsid=syz:syz.0: File system withdrawn [ 178.332918][ T5517] CPU: 0 PID: 5517 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 178.342980][ T5517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 178.353033][ T5517] Call Trace: [ 178.356308][ T5517] [ 178.359248][ T5517] dump_stack_lvl+0x1e7/0x2d0 [ 178.363975][ T5517] ? nf_tcp_handle_invalid+0x650/0x650 [ 178.369467][ T5517] ? panic+0x770/0x770 [ 178.373565][ T5517] ? kobject_uevent_env+0x54e/0x8e0 [ 178.378822][ T5517] gfs2_withdraw+0xf48/0x1550 [ 178.383513][ T5517] ? gfs2_lm+0x240/0x240 [ 178.387762][ T5517] ? gfs2_dirent_scan+0xb2/0x640 [ 178.392714][ T5517] ? panic+0x770/0x770 [ 178.396812][ T5517] ? gfs2_consist_inode_i+0xf5/0x110 [ 178.402125][ T5517] gfs2_dirent_scan+0x512/0x640 [ 178.406994][ T5517] ? gfs2_dirent_scan+0x640/0x640 [pid 5519] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5516] exit_group(0 [pid 5519] <... futex resumed>) = ? [pid 5516] <... exit_group resumed>) = ? [pid 5519] +++ exited with 0 +++ [ 178.412055][ T5517] gfs2_dir_read+0x82f/0x1af0 [ 178.416771][ T5517] ? inode_dio_wait+0x2ad/0x340 [ 178.421642][ T5517] ? inode_owner_or_capable+0x1c0/0x1c0 [ 178.427189][ T5517] ? gfs2_dir_hash_inval+0x80/0x80 [ 178.432322][ T5517] ? _raw_spin_unlock+0x28/0x40 [ 178.437199][ T5517] ? gfs2_glock_nq+0xcbf/0x16c0 [ 178.442057][ T5517] ? inode_go_held+0xea/0x200 [ 178.446731][ T5517] ? gfs2_glock_wait+0x21a/0x2b0 [ 178.451674][ T5517] gfs2_readdir+0x14e/0x1b0 [ 178.456187][ T5517] ? __fdget_pos+0x254/0x2f0 [ 178.460791][ T5517] ? gfs2_fallocate+0x490/0x490 [ 178.465658][ T5517] ? iterate_dir+0x228/0x570 [ 178.470262][ T5517] ? __down_read_common+0x184/0x2c0 [ 178.475499][ T5517] ? iterate_dir+0x10e/0x570 [ 178.480138][ T5517] iterate_dir+0x228/0x570 [ 178.484560][ T5517] ? gfs2_fallocate+0x490/0x490 [ 178.489427][ T5517] __se_sys_getdents64+0x20d/0x4f0 [ 178.494561][ T5517] ? _raw_spin_unlock_irq+0x2e/0x50 [ 178.499763][ T5517] ? __x64_sys_getdents64+0x80/0x80 [ 178.504965][ T5517] ? filldir+0x740/0x740 [ 178.509213][ T5517] ? syscall_enter_from_user_mode+0x32/0x230 [ 178.515197][ T5517] ? syscall_enter_from_user_mode+0x8c/0x230 [ 178.521198][ T5517] do_syscall_64+0x41/0xc0 [ 178.525640][ T5517] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 178.531553][ T5517] RIP: 0033:0x7f281a11eab9 [ 178.535973][ T5517] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 178.555666][ T5517] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5517] <... getdents64 resumed> ) = ? [pid 5517] +++ exited with 0 +++ [pid 5516] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5516, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=27 /* 0.27 s */} --- umount2("./128", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./128", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./128/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./128/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./128/binderfs") = 0 [ 178.564088][ T5517] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 178.572076][ T5517] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 178.580335][ T5517] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 178.588324][ T5517] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 178.596292][ T5517] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 178.604273][ T5517] umount2("./128/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./128/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./128/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./128/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./128/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./128/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./128") = 0 mkdir("./129", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5520 ./strace-static-x86_64: Process 5520 attached [pid 5520] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5520] chdir("./129") = 0 [pid 5520] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5520] setpgid(0, 0) = 0 [pid 5520] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5520] write(3, "1000", 4) = 4 [pid 5520] close(3) = 0 [pid 5520] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5520] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5520] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5520] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5520] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5521], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5521 ./strace-static-x86_64: Process 5521 attached [pid 5520] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5520] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5521] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5521] memfd_create("syzkaller", 0) = 3 [pid 5521] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5521] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5521] munmap(0x7f2811caa000, 16777216) = 0 [pid 5521] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5521] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5521] close(3) = 0 [pid 5521] mkdir("./file0", 0777) = 0 [ 178.965471][ T5521] loop0: detected capacity change from 0 to 32768 [ 178.976951][ T5521] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 178.985408][ T5521] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 178.995104][ T5521] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 179.003669][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 179.010469][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5521] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5521] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5521] chdir("./file0") = 0 [pid 5521] ioctl(4, LOOP_CLR_FD) = 0 [pid 5521] close(4) = 0 [pid 5521] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5520] <... futex resumed>) = 0 [pid 5520] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5520] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5521] <... futex resumed>) = 1 [pid 5521] open(".", O_RDONLY) = 4 [pid 5521] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5520] <... futex resumed>) = 0 [pid 5520] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5520] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5521] <... futex resumed>) = 1 [ 179.046964][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 36ms [ 179.055520][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 179.060804][ T5521] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 179.077749][ T5521] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 179.086214][ T5521] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 179.086214][ T5521] inode = 12 2341 [pid 5521] getdents64(4, [pid 5520] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5520] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5520] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5520] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5520] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5523], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5523 [pid 5520] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5520] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5523 attached [pid 5523] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5523] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5523] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5520] <... futex resumed>) = 0 [pid 5523] <... futex resumed>) = 1 [ 179.086214][ T5521] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 179.105206][ T5521] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 179.114427][ T5521] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5521 [syz-executor171] iterate_dir+0x228/0x570 [ 179.124499][ T5521] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 179.133020][ T5521] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 179.140546][ T5521] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 179.149493][ T5521] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 179.156294][ T5521] gfs2: fsid=syz:syz.0: File system withdrawn [ 179.162380][ T5521] CPU: 1 PID: 5521 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 179.172461][ T5521] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 179.182544][ T5521] Call Trace: [ 179.185830][ T5521] [ 179.188798][ T5521] dump_stack_lvl+0x1e7/0x2d0 [ 179.193534][ T5521] ? nf_tcp_handle_invalid+0x650/0x650 [ 179.199003][ T5521] ? panic+0x770/0x770 [ 179.203089][ T5521] ? kobject_uevent_env+0x54e/0x8e0 [ 179.208318][ T5521] gfs2_withdraw+0xf48/0x1550 [ 179.213036][ T5521] ? gfs2_lm+0x240/0x240 [ 179.217315][ T5521] ? gfs2_dirent_scan+0xb2/0x640 [ 179.222267][ T5521] ? panic+0x770/0x770 [ 179.226359][ T5521] ? gfs2_consist_inode_i+0xf5/0x110 [ 179.231676][ T5521] gfs2_dirent_scan+0x512/0x640 [ 179.236544][ T5521] ? gfs2_dirent_scan+0x640/0x640 [ 179.241589][ T5521] gfs2_dir_read+0x82f/0x1af0 [ 179.246287][ T5521] ? inode_dio_wait+0x2ad/0x340 [ 179.251154][ T5521] ? inode_owner_or_capable+0x1c0/0x1c0 [ 179.256715][ T5521] ? gfs2_dir_hash_inval+0x80/0x80 [ 179.261830][ T5521] ? _raw_spin_unlock+0x28/0x40 [ 179.266679][ T5521] ? gfs2_glock_nq+0xcbf/0x16c0 [ 179.271548][ T5521] ? inode_go_held+0xea/0x200 [ 179.276239][ T5521] ? gfs2_glock_wait+0x21a/0x2b0 [ 179.281188][ T5521] gfs2_readdir+0x14e/0x1b0 [ 179.285696][ T5521] ? __fdget_pos+0x254/0x2f0 [ 179.290291][ T5521] ? gfs2_fallocate+0x490/0x490 [ 179.295149][ T5521] ? iterate_dir+0x228/0x570 [ 179.299738][ T5521] ? __down_read_common+0x184/0x2c0 [ 179.304937][ T5521] ? iterate_dir+0x10e/0x570 [ 179.309531][ T5521] iterate_dir+0x228/0x570 [ 179.313955][ T5521] ? gfs2_fallocate+0x490/0x490 [ 179.318817][ T5521] __se_sys_getdents64+0x20d/0x4f0 [ 179.323937][ T5521] ? _raw_spin_unlock_irq+0x2e/0x50 [ 179.329144][ T5521] ? __x64_sys_getdents64+0x80/0x80 [ 179.334355][ T5521] ? filldir+0x740/0x740 [ 179.338615][ T5521] ? syscall_enter_from_user_mode+0x32/0x230 [ 179.344610][ T5521] ? syscall_enter_from_user_mode+0x8c/0x230 [ 179.350602][ T5521] do_syscall_64+0x41/0xc0 [ 179.355031][ T5521] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 179.360929][ T5521] RIP: 0033:0x7f281a11eab9 [ 179.365346][ T5521] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 179.384953][ T5521] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5523] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5521] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5521] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5520] exit_group(0 [pid 5523] <... futex resumed>) = ? [pid 5520] <... exit_group resumed>) = ? [pid 5523] +++ exited with 0 +++ [pid 5521] +++ exited with 0 +++ [pid 5520] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5520, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=29 /* 0.29 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./129", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./129", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./129/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./129/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./129/binderfs") = 0 [ 179.393369][ T5521] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 179.401338][ T5521] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 179.409303][ T5521] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 179.417270][ T5521] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 179.425253][ T5521] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 179.433231][ T5521] umount2("./129/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./129/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./129/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./129/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./129/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./129/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./129") = 0 mkdir("./130", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5524 ./strace-static-x86_64: Process 5524 attached [pid 5524] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5524] chdir("./130") = 0 [pid 5524] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5524] setpgid(0, 0) = 0 [pid 5524] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5524] write(3, "1000", 4) = 4 [pid 5524] close(3) = 0 [pid 5524] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5524] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5524] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5524] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5524] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5525 attached [pid 5525] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5525] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5524] <... clone resumed>, parent_tid=[5525], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5525 [pid 5524] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5525] <... futex resumed>) = 0 [pid 5524] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5525] memfd_create("syzkaller", 0) = 3 [pid 5525] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5525] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5525] munmap(0x7f2811caa000, 16777216) = 0 [pid 5525] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5525] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5525] close(3) = 0 [pid 5525] mkdir("./file0", 0777) = 0 [ 179.817673][ T5525] loop0: detected capacity change from 0 to 32768 [ 179.828554][ T5525] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 179.836807][ T5525] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 179.846157][ T5525] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 179.854761][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 179.861547][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5525] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5525] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5525] chdir("./file0") = 0 [pid 5525] ioctl(4, LOOP_CLR_FD) = 0 [pid 5525] close(4) = 0 [pid 5525] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5524] <... futex resumed>) = 0 [pid 5524] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5524] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5525] <... futex resumed>) = 1 [pid 5525] open(".", O_RDONLY) = 4 [pid 5525] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5524] <... futex resumed>) = 0 [pid 5524] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5524] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5525] <... futex resumed>) = 1 [ 179.897067][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 35ms [ 179.904768][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 179.910036][ T5525] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 179.924143][ T5525] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 179.932526][ T5525] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 179.932526][ T5525] inode = 12 2341 [pid 5525] getdents64(4, [pid 5524] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5524] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5524] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5524] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5524] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5527], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5527 [pid 5524] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5524] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5527 attached [pid 5527] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5527] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5527] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5524] <... futex resumed>) = 0 [ 179.932526][ T5525] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 179.951650][ T5525] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 179.961271][ T5525] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5525 [syz-executor171] iterate_dir+0x228/0x570 [ 179.971481][ T5525] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 179.980274][ T5525] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 179.987730][ T5525] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 179.996725][ T5525] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 180.003347][ T5525] gfs2: fsid=syz:syz.0: File system withdrawn [ 180.009421][ T5525] CPU: 1 PID: 5525 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 180.019483][ T5525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 180.029552][ T5525] Call Trace: [ 180.032841][ T5525] [ 180.035789][ T5525] dump_stack_lvl+0x1e7/0x2d0 [ 180.040492][ T5525] ? nf_tcp_handle_invalid+0x650/0x650 [ 180.045960][ T5525] ? panic+0x770/0x770 [ 180.050046][ T5525] ? kobject_uevent_env+0x54e/0x8e0 [ 180.055286][ T5525] gfs2_withdraw+0xf48/0x1550 [ 180.060004][ T5525] ? gfs2_lm+0x240/0x240 [ 180.064254][ T5525] ? gfs2_dirent_scan+0xb2/0x640 [ 180.069195][ T5525] ? panic+0x770/0x770 [ 180.073277][ T5525] ? gfs2_consist_inode_i+0xf5/0x110 [ 180.078578][ T5525] gfs2_dirent_scan+0x512/0x640 [ 180.083443][ T5525] ? gfs2_dirent_scan+0x640/0x640 [ 180.088486][ T5525] gfs2_dir_read+0x82f/0x1af0 [ 180.093180][ T5525] ? inode_dio_wait+0x2ad/0x340 [ 180.098050][ T5525] ? inode_owner_or_capable+0x1c0/0x1c0 [ 180.103696][ T5525] ? gfs2_dir_hash_inval+0x80/0x80 [ 180.108821][ T5525] ? _raw_spin_unlock+0x28/0x40 [ 180.113668][ T5525] ? gfs2_glock_nq+0xcbf/0x16c0 [ 180.118531][ T5525] ? inode_go_held+0xea/0x200 [ 180.123220][ T5525] ? gfs2_glock_wait+0x21a/0x2b0 [ 180.128172][ T5525] gfs2_readdir+0x14e/0x1b0 [ 180.132686][ T5525] ? __fdget_pos+0x254/0x2f0 [ 180.137275][ T5525] ? gfs2_fallocate+0x490/0x490 [ 180.142128][ T5525] ? iterate_dir+0x228/0x570 [ 180.146724][ T5525] ? __down_read_common+0x184/0x2c0 [ 180.151947][ T5525] ? iterate_dir+0x10e/0x570 [ 180.156556][ T5525] iterate_dir+0x228/0x570 [ 180.160982][ T5525] ? gfs2_fallocate+0x490/0x490 [ 180.165834][ T5525] __se_sys_getdents64+0x20d/0x4f0 [ 180.170963][ T5525] ? _raw_spin_unlock_irq+0x2e/0x50 [ 180.176169][ T5525] ? __x64_sys_getdents64+0x80/0x80 [ 180.181379][ T5525] ? filldir+0x740/0x740 [ 180.185636][ T5525] ? syscall_enter_from_user_mode+0x32/0x230 [ 180.191623][ T5525] ? syscall_enter_from_user_mode+0x8c/0x230 [ 180.197617][ T5525] do_syscall_64+0x41/0xc0 [ 180.202043][ T5525] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 180.207944][ T5525] RIP: 0033:0x7f281a11eab9 [ 180.212366][ T5525] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 180.231997][ T5525] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 180.240421][ T5525] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [pid 5527] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5525] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5525] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5525] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5524] exit_group(0 [pid 5525] <... futex resumed>) = ? [pid 5524] <... exit_group resumed>) = ? [pid 5527] <... futex resumed>) = ? [pid 5525] +++ exited with 0 +++ [pid 5527] +++ exited with 0 +++ [pid 5524] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5524, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=35 /* 0.35 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./130", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./130", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./130/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./130/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./130/binderfs") = 0 [ 180.248394][ T5525] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 180.256376][ T5525] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 180.264346][ T5525] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 180.272319][ T5525] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 180.280305][ T5525] umount2("./130/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./130/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./130/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./130/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./130/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./130/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./130") = 0 mkdir("./131", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5528 ./strace-static-x86_64: Process 5528 attached [pid 5528] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5528] chdir("./131") = 0 [pid 5528] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5528] setpgid(0, 0) = 0 [pid 5528] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5528] write(3, "1000", 4) = 4 [pid 5528] close(3) = 0 [pid 5528] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5528] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5528] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5528] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5528] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5529 attached , parent_tid=[5529], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5529 [pid 5529] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5528] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5528] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5529] memfd_create("syzkaller", 0) = 3 [pid 5529] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5529] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5529] munmap(0x7f2811caa000, 16777216) = 0 [pid 5529] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5529] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5529] close(3) = 0 [pid 5529] mkdir("./file0", 0777) = 0 [ 180.653414][ T5529] loop0: detected capacity change from 0 to 32768 [ 180.664412][ T5529] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 180.673285][ T5529] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 180.683378][ T5529] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 180.692063][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 180.699226][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5529] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5529] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5529] chdir("./file0") = 0 [pid 5529] ioctl(4, LOOP_CLR_FD) = 0 [pid 5529] close(4) = 0 [pid 5529] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5529] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5528] <... futex resumed>) = 0 [pid 5528] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5528] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5529] <... futex resumed>) = 0 [pid 5529] open(".", O_RDONLY) = 4 [pid 5529] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5528] <... futex resumed>) = 0 [pid 5528] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5528] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5529] <... futex resumed>) = 1 [ 180.741229][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 180.748798][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 180.754220][ T5529] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 180.777721][ T5529] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5529] getdents64(4, [pid 5528] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5528] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5528] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5528] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5528] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5531], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5531 [pid 5528] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5528] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5531 attached [pid 5531] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5531] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5531] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5528] <... futex resumed>) = 0 [pid 5531] <... futex resumed>) = 1 [ 180.786370][ T5529] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 180.786370][ T5529] inode = 12 2341 [ 180.786370][ T5529] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 180.805689][ T5529] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 180.814932][ T5529] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5529 [syz-executor171] iterate_dir+0x228/0x570 [ 180.824990][ T5529] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 180.833957][ T5529] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 180.841248][ T5529] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 180.850090][ T5529] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 180.856688][ T5529] gfs2: fsid=syz:syz.0: File system withdrawn [ 180.862787][ T5529] CPU: 1 PID: 5529 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 180.872866][ T5529] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 180.882954][ T5529] Call Trace: [ 180.886251][ T5529] [ 180.889192][ T5529] dump_stack_lvl+0x1e7/0x2d0 [ 180.893893][ T5529] ? nf_tcp_handle_invalid+0x650/0x650 [ 180.899360][ T5529] ? panic+0x770/0x770 [ 180.903429][ T5529] ? kobject_uevent_env+0x54e/0x8e0 [ 180.908658][ T5529] gfs2_withdraw+0xf48/0x1550 [ 180.913398][ T5529] ? gfs2_lm+0x240/0x240 [ 180.917670][ T5529] ? gfs2_dirent_scan+0xb2/0x640 [ 180.922617][ T5529] ? panic+0x770/0x770 [ 180.926698][ T5529] ? gfs2_consist_inode_i+0xf5/0x110 [ 180.932001][ T5529] gfs2_dirent_scan+0x512/0x640 [ 180.936869][ T5529] ? gfs2_dirent_scan+0x640/0x640 [ 180.941908][ T5529] gfs2_dir_read+0x82f/0x1af0 [ 180.946598][ T5529] ? inode_dio_wait+0x2ad/0x340 [ 180.951465][ T5529] ? inode_owner_or_capable+0x1c0/0x1c0 [ 180.957031][ T5529] ? gfs2_dir_hash_inval+0x80/0x80 [ 180.962154][ T5529] ? _raw_spin_unlock+0x28/0x40 [ 180.967011][ T5529] ? gfs2_glock_nq+0xcbf/0x16c0 [ 180.971887][ T5529] ? inode_go_held+0xea/0x200 [ 180.976574][ T5529] ? gfs2_glock_wait+0x21a/0x2b0 [ 180.981532][ T5529] gfs2_readdir+0x14e/0x1b0 [ 180.986050][ T5529] ? __fdget_pos+0x254/0x2f0 [ 180.990658][ T5529] ? gfs2_fallocate+0x490/0x490 [ 180.995527][ T5529] ? iterate_dir+0x228/0x570 [ 181.000128][ T5529] ? __down_read_common+0x184/0x2c0 [ 181.005345][ T5529] ? iterate_dir+0x10e/0x570 [ 181.009956][ T5529] iterate_dir+0x228/0x570 [ 181.014391][ T5529] ? gfs2_fallocate+0x490/0x490 [ 181.019268][ T5529] __se_sys_getdents64+0x20d/0x4f0 [ 181.024396][ T5529] ? _raw_spin_unlock_irq+0x2e/0x50 [ 181.029604][ T5529] ? __x64_sys_getdents64+0x80/0x80 [ 181.034809][ T5529] ? filldir+0x740/0x740 [ 181.039065][ T5529] ? syscall_enter_from_user_mode+0x32/0x230 [ 181.045055][ T5529] ? syscall_enter_from_user_mode+0x8c/0x230 [ 181.051050][ T5529] do_syscall_64+0x41/0xc0 [ 181.055472][ T5529] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 181.061362][ T5529] RIP: 0033:0x7f281a11eab9 [ 181.065774][ T5529] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5531] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5529] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5529] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5529] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5528] exit_group(0 [pid 5529] <... futex resumed>) = ? [pid 5529] +++ exited with 0 +++ [pid 5528] <... exit_group resumed>) = ? [pid 5531] <... futex resumed>) = ? [pid 5531] +++ exited with 0 +++ [pid 5528] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5528, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=29 /* 0.29 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./131", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./131", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./131/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./131/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./131/binderfs") = 0 [ 181.085391][ T5529] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 181.093815][ T5529] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 181.101787][ T5529] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 181.109755][ T5529] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 181.117729][ T5529] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 181.125712][ T5529] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 181.133702][ T5529] umount2("./131/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./131/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./131/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./131/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./131/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./131/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./131") = 0 mkdir("./132", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5532 ./strace-static-x86_64: Process 5532 attached [pid 5532] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5532] chdir("./132") = 0 [pid 5532] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5532] setpgid(0, 0) = 0 [pid 5532] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5532] write(3, "1000", 4) = 4 [pid 5532] close(3) = 0 [pid 5532] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5532] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5532] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5532] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5532] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5533], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5533 ./strace-static-x86_64: Process 5533 attached [pid 5532] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5533] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5532] <... futex resumed>) = 0 [pid 5532] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5533] memfd_create("syzkaller", 0) = 3 [pid 5533] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5533] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5533] munmap(0x7f2811caa000, 16777216) = 0 [pid 5533] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5533] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5533] close(3) = 0 [pid 5533] mkdir("./file0", 0777) = 0 [ 181.538240][ T5533] loop0: detected capacity change from 0 to 32768 [ 181.551009][ T5533] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 181.559322][ T5533] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 181.569159][ T5533] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 181.577961][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 181.584924][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5533] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5533] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5533] chdir("./file0") = 0 [pid 5533] ioctl(4, LOOP_CLR_FD) = 0 [pid 5533] close(4) = 0 [pid 5533] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5532] <... futex resumed>) = 0 [pid 5532] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5532] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5533] <... futex resumed>) = 1 [pid 5533] open(".", O_RDONLY) = 4 [pid 5533] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5532] <... futex resumed>) = 0 [pid 5532] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5532] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5533] <... futex resumed>) = 1 [ 181.619848][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 181.628961][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 181.634294][ T5533] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 181.657869][ T5533] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5533] getdents64(4, [pid 5532] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5532] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5532] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5532] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5532] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5532] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5535], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5535 [ 181.667122][ T5533] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 181.667122][ T5533] inode = 12 2341 [ 181.667122][ T5533] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 181.686287][ T5533] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 181.695720][ T5533] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5533 [syz-executor171] iterate_dir+0x228/0x570 [ 181.705981][ T5533] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5532] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5532] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5535 attached [pid 5535] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5535] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5535] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5532] <... futex resumed>) = 0 [ 181.714532][ T5533] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 181.721756][ T5533] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 181.730849][ T5533] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 181.739440][ T5533] gfs2: fsid=syz:syz.0: File system withdrawn [ 181.745570][ T5533] CPU: 1 PID: 5533 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 181.755655][ T5533] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 181.765824][ T5533] Call Trace: [ 181.769109][ T5533] [ 181.772047][ T5533] dump_stack_lvl+0x1e7/0x2d0 [ 181.776750][ T5533] ? nf_tcp_handle_invalid+0x650/0x650 [ 181.782231][ T5533] ? panic+0x770/0x770 [ 181.786302][ T5533] ? kobject_uevent_env+0x54e/0x8e0 [ 181.791532][ T5533] gfs2_withdraw+0xf48/0x1550 [ 181.796235][ T5533] ? gfs2_lm+0x240/0x240 [ 181.800477][ T5533] ? gfs2_dirent_scan+0xb2/0x640 [ 181.805446][ T5533] ? panic+0x770/0x770 [ 181.809544][ T5533] ? gfs2_consist_inode_i+0xf5/0x110 [ 181.814838][ T5533] gfs2_dirent_scan+0x512/0x640 [ 181.819705][ T5533] ? gfs2_dirent_scan+0x640/0x640 [ 181.824748][ T5533] gfs2_dir_read+0x82f/0x1af0 [ 181.829443][ T5533] ? inode_dio_wait+0x2ad/0x340 [ 181.834319][ T5533] ? inode_owner_or_capable+0x1c0/0x1c0 [ 181.839917][ T5533] ? gfs2_dir_hash_inval+0x80/0x80 [ 181.845050][ T5533] ? _raw_spin_unlock+0x28/0x40 [ 181.849911][ T5533] ? gfs2_glock_nq+0xcbf/0x16c0 [ 181.854792][ T5533] ? inode_go_held+0xea/0x200 [ 181.859479][ T5533] ? gfs2_glock_wait+0x21a/0x2b0 [ 181.864432][ T5533] gfs2_readdir+0x14e/0x1b0 [ 181.868943][ T5533] ? __fdget_pos+0x254/0x2f0 [ 181.873536][ T5533] ? gfs2_fallocate+0x490/0x490 [ 181.878406][ T5533] ? iterate_dir+0x228/0x570 [ 181.883012][ T5533] ? __down_read_common+0x184/0x2c0 [ 181.888244][ T5533] ? iterate_dir+0x10e/0x570 [ 181.892856][ T5533] iterate_dir+0x228/0x570 [ 181.897310][ T5533] ? gfs2_fallocate+0x490/0x490 [ 181.902198][ T5533] __se_sys_getdents64+0x20d/0x4f0 [ 181.907321][ T5533] ? _raw_spin_unlock_irq+0x2e/0x50 [ 181.912550][ T5533] ? __x64_sys_getdents64+0x80/0x80 [ 181.917771][ T5533] ? filldir+0x740/0x740 [ 181.922054][ T5533] ? syscall_enter_from_user_mode+0x32/0x230 [ 181.928049][ T5533] ? syscall_enter_from_user_mode+0x8c/0x230 [ 181.934046][ T5533] do_syscall_64+0x41/0xc0 [ 181.938490][ T5533] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 181.944481][ T5533] RIP: 0033:0x7f281a11eab9 [ 181.948899][ T5533] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5535] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5533] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5533] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5533] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5532] exit_group(0 [pid 5535] <... futex resumed>) = ? [pid 5533] <... futex resumed>) = ? [pid 5533] +++ exited with 0 +++ [pid 5535] +++ exited with 0 +++ [pid 5532] <... exit_group resumed>) = ? [pid 5532] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5532, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./132", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./132", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./132/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./132/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./132/binderfs") = 0 [ 181.968523][ T5533] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 181.976951][ T5533] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 181.984935][ T5533] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 181.992906][ T5533] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 182.000877][ T5533] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 182.008851][ T5533] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 182.016839][ T5533] umount2("./132/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./132/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./132/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./132/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./132/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./132/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./132") = 0 mkdir("./133", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5536 ./strace-static-x86_64: Process 5536 attached [pid 5536] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5536] chdir("./133") = 0 [pid 5536] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5536] setpgid(0, 0) = 0 [pid 5536] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5536] write(3, "1000", 4) = 4 [pid 5536] close(3) = 0 [pid 5536] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5536] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5536] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5536] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5536] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5537 attached , parent_tid=[5537], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5537 [pid 5537] set_robust_list(0x7f281a0ca9e0, 24 [pid 5536] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5537] <... set_robust_list resumed>) = 0 [pid 5536] <... futex resumed>) = 0 [pid 5536] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5537] memfd_create("syzkaller", 0) = 3 [pid 5537] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5537] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5537] munmap(0x7f2811caa000, 16777216) = 0 [pid 5537] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5537] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5537] close(3) = 0 [pid 5537] mkdir("./file0", 0777) = 0 [ 182.392533][ T5537] loop0: detected capacity change from 0 to 32768 [ 182.404549][ T5537] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 182.413053][ T5537] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 182.422457][ T5537] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 182.431199][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 182.438325][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5537] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5537] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5537] chdir("./file0") = 0 [pid 5537] ioctl(4, LOOP_CLR_FD) = 0 [pid 5537] close(4) = 0 [pid 5537] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5536] <... futex resumed>) = 0 [pid 5537] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5536] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5537] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5536] <... futex resumed>) = 0 [pid 5537] open(".", O_RDONLY [pid 5536] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5537] <... open resumed>) = 4 [pid 5537] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5536] <... futex resumed>) = 0 [pid 5537] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5536] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5536] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5537] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [ 182.480847][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 182.489861][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 182.495322][ T5537] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 182.527162][ T5537] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 182.535760][ T5537] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 182.535760][ T5537] inode = 12 2341 [ 182.535760][ T5537] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 182.554699][ T5537] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 182.564001][ T5537] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5537 [syz-executor171] iterate_dir+0x228/0x570 [pid 5537] getdents64(4, [pid 5536] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5536] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5536] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5536] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5536] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5539], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5539 [pid 5536] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5536] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5539 attached [pid 5539] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5539] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5539] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5536] <... futex resumed>) = 0 [pid 5539] <... futex resumed>) = 1 [ 182.574047][ T5537] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 182.582806][ T5537] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 182.590382][ T5537] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 182.599886][ T5537] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 182.606505][ T5537] gfs2: fsid=syz:syz.0: File system withdrawn [ 182.612594][ T5537] CPU: 0 PID: 5537 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 182.622693][ T5537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 182.632766][ T5537] Call Trace: [ 182.636051][ T5537] [ 182.638987][ T5537] dump_stack_lvl+0x1e7/0x2d0 [ 182.643689][ T5537] ? nf_tcp_handle_invalid+0x650/0x650 [ 182.649181][ T5537] ? panic+0x770/0x770 [ 182.653275][ T5537] ? kobject_uevent_env+0x54e/0x8e0 [ 182.658509][ T5537] gfs2_withdraw+0xf48/0x1550 [ 182.663246][ T5537] ? gfs2_lm+0x240/0x240 [ 182.667516][ T5537] ? gfs2_dirent_scan+0xb2/0x640 [ 182.672489][ T5537] ? panic+0x770/0x770 [ 182.676578][ T5537] ? gfs2_consist_inode_i+0xf5/0x110 [ 182.681887][ T5537] gfs2_dirent_scan+0x512/0x640 [ 182.686757][ T5537] ? gfs2_dirent_scan+0x640/0x640 [ 182.691798][ T5537] gfs2_dir_read+0x82f/0x1af0 [ 182.696500][ T5537] ? inode_dio_wait+0x2ad/0x340 [ 182.701367][ T5537] ? inode_owner_or_capable+0x1c0/0x1c0 [ 182.706930][ T5537] ? gfs2_dir_hash_inval+0x80/0x80 [ 182.712058][ T5537] ? _raw_spin_unlock+0x28/0x40 [ 182.716919][ T5537] ? gfs2_glock_nq+0xcbf/0x16c0 [ 182.721787][ T5537] ? inode_go_held+0xea/0x200 [ 182.726475][ T5537] ? gfs2_glock_wait+0x21a/0x2b0 [ 182.731429][ T5537] gfs2_readdir+0x14e/0x1b0 [ 182.735945][ T5537] ? __fdget_pos+0x254/0x2f0 [ 182.740547][ T5537] ? gfs2_fallocate+0x490/0x490 [ 182.745411][ T5537] ? iterate_dir+0x228/0x570 [ 182.750016][ T5537] ? __down_read_common+0x184/0x2c0 [ 182.755225][ T5537] ? iterate_dir+0x10e/0x570 [ 182.759825][ T5537] iterate_dir+0x228/0x570 [ 182.764249][ T5537] ? gfs2_fallocate+0x490/0x490 [ 182.769114][ T5537] __se_sys_getdents64+0x20d/0x4f0 [ 182.774238][ T5537] ? _raw_spin_unlock_irq+0x2e/0x50 [ 182.779443][ T5537] ? __x64_sys_getdents64+0x80/0x80 [ 182.784650][ T5537] ? filldir+0x740/0x740 [ 182.788921][ T5537] ? syscall_enter_from_user_mode+0x32/0x230 [ 182.794908][ T5537] ? syscall_enter_from_user_mode+0x8c/0x230 [ 182.800893][ T5537] do_syscall_64+0x41/0xc0 [ 182.805326][ T5537] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 182.811227][ T5537] RIP: 0033:0x7f281a11eab9 [ 182.815645][ T5537] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 182.835273][ T5537] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 182.843687][ T5537] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 182.851655][ T5537] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 182.859627][ T5537] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 182.867617][ T5537] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5539] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5537] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5537] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5537] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5536] exit_group(0 [pid 5537] <... futex resumed>) = ? [pid 5536] <... exit_group resumed>) = ? [pid 5539] <... futex resumed>) = ? [pid 5537] +++ exited with 0 +++ [pid 5539] +++ exited with 0 +++ [pid 5536] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5536, si_uid=0, si_status=0, si_utime=4 /* 0.04 s */, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./133", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./133", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./133/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./133/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./133/binderfs") = 0 [ 182.875594][ T5537] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 182.883573][ T5537] umount2("./133/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./133/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./133/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./133/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./133/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./133/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./133") = 0 mkdir("./134", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5540 ./strace-static-x86_64: Process 5540 attached [pid 5540] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5540] chdir("./134") = 0 [pid 5540] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5540] setpgid(0, 0) = 0 [pid 5540] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5540] write(3, "1000", 4) = 4 [pid 5540] close(3) = 0 [pid 5540] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5540] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5540] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5540] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5540] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5541 attached [pid 5541] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5541] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5540] <... clone resumed>, parent_tid=[5541], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5541 [pid 5540] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5541] <... futex resumed>) = 0 [pid 5540] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5541] memfd_create("syzkaller", 0) = 3 [pid 5541] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5541] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5541] munmap(0x7f2811caa000, 16777216) = 0 [pid 5541] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5541] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5541] close(3) = 0 [pid 5541] mkdir("./file0", 0777) = 0 [ 183.238015][ T5541] loop0: detected capacity change from 0 to 32768 [ 183.249729][ T5541] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 183.258308][ T5541] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 183.268244][ T5541] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 183.276872][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 183.283963][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5541] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5541] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5541] chdir("./file0") = 0 [pid 5541] ioctl(4, LOOP_CLR_FD) = 0 [pid 5541] close(4) = 0 [pid 5541] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5540] <... futex resumed>) = 0 [pid 5540] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5540] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5541] <... futex resumed>) = 1 [pid 5541] open(".", O_RDONLY) = 4 [pid 5541] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5540] <... futex resumed>) = 0 [pid 5540] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5540] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5541] <... futex resumed>) = 1 [ 183.324032][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 183.332349][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 183.337791][ T5541] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 183.355902][ T5541] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 183.364854][ T5541] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5541] getdents64(4, [pid 5540] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5540] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5540] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5540] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5540] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5540] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5543], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5543 [pid 5540] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5540] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5543 attached [pid 5543] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5543] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5543] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5540] <... futex resumed>) = 0 [pid 5543] <... futex resumed>) = 1 [ 183.364854][ T5541] inode = 12 2341 [ 183.364854][ T5541] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 183.384107][ T5541] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 183.393702][ T5541] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5541 [syz-executor171] iterate_dir+0x228/0x570 [ 183.404207][ T5541] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 183.413388][ T5541] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 183.421042][ T5541] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 183.429861][ T5541] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 183.436421][ T5541] gfs2: fsid=syz:syz.0: File system withdrawn [ 183.442505][ T5541] CPU: 0 PID: 5541 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 183.452592][ T5541] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 183.462667][ T5541] Call Trace: [ 183.465962][ T5541] [ 183.468888][ T5541] dump_stack_lvl+0x1e7/0x2d0 [ 183.473581][ T5541] ? nf_tcp_handle_invalid+0x650/0x650 [ 183.479055][ T5541] ? panic+0x770/0x770 [ 183.483132][ T5541] ? kobject_uevent_env+0x54e/0x8e0 [ 183.488346][ T5541] gfs2_withdraw+0xf48/0x1550 [ 183.493051][ T5541] ? gfs2_lm+0x240/0x240 [ 183.497295][ T5541] ? gfs2_dirent_scan+0xb2/0x640 [ 183.502232][ T5541] ? panic+0x770/0x770 [ 183.506307][ T5541] ? gfs2_consist_inode_i+0xf5/0x110 [ 183.511604][ T5541] gfs2_dirent_scan+0x512/0x640 [ 183.516463][ T5541] ? gfs2_dirent_scan+0x640/0x640 [ 183.521493][ T5541] gfs2_dir_read+0x82f/0x1af0 [ 183.526183][ T5541] ? inode_dio_wait+0x2ad/0x340 [ 183.531055][ T5541] ? inode_owner_or_capable+0x1c0/0x1c0 [ 183.536613][ T5541] ? gfs2_dir_hash_inval+0x80/0x80 [ 183.541731][ T5541] ? _raw_spin_unlock+0x28/0x40 [ 183.546587][ T5541] ? gfs2_glock_nq+0xcbf/0x16c0 [ 183.551460][ T5541] ? inode_go_held+0xea/0x200 [ 183.556145][ T5541] ? gfs2_glock_wait+0x21a/0x2b0 [ 183.561097][ T5541] gfs2_readdir+0x14e/0x1b0 [ 183.565614][ T5541] ? __fdget_pos+0x254/0x2f0 [ 183.570207][ T5541] ? gfs2_fallocate+0x490/0x490 [ 183.575074][ T5541] ? iterate_dir+0x228/0x570 [ 183.579674][ T5541] ? __down_read_common+0x184/0x2c0 [ 183.584889][ T5541] ? iterate_dir+0x10e/0x570 [ 183.589495][ T5541] iterate_dir+0x228/0x570 [ 183.593926][ T5541] ? gfs2_fallocate+0x490/0x490 [ 183.598799][ T5541] __se_sys_getdents64+0x20d/0x4f0 [ 183.603923][ T5541] ? _raw_spin_unlock_irq+0x2e/0x50 [ 183.609129][ T5541] ? __x64_sys_getdents64+0x80/0x80 [ 183.614344][ T5541] ? filldir+0x740/0x740 [ 183.618598][ T5541] ? syscall_enter_from_user_mode+0x32/0x230 [ 183.624586][ T5541] ? syscall_enter_from_user_mode+0x8c/0x230 [ 183.630568][ T5541] do_syscall_64+0x41/0xc0 [ 183.634998][ T5541] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 183.640895][ T5541] RIP: 0033:0x7f281a11eab9 [ 183.645321][ T5541] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 183.664927][ T5541] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5543] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5541] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5541] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5541] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5540] exit_group(0 [pid 5541] <... futex resumed>) = ? [pid 5540] <... exit_group resumed>) = ? [pid 5543] <... futex resumed>) = ? [pid 5541] +++ exited with 0 +++ [pid 5543] +++ exited with 0 +++ [pid 5540] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5540, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- umount2("./134", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./134", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./134/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./134/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./134/binderfs") = 0 [ 183.673339][ T5541] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 183.681311][ T5541] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 183.689283][ T5541] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 183.697258][ T5541] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 183.705231][ T5541] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 183.713227][ T5541] umount2("./134/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./134/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./134/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./134/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./134/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./134/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./134") = 0 mkdir("./135", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5544 ./strace-static-x86_64: Process 5544 attached [pid 5544] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5544] chdir("./135") = 0 [pid 5544] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5544] setpgid(0, 0) = 0 [pid 5544] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5544] write(3, "1000", 4) = 4 [pid 5544] close(3) = 0 [pid 5544] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5544] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5544] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5544] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5544] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5545 attached , parent_tid=[5545], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5545 [pid 5544] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5544] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5545] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5545] memfd_create("syzkaller", 0) = 3 [pid 5545] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5545] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5545] munmap(0x7f2811caa000, 16777216) = 0 [pid 5545] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5545] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5545] close(3) = 0 [pid 5545] mkdir("./file0", 0777) = 0 [ 184.074293][ T5545] loop0: detected capacity change from 0 to 32768 [ 184.085069][ T5545] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 184.093297][ T5545] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 184.102258][ T5545] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 184.110990][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 184.118052][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5545] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5545] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5545] chdir("./file0") = 0 [pid 5545] ioctl(4, LOOP_CLR_FD) = 0 [pid 5545] close(4) = 0 [pid 5545] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5544] <... futex resumed>) = 0 [pid 5544] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5544] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5545] <... futex resumed>) = 1 [pid 5545] open(".", O_RDONLY) = 4 [pid 5545] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5544] <... futex resumed>) = 0 [pid 5544] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5544] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5545] <... futex resumed>) = 1 [ 184.152718][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 184.161614][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 184.167070][ T5545] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 184.189115][ T5545] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5545] getdents64(4, [pid 5544] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5544] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5544] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5544] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5544] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5544] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5547], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5547 [pid 5544] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5544] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5547 attached [pid 5547] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5547] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5547] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5544] <... futex resumed>) = 0 [pid 5547] <... futex resumed>) = 1 [ 184.198269][ T5545] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 184.198269][ T5545] inode = 12 2341 [ 184.198269][ T5545] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 184.217768][ T5545] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 184.227160][ T5545] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5545 [syz-executor171] iterate_dir+0x228/0x570 [ 184.237184][ T5545] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 184.246178][ T5545] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 184.253635][ T5545] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 184.262403][ T5545] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 184.269593][ T5545] gfs2: fsid=syz:syz.0: File system withdrawn [ 184.276031][ T5545] CPU: 0 PID: 5545 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 184.286093][ T5545] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 184.296136][ T5545] Call Trace: [ 184.299400][ T5545] [ 184.302320][ T5545] dump_stack_lvl+0x1e7/0x2d0 [ 184.307013][ T5545] ? nf_tcp_handle_invalid+0x650/0x650 [ 184.312494][ T5545] ? panic+0x770/0x770 [ 184.316565][ T5545] ? kobject_uevent_env+0x54e/0x8e0 [ 184.321771][ T5545] gfs2_withdraw+0xf48/0x1550 [ 184.326476][ T5545] ? gfs2_lm+0x240/0x240 [ 184.330726][ T5545] ? gfs2_dirent_scan+0xb2/0x640 [ 184.335692][ T5545] ? panic+0x770/0x770 [ 184.339775][ T5545] ? gfs2_consist_inode_i+0xf5/0x110 [ 184.345085][ T5545] gfs2_dirent_scan+0x512/0x640 [ 184.349949][ T5545] ? gfs2_dirent_scan+0x640/0x640 [ 184.354988][ T5545] gfs2_dir_read+0x82f/0x1af0 [ 184.359679][ T5545] ? inode_dio_wait+0x2ad/0x340 [ 184.364537][ T5545] ? inode_owner_or_capable+0x1c0/0x1c0 [ 184.370096][ T5545] ? gfs2_dir_hash_inval+0x80/0x80 [ 184.375223][ T5545] ? _raw_spin_unlock+0x28/0x40 [ 184.380071][ T5545] ? gfs2_glock_nq+0xcbf/0x16c0 [ 184.384935][ T5545] ? inode_go_held+0xea/0x200 [ 184.389616][ T5545] ? gfs2_glock_wait+0x21a/0x2b0 [ 184.394564][ T5545] gfs2_readdir+0x14e/0x1b0 [ 184.399089][ T5545] ? __fdget_pos+0x254/0x2f0 [ 184.403685][ T5545] ? gfs2_fallocate+0x490/0x490 [ 184.408550][ T5545] ? iterate_dir+0x228/0x570 [ 184.413151][ T5545] ? __down_read_common+0x184/0x2c0 [ 184.418358][ T5545] ? iterate_dir+0x10e/0x570 [ 184.422963][ T5545] iterate_dir+0x228/0x570 [ 184.427387][ T5545] ? gfs2_fallocate+0x490/0x490 [ 184.432246][ T5545] __se_sys_getdents64+0x20d/0x4f0 [ 184.437366][ T5545] ? _raw_spin_unlock_irq+0x2e/0x50 [ 184.442568][ T5545] ? __x64_sys_getdents64+0x80/0x80 [ 184.447790][ T5545] ? filldir+0x740/0x740 [ 184.452054][ T5545] ? syscall_enter_from_user_mode+0x32/0x230 [ 184.458049][ T5545] ? syscall_enter_from_user_mode+0x8c/0x230 [ 184.464053][ T5545] do_syscall_64+0x41/0xc0 [ 184.468478][ T5545] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 184.474381][ T5545] RIP: 0033:0x7f281a11eab9 [ 184.478807][ T5545] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5547] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5545] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5545] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5545] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5544] exit_group(0) = ? [pid 5545] <... futex resumed>) = ? [pid 5547] <... futex resumed>) = ? [pid 5545] +++ exited with 0 +++ [pid 5547] +++ exited with 0 +++ [pid 5544] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5544, si_uid=0, si_status=0, si_utime=0, si_stime=36 /* 0.36 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./135", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./135", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./135/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./135/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./135/binderfs") = 0 [ 184.498499][ T5545] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 184.506920][ T5545] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 184.514894][ T5545] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 184.522861][ T5545] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 184.530831][ T5545] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 184.538809][ T5545] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 184.546796][ T5545] umount2("./135/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./135/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./135/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./135/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./135/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./135/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./135") = 0 mkdir("./136", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5548 ./strace-static-x86_64: Process 5548 attached [pid 5548] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5548] chdir("./136") = 0 [pid 5548] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5548] setpgid(0, 0) = 0 [pid 5548] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5548] write(3, "1000", 4) = 4 [pid 5548] close(3) = 0 [pid 5548] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5548] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5548] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5548] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5548] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5549], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5549 [pid 5548] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5548] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5549 attached [pid 5549] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5549] memfd_create("syzkaller", 0) = 3 [pid 5549] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5549] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5549] munmap(0x7f2811caa000, 16777216) = 0 [pid 5549] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5549] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5549] close(3) = 0 [pid 5549] mkdir("./file0", 0777) = 0 [ 184.898937][ T5549] loop0: detected capacity change from 0 to 32768 [ 184.910237][ T5549] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 184.918792][ T5549] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 184.928235][ T5549] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 184.936932][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 184.943957][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5549] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5549] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5549] chdir("./file0") = 0 [pid 5549] ioctl(4, LOOP_CLR_FD) = 0 [pid 5549] close(4) = 0 [pid 5549] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5548] <... futex resumed>) = 0 [pid 5549] open(".", O_RDONLY [pid 5548] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5549] <... open resumed>) = 4 [pid 5548] <... futex resumed>) = 0 [pid 5548] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5549] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5548] <... futex resumed>) = 0 [pid 5548] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5549] <... futex resumed>) = 1 [pid 5548] <... futex resumed>) = 0 [pid 5549] getdents64(4, [ 184.986007][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 184.993689][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 184.998933][ T5549] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 185.012699][ T5549] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 185.021223][ T5549] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 185.021223][ T5549] inode = 12 2341 [pid 5548] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5548] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5548] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5548] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5548] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5551], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5551 [pid 5548] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5548] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5551 attached [pid 5551] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5551] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5551] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5548] <... futex resumed>) = 0 [pid 5551] <... futex resumed>) = 1 [ 185.021223][ T5549] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 185.040004][ T5549] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 185.049290][ T5549] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5549 [syz-executor171] iterate_dir+0x228/0x570 [ 185.059411][ T5549] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 185.068003][ T5549] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 185.075392][ T5549] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 185.084273][ T5549] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 185.090876][ T5549] gfs2: fsid=syz:syz.0: File system withdrawn [ 185.097079][ T5549] CPU: 1 PID: 5549 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 185.107157][ T5549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 185.117225][ T5549] Call Trace: [ 185.120510][ T5549] [ 185.123468][ T5549] dump_stack_lvl+0x1e7/0x2d0 [ 185.128193][ T5549] ? nf_tcp_handle_invalid+0x650/0x650 [ 185.133698][ T5549] ? panic+0x770/0x770 [ 185.137801][ T5549] ? kobject_uevent_env+0x54e/0x8e0 [ 185.143048][ T5549] gfs2_withdraw+0xf48/0x1550 [ 185.147767][ T5549] ? gfs2_lm+0x240/0x240 [ 185.152049][ T5549] ? gfs2_dirent_scan+0xb2/0x640 [ 185.157014][ T5549] ? panic+0x770/0x770 [ 185.161122][ T5549] ? gfs2_consist_inode_i+0xf5/0x110 [ 185.166436][ T5549] gfs2_dirent_scan+0x512/0x640 [ 185.171305][ T5549] ? gfs2_dirent_scan+0x640/0x640 [ 185.176385][ T5549] gfs2_dir_read+0x82f/0x1af0 [ 185.181084][ T5549] ? inode_dio_wait+0x2ad/0x340 [pid 5551] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5548] exit_group(0 [pid 5551] <... futex resumed>) = ? [pid 5548] <... exit_group resumed>) = ? [pid 5551] +++ exited with 0 +++ [ 185.185963][ T5549] ? inode_owner_or_capable+0x1c0/0x1c0 [ 185.191531][ T5549] ? gfs2_dir_hash_inval+0x80/0x80 [ 185.196681][ T5549] ? _raw_spin_unlock+0x28/0x40 [ 185.201551][ T5549] ? gfs2_glock_nq+0xcbf/0x16c0 [ 185.206456][ T5549] ? inode_go_held+0xea/0x200 [ 185.211167][ T5549] ? gfs2_glock_wait+0x21a/0x2b0 [ 185.216138][ T5549] gfs2_readdir+0x14e/0x1b0 [ 185.220678][ T5549] ? __fdget_pos+0x254/0x2f0 [ 185.225269][ T5549] ? gfs2_fallocate+0x490/0x490 [ 185.230143][ T5549] ? iterate_dir+0x228/0x570 [ 185.234755][ T5549] ? __down_read_common+0x184/0x2c0 [ 185.239965][ T5549] ? iterate_dir+0x10e/0x570 [ 185.244578][ T5549] iterate_dir+0x228/0x570 [ 185.248995][ T5549] ? gfs2_fallocate+0x490/0x490 [ 185.253864][ T5549] __se_sys_getdents64+0x20d/0x4f0 [ 185.259000][ T5549] ? _raw_spin_unlock_irq+0x2e/0x50 [ 185.264214][ T5549] ? __x64_sys_getdents64+0x80/0x80 [ 185.269426][ T5549] ? filldir+0x740/0x740 [ 185.273674][ T5549] ? syscall_enter_from_user_mode+0x32/0x230 [ 185.279689][ T5549] ? syscall_enter_from_user_mode+0x8c/0x230 [ 185.285676][ T5549] do_syscall_64+0x41/0xc0 [ 185.290115][ T5549] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 185.296002][ T5549] RIP: 0033:0x7f281a11eab9 [ 185.300409][ T5549] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 185.320017][ T5549] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 185.328437][ T5549] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [pid 5549] <... getdents64 resumed> ) = ? [pid 5549] +++ exited with 0 +++ [pid 5548] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5548, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- umount2("./136", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./136", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./136/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./136/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./136/binderfs") = 0 [ 185.336413][ T5549] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 185.344381][ T5549] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 185.352361][ T5549] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 185.360358][ T5549] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 185.368342][ T5549] umount2("./136/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./136/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./136/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./136/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./136/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./136/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./136") = 0 mkdir("./137", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5552 ./strace-static-x86_64: Process 5552 attached [pid 5552] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5552] chdir("./137") = 0 [pid 5552] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5552] setpgid(0, 0) = 0 [pid 5552] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5552] write(3, "1000", 4) = 4 [pid 5552] close(3) = 0 [pid 5552] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5552] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5552] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5552] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5552] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5553], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5553 ./strace-static-x86_64: Process 5553 attached [pid 5552] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5552] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5553] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5553] memfd_create("syzkaller", 0) = 3 [pid 5553] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5553] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5553] munmap(0x7f2811caa000, 16777216) = 0 [pid 5553] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5553] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5553] close(3) = 0 [pid 5553] mkdir("./file0", 0777) = 0 [ 185.716902][ T5553] loop0: detected capacity change from 0 to 32768 [ 185.730132][ T5553] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 185.738539][ T5553] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 185.747809][ T5553] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 185.756518][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 185.763669][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5553] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5553] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5553] chdir("./file0") = 0 [pid 5553] ioctl(4, LOOP_CLR_FD) = 0 [pid 5553] close(4) = 0 [pid 5553] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5552] <... futex resumed>) = 0 [pid 5552] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5552] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5553] <... futex resumed>) = 1 [pid 5553] open(".", O_RDONLY) = 4 [pid 5553] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5552] <... futex resumed>) = 0 [pid 5552] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5552] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5553] <... futex resumed>) = 1 [ 185.802657][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 185.810207][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 185.815562][ T5553] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 185.829622][ T5553] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 185.838130][ T5553] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 185.838130][ T5553] inode = 12 2341 [pid 5553] getdents64(4, [pid 5552] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5552] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5552] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5552] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5552] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5555], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5555 [pid 5552] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5552] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5555 attached [pid 5555] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5555] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5555] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5552] <... futex resumed>) = 0 [pid 5555] <... futex resumed>) = 1 [ 185.838130][ T5553] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 185.856928][ T5553] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 185.866025][ T5553] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5553 [syz-executor171] iterate_dir+0x228/0x570 [ 185.876062][ T5553] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 185.884589][ T5553] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 185.891827][ T5553] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 185.900832][ T5553] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 185.907430][ T5553] gfs2: fsid=syz:syz.0: File system withdrawn [ 185.913592][ T5553] CPU: 1 PID: 5553 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 185.923670][ T5553] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 185.933732][ T5553] Call Trace: [ 185.937033][ T5553] [ 185.939984][ T5553] dump_stack_lvl+0x1e7/0x2d0 [ 185.944719][ T5553] ? nf_tcp_handle_invalid+0x650/0x650 [ 185.950183][ T5553] ? panic+0x770/0x770 [ 185.954258][ T5553] ? kobject_uevent_env+0x54e/0x8e0 [ 185.959491][ T5553] gfs2_withdraw+0xf48/0x1550 [ 185.964220][ T5553] ? gfs2_lm+0x240/0x240 [ 185.968483][ T5553] ? gfs2_dirent_scan+0xb2/0x640 [ 185.973437][ T5553] ? panic+0x770/0x770 [ 185.977523][ T5553] ? gfs2_consist_inode_i+0xf5/0x110 [ 185.982839][ T5553] gfs2_dirent_scan+0x512/0x640 [ 185.987792][ T5553] ? gfs2_dirent_scan+0x640/0x640 [ 185.992825][ T5553] gfs2_dir_read+0x82f/0x1af0 [ 185.997521][ T5553] ? inode_dio_wait+0x2ad/0x340 [ 186.002385][ T5553] ? inode_owner_or_capable+0x1c0/0x1c0 [ 186.007948][ T5553] ? gfs2_dir_hash_inval+0x80/0x80 [ 186.013071][ T5553] ? _raw_spin_unlock+0x28/0x40 [ 186.017924][ T5553] ? gfs2_glock_nq+0xcbf/0x16c0 [ 186.022795][ T5553] ? inode_go_held+0xea/0x200 [ 186.027493][ T5553] ? gfs2_glock_wait+0x21a/0x2b0 [ 186.032450][ T5553] gfs2_readdir+0x14e/0x1b0 [ 186.036966][ T5553] ? __fdget_pos+0x254/0x2f0 [ 186.041563][ T5553] ? gfs2_fallocate+0x490/0x490 [ 186.046423][ T5553] ? iterate_dir+0x228/0x570 [ 186.051024][ T5553] ? __down_read_common+0x184/0x2c0 [ 186.056249][ T5553] ? iterate_dir+0x10e/0x570 [ 186.060856][ T5553] iterate_dir+0x228/0x570 [ 186.065392][ T5553] ? gfs2_fallocate+0x490/0x490 [ 186.070256][ T5553] __se_sys_getdents64+0x20d/0x4f0 [ 186.075388][ T5553] ? _raw_spin_unlock_irq+0x2e/0x50 [ 186.080621][ T5553] ? __x64_sys_getdents64+0x80/0x80 [ 186.085845][ T5553] ? filldir+0x740/0x740 [ 186.090104][ T5553] ? syscall_enter_from_user_mode+0x32/0x230 [ 186.096092][ T5553] ? syscall_enter_from_user_mode+0x8c/0x230 [ 186.102161][ T5553] do_syscall_64+0x41/0xc0 [ 186.106592][ T5553] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 186.112484][ T5553] RIP: 0033:0x7f281a11eab9 [ 186.116899][ T5553] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 186.136510][ T5553] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 186.144935][ T5553] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [pid 5555] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5553] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5553] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5552] exit_group(0 [pid 5553] <... futex resumed>) = ? [pid 5552] <... exit_group resumed>) = ? [pid 5553] +++ exited with 0 +++ [pid 5555] <... futex resumed>) = ? [pid 5555] +++ exited with 0 +++ [pid 5552] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5552, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./137", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./137", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./137/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./137/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./137/binderfs") = 0 [ 186.152912][ T5553] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 186.160889][ T5553] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 186.168865][ T5553] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 186.176838][ T5553] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 186.184833][ T5553] umount2("./137/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./137/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./137/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./137/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./137/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./137/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./137") = 0 mkdir("./138", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5556 ./strace-static-x86_64: Process 5556 attached [pid 5556] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5556] chdir("./138") = 0 [pid 5556] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5556] setpgid(0, 0) = 0 [pid 5556] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5556] write(3, "1000", 4) = 4 [pid 5556] close(3) = 0 [pid 5556] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5556] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5556] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5556] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5556] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5557 attached [pid 5557] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5557] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5556] <... clone resumed>, parent_tid=[5557], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5557 [pid 5556] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5557] <... futex resumed>) = 0 [pid 5556] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5557] memfd_create("syzkaller", 0) = 3 [pid 5557] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5557] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5557] munmap(0x7f2811caa000, 16777216) = 0 [pid 5557] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5557] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5557] close(3) = 0 [pid 5557] mkdir("./file0", 0777) = 0 [ 186.587454][ T5557] loop0: detected capacity change from 0 to 32768 [ 186.600709][ T5557] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 186.608935][ T5557] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 186.618995][ T5557] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 186.627702][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 186.634696][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5557] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5557] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5557] chdir("./file0") = 0 [pid 5557] ioctl(4, LOOP_CLR_FD) = 0 [pid 5557] close(4) = 0 [pid 5557] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5557] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5556] <... futex resumed>) = 0 [pid 5556] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5556] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5557] <... futex resumed>) = 0 [pid 5557] open(".", O_RDONLY) = 4 [pid 5557] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5556] <... futex resumed>) = 0 [pid 5556] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5556] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5557] <... futex resumed>) = 1 [ 186.677178][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 186.684736][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 186.689991][ T5557] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 186.712159][ T5557] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5557] getdents64(4, [pid 5556] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5556] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5556] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5556] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5556] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5556] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5559], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5559 [pid 5556] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5556] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5559 attached [pid 5559] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 186.721336][ T5557] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 186.721336][ T5557] inode = 12 2341 [ 186.721336][ T5557] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 186.740755][ T5557] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 186.750109][ T5557] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5557 [syz-executor171] iterate_dir+0x228/0x570 [ 186.763313][ T5557] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 186.769189][ T5559] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 186.771748][ T5557] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 186.771766][ T5557] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 186.771782][ T5557] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 186.781076][ T5559] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 186.789425][ T5557] gfs2: fsid=syz:syz.0: File system withdrawn [ 186.796835][ T5559] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5557 [syz-executor171] iterate_dir+0x228/0x570 [pid 5559] open("./file0", O_RDONLY [pid 5556] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 186.802620][ T5557] CPU: 1 PID: 5557 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 186.812307][ T5559] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5559 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 186.817668][ T5557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 186.817685][ T5557] Call Trace: [ 186.817694][ T5557] [ 186.817704][ T5557] dump_stack_lvl+0x1e7/0x2d0 [ 186.817743][ T5557] ? nf_tcp_handle_invalid+0x650/0x650 [ 186.829385][ T5559] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 186.837672][ T5557] ? panic+0x770/0x770 [ 186.837705][ T5557] ? kobject_uevent_env+0x54e/0x8e0 [ 186.837748][ T5557] gfs2_withdraw+0xf48/0x1550 [ 186.896477][ T5557] ? gfs2_lm+0x240/0x240 [ 186.900776][ T5557] ? gfs2_dirent_scan+0xb2/0x640 [ 186.905733][ T5557] ? panic+0x770/0x770 [ 186.909814][ T5557] ? gfs2_consist_inode_i+0xf5/0x110 [ 186.915109][ T5557] gfs2_dirent_scan+0x512/0x640 [ 186.919966][ T5557] ? gfs2_dirent_scan+0x640/0x640 [ 186.925007][ T5557] gfs2_dir_read+0x82f/0x1af0 [ 186.929707][ T5557] ? inode_dio_wait+0x2ad/0x340 [ 186.934562][ T5557] ? inode_owner_or_capable+0x1c0/0x1c0 [ 186.940119][ T5557] ? gfs2_dir_hash_inval+0x80/0x80 [ 186.945241][ T5557] ? _raw_spin_unlock+0x28/0x40 [ 186.950089][ T5557] ? gfs2_glock_nq+0xcbf/0x16c0 [ 186.954953][ T5557] ? inode_go_held+0xea/0x200 [ 186.959627][ T5557] ? gfs2_glock_wait+0x21a/0x2b0 [ 186.964568][ T5557] gfs2_readdir+0x14e/0x1b0 [ 186.969082][ T5557] ? __fdget_pos+0x254/0x2f0 [ 186.973677][ T5557] ? gfs2_fallocate+0x490/0x490 [ 186.978539][ T5557] ? iterate_dir+0x228/0x570 [ 186.983141][ T5557] ? __down_read_common+0x184/0x2c0 [ 186.988345][ T5557] ? iterate_dir+0x10e/0x570 [ 186.992948][ T5557] iterate_dir+0x228/0x570 [ 186.997372][ T5557] ? gfs2_fallocate+0x490/0x490 [ 187.002234][ T5557] __se_sys_getdents64+0x20d/0x4f0 [ 187.007351][ T5557] ? _raw_spin_unlock_irq+0x2e/0x50 [ 187.012567][ T5557] ? __x64_sys_getdents64+0x80/0x80 [ 187.017773][ T5557] ? filldir+0x740/0x740 [ 187.022034][ T5557] ? syscall_enter_from_user_mode+0x32/0x230 [ 187.029421][ T5557] ? syscall_enter_from_user_mode+0x8c/0x230 [ 187.035429][ T5557] do_syscall_64+0x41/0xc0 [ 187.039887][ T5557] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 187.045814][ T5557] RIP: 0033:0x7f281a11eab9 [ 187.050235][ T5557] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 187.069851][ T5557] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5557] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5557] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5557] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5559] <... open resumed>) = -1 EIO (Input/output error) [pid 5559] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5559] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5556] exit_group(0 [pid 5557] <... futex resumed>) = ? [pid 5556] <... exit_group resumed>) = ? [pid 5557] +++ exited with 0 +++ [pid 5559] <... futex resumed>) = ? [pid 5559] +++ exited with 0 +++ [pid 5556] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5556, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=43 /* 0.43 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./138", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./138", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./138/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./138/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./138/binderfs") = 0 [ 187.078274][ T5557] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 187.086253][ T5557] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 187.094228][ T5557] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 187.102233][ T5557] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 187.110207][ T5557] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 187.118196][ T5557] umount2("./138/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./138/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./138/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./138/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./138/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./138/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./138") = 0 mkdir("./139", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5560 ./strace-static-x86_64: Process 5560 attached [pid 5560] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5560] chdir("./139") = 0 [pid 5560] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5560] setpgid(0, 0) = 0 [pid 5560] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5560] write(3, "1000", 4) = 4 [pid 5560] close(3) = 0 [pid 5560] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5560] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5560] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5560] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5560] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5561], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5561 ./strace-static-x86_64: Process 5561 attached [pid 5560] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5561] set_robust_list(0x7f281a0ca9e0, 24 [pid 5560] <... futex resumed>) = 0 [pid 5560] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5561] <... set_robust_list resumed>) = 0 [pid 5561] memfd_create("syzkaller", 0) = 3 [pid 5561] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5561] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5561] munmap(0x7f2811caa000, 16777216) = 0 [pid 5561] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5561] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5561] close(3) = 0 [pid 5561] mkdir("./file0", 0777) = 0 [ 187.494585][ T5561] loop0: detected capacity change from 0 to 32768 [ 187.505254][ T5561] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 187.513485][ T5561] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 187.522486][ T5561] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 187.531331][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 187.538209][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5561] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5561] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5561] chdir("./file0") = 0 [pid 5561] ioctl(4, LOOP_CLR_FD) = 0 [pid 5561] close(4) = 0 [pid 5561] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5560] <... futex resumed>) = 0 [pid 5560] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5560] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5561] <... futex resumed>) = 1 [pid 5561] open(".", O_RDONLY) = 4 [pid 5561] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5560] <... futex resumed>) = 0 [pid 5560] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5560] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5561] <... futex resumed>) = 1 [ 187.575434][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 37ms [ 187.584447][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 187.589707][ T5561] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 187.608398][ T5561] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 187.616971][ T5561] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5561] getdents64(4, [pid 5560] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5560] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5560] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5560] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5560] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5563], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5563 [pid 5560] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5560] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5563 attached [pid 5563] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5563] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5563] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5560] <... futex resumed>) = 0 [pid 5563] <... futex resumed>) = 1 [ 187.616971][ T5561] inode = 12 2341 [ 187.616971][ T5561] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 187.635843][ T5561] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 187.645034][ T5561] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5561 [syz-executor171] iterate_dir+0x228/0x570 [ 187.655009][ T5561] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 187.663510][ T5561] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 187.670771][ T5561] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 187.679623][ T5561] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 187.686201][ T5561] gfs2: fsid=syz:syz.0: File system withdrawn [ 187.692292][ T5561] CPU: 1 PID: 5561 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 187.702388][ T5561] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 187.712448][ T5561] Call Trace: [ 187.715743][ T5561] [ 187.718680][ T5561] dump_stack_lvl+0x1e7/0x2d0 [ 187.723376][ T5561] ? nf_tcp_handle_invalid+0x650/0x650 [ 187.728852][ T5561] ? panic+0x770/0x770 [ 187.732939][ T5561] ? kobject_uevent_env+0x54e/0x8e0 [ 187.738155][ T5561] gfs2_withdraw+0xf48/0x1550 [ 187.742860][ T5561] ? gfs2_lm+0x240/0x240 [ 187.747117][ T5561] ? gfs2_dirent_scan+0xb2/0x640 [ 187.752067][ T5561] ? panic+0x770/0x770 [ 187.756152][ T5561] ? gfs2_consist_inode_i+0xf5/0x110 [ 187.761451][ T5561] gfs2_dirent_scan+0x512/0x640 [ 187.766312][ T5561] ? gfs2_dirent_scan+0x640/0x640 [ 187.771347][ T5561] gfs2_dir_read+0x82f/0x1af0 [ 187.776059][ T5561] ? inode_dio_wait+0x2ad/0x340 [ 187.780919][ T5561] ? inode_owner_or_capable+0x1c0/0x1c0 [ 187.786472][ T5561] ? gfs2_dir_hash_inval+0x80/0x80 [ 187.791591][ T5561] ? _raw_spin_unlock+0x28/0x40 [ 187.796444][ T5561] ? gfs2_glock_nq+0xcbf/0x16c0 [ 187.801304][ T5561] ? inode_go_held+0xea/0x200 [ 187.805981][ T5561] ? gfs2_glock_wait+0x21a/0x2b0 [ 187.810931][ T5561] gfs2_readdir+0x14e/0x1b0 [ 187.815445][ T5561] ? __fdget_pos+0x254/0x2f0 [ 187.820048][ T5561] ? gfs2_fallocate+0x490/0x490 [ 187.824905][ T5561] ? iterate_dir+0x228/0x570 [ 187.829500][ T5561] ? __down_read_common+0x184/0x2c0 [ 187.834710][ T5561] ? iterate_dir+0x10e/0x570 [ 187.839310][ T5561] iterate_dir+0x228/0x570 [ 187.843742][ T5561] ? gfs2_fallocate+0x490/0x490 [ 187.848603][ T5561] __se_sys_getdents64+0x20d/0x4f0 [ 187.853745][ T5561] ? _raw_spin_unlock_irq+0x2e/0x50 [ 187.858949][ T5561] ? __x64_sys_getdents64+0x80/0x80 [ 187.864164][ T5561] ? filldir+0x740/0x740 [ 187.868434][ T5561] ? syscall_enter_from_user_mode+0x32/0x230 [ 187.874436][ T5561] ? syscall_enter_from_user_mode+0x8c/0x230 [ 187.880419][ T5561] do_syscall_64+0x41/0xc0 [ 187.884855][ T5561] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 187.890764][ T5561] RIP: 0033:0x7f281a11eab9 [ 187.895187][ T5561] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 187.914799][ T5561] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5563] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5561] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5561] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5560] exit_group(0 [pid 5561] <... futex resumed>) = ? [pid 5560] <... exit_group resumed>) = ? [pid 5561] +++ exited with 0 +++ [pid 5563] <... futex resumed>) = ? [pid 5563] +++ exited with 0 +++ [pid 5560] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5560, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./139", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./139", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./139/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./139/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./139/binderfs") = 0 [ 187.923214][ T5561] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 187.931192][ T5561] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 187.939170][ T5561] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 187.947142][ T5561] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 187.955124][ T5561] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 187.963109][ T5561] umount2("./139/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./139/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./139/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./139/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./139/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./139/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./139") = 0 mkdir("./140", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5564 ./strace-static-x86_64: Process 5564 attached [pid 5564] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5564] chdir("./140") = 0 [pid 5564] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5564] setpgid(0, 0) = 0 [pid 5564] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5564] write(3, "1000", 4) = 4 [pid 5564] close(3) = 0 [pid 5564] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5564] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5564] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5564] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5564] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5565 attached , parent_tid=[5565], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5565 [pid 5565] set_robust_list(0x7f281a0ca9e0, 24 [pid 5564] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5565] <... set_robust_list resumed>) = 0 [pid 5564] <... futex resumed>) = 0 [pid 5564] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5565] memfd_create("syzkaller", 0) = 3 [pid 5565] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5565] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5565] munmap(0x7f2811caa000, 16777216) = 0 [pid 5565] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5565] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5565] close(3) = 0 [pid 5565] mkdir("./file0", 0777) = 0 [ 188.313990][ T5565] loop0: detected capacity change from 0 to 32768 [ 188.324908][ T5565] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 188.333101][ T5565] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 188.342431][ T5565] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 188.351035][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 188.357912][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5565] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5565] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5565] chdir("./file0") = 0 [pid 5565] ioctl(4, LOOP_CLR_FD) = 0 [pid 5565] close(4) = 0 [pid 5565] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5565] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5564] <... futex resumed>) = 0 [pid 5564] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5564] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5565] <... futex resumed>) = 0 [pid 5565] open(".", O_RDONLY) = 4 [pid 5565] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5564] <... futex resumed>) = 0 [pid 5564] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5565] <... futex resumed>) = 1 [pid 5564] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 188.398272][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 188.406487][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 188.411761][ T5565] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 188.437254][ T5565] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5565] getdents64(4, [pid 5564] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5564] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5564] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5564] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5564] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5567 attached , parent_tid=[5567], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5567 [pid 5564] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5564] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5567] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 188.446076][ T5565] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 188.446076][ T5565] inode = 12 2341 [ 188.446076][ T5565] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 188.465195][ T5565] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 188.474481][ T5565] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5565 [syz-executor171] iterate_dir+0x228/0x570 [ 188.484961][ T5565] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [pid 5567] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5567] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5564] <... futex resumed>) = 0 [pid 5567] <... futex resumed>) = 1 [ 188.496225][ T5565] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 188.503539][ T5565] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 188.512303][ T5565] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 188.518934][ T5565] gfs2: fsid=syz:syz.0: File system withdrawn [ 188.525088][ T5565] CPU: 1 PID: 5565 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 188.535163][ T5565] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 188.545215][ T5565] Call Trace: [ 188.548491][ T5565] [ 188.551424][ T5565] dump_stack_lvl+0x1e7/0x2d0 [ 188.556129][ T5565] ? nf_tcp_handle_invalid+0x650/0x650 [ 188.561619][ T5565] ? panic+0x770/0x770 [ 188.565703][ T5565] ? kobject_uevent_env+0x54e/0x8e0 [ 188.570919][ T5565] gfs2_withdraw+0xf48/0x1550 [ 188.575619][ T5565] ? gfs2_lm+0x240/0x240 [ 188.579866][ T5565] ? gfs2_dirent_scan+0xb2/0x640 [ 188.584804][ T5565] ? panic+0x770/0x770 [ 188.588898][ T5565] ? gfs2_consist_inode_i+0xf5/0x110 [ 188.594187][ T5565] gfs2_dirent_scan+0x512/0x640 [ 188.599039][ T5565] ? gfs2_dirent_scan+0x640/0x640 [ 188.604102][ T5565] gfs2_dir_read+0x82f/0x1af0 [ 188.608811][ T5565] ? inode_dio_wait+0x2ad/0x340 [ 188.613675][ T5565] ? inode_owner_or_capable+0x1c0/0x1c0 [ 188.619238][ T5565] ? gfs2_dir_hash_inval+0x80/0x80 [ 188.624356][ T5565] ? _raw_spin_unlock+0x28/0x40 [ 188.629230][ T5565] ? gfs2_glock_nq+0xcbf/0x16c0 [ 188.634096][ T5565] ? inode_go_held+0xea/0x200 [ 188.638789][ T5565] ? gfs2_glock_wait+0x21a/0x2b0 [ 188.643740][ T5565] gfs2_readdir+0x14e/0x1b0 [ 188.648253][ T5565] ? __fdget_pos+0x254/0x2f0 [ 188.652852][ T5565] ? gfs2_fallocate+0x490/0x490 [ 188.657716][ T5565] ? iterate_dir+0x228/0x570 [ 188.662319][ T5565] ? __down_read_common+0x184/0x2c0 [ 188.667529][ T5565] ? iterate_dir+0x10e/0x570 [ 188.672155][ T5565] iterate_dir+0x228/0x570 [ 188.676581][ T5565] ? gfs2_fallocate+0x490/0x490 [ 188.681440][ T5565] __se_sys_getdents64+0x20d/0x4f0 [ 188.686564][ T5565] ? _raw_spin_unlock_irq+0x2e/0x50 [ 188.691786][ T5565] ? __x64_sys_getdents64+0x80/0x80 [ 188.697011][ T5565] ? filldir+0x740/0x740 [ 188.701284][ T5565] ? syscall_enter_from_user_mode+0x32/0x230 [ 188.707361][ T5565] ? syscall_enter_from_user_mode+0x8c/0x230 [ 188.713370][ T5565] do_syscall_64+0x41/0xc0 [ 188.717804][ T5565] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 188.723713][ T5565] RIP: 0033:0x7f281a11eab9 [ 188.728134][ T5565] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5567] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5565] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5565] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5565] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5564] exit_group(0 [pid 5565] <... futex resumed>) = ? [pid 5564] <... exit_group resumed>) = ? [pid 5567] <... futex resumed>) = ? [pid 5565] +++ exited with 0 +++ [pid 5567] +++ exited with 0 +++ [pid 5564] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5564, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=32 /* 0.32 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./140", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./140", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./140/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./140/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./140/binderfs") = 0 [ 188.747749][ T5565] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 188.756170][ T5565] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 188.764140][ T5565] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 188.772108][ T5565] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 188.780079][ T5565] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 188.788055][ T5565] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 188.796041][ T5565] umount2("./140/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./140/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./140/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./140/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./140/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./140/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./140") = 0 mkdir("./141", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5568 ./strace-static-x86_64: Process 5568 attached [pid 5568] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5568] chdir("./141") = 0 [pid 5568] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5568] setpgid(0, 0) = 0 [pid 5568] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5568] write(3, "1000", 4) = 4 [pid 5568] close(3) = 0 [pid 5568] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5568] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5568] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5568] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5568] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5569 attached , parent_tid=[5569], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5569 [pid 5568] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5568] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5569] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5569] memfd_create("syzkaller", 0) = 3 [pid 5569] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5569] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5569] munmap(0x7f2811caa000, 16777216) = 0 [pid 5569] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5569] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5569] close(3) = 0 [pid 5569] mkdir("./file0", 0777) = 0 [ 189.186633][ T5569] loop0: detected capacity change from 0 to 32768 [ 189.198401][ T5569] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 189.206900][ T5569] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 189.216672][ T5569] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 189.225525][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 189.232583][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5569] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5569] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5569] chdir("./file0") = 0 [pid 5569] ioctl(4, LOOP_CLR_FD) = 0 [pid 5569] close(4) = 0 [pid 5569] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5568] <... futex resumed>) = 0 [pid 5569] open(".", O_RDONLY [pid 5568] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5569] <... open resumed>) = 4 [pid 5568] <... futex resumed>) = 0 [pid 5569] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5568] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5569] <... futex resumed>) = 0 [pid 5568] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5569] getdents64(4, [pid 5568] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 189.281704][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 49ms [ 189.289318][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 189.294621][ T5569] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 189.308345][ T5569] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 189.317324][ T5569] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 189.317324][ T5569] inode = 12 2341 [pid 5568] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5568] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5568] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5568] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5568] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5571], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5571 [pid 5568] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5568] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5571 attached [pid 5571] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5571] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [ 189.317324][ T5569] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 189.336828][ T5569] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 189.346219][ T5569] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5569 [syz-executor171] iterate_dir+0x228/0x570 [ 189.356606][ T5569] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 189.365406][ T5569] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 189.372700][ T5569] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [pid 5571] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5568] <... futex resumed>) = 0 [pid 5571] <... futex resumed>) = 1 [ 189.381917][ T5569] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 189.388928][ T5569] gfs2: fsid=syz:syz.0: File system withdrawn [ 189.395048][ T5569] CPU: 0 PID: 5569 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 189.405118][ T5569] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 189.415168][ T5569] Call Trace: [ 189.418455][ T5569] [ 189.421411][ T5569] dump_stack_lvl+0x1e7/0x2d0 [ 189.426125][ T5569] ? nf_tcp_handle_invalid+0x650/0x650 [ 189.431594][ T5569] ? panic+0x770/0x770 [ 189.435669][ T5569] ? kobject_uevent_env+0x54e/0x8e0 [ 189.440878][ T5569] gfs2_withdraw+0xf48/0x1550 [ 189.445678][ T5569] ? gfs2_lm+0x240/0x240 [ 189.449954][ T5569] ? gfs2_dirent_scan+0xb2/0x640 [ 189.454903][ T5569] ? panic+0x770/0x770 [ 189.458985][ T5569] ? gfs2_consist_inode_i+0xf5/0x110 [ 189.464307][ T5569] gfs2_dirent_scan+0x512/0x640 [ 189.469189][ T5569] ? gfs2_dirent_scan+0x640/0x640 [ 189.474241][ T5569] gfs2_dir_read+0x82f/0x1af0 [pid 5571] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5568] exit_group(0) = ? [pid 5571] <... futex resumed>) = ? [pid 5571] +++ exited with 0 +++ [ 189.478978][ T5569] ? inode_dio_wait+0x2ad/0x340 [ 189.483849][ T5569] ? inode_owner_or_capable+0x1c0/0x1c0 [ 189.489411][ T5569] ? gfs2_dir_hash_inval+0x80/0x80 [ 189.494529][ T5569] ? _raw_spin_unlock+0x28/0x40 [ 189.499391][ T5569] ? gfs2_glock_nq+0xcbf/0x16c0 [ 189.504312][ T5569] ? inode_go_held+0xea/0x200 [ 189.508998][ T5569] ? gfs2_glock_wait+0x21a/0x2b0 [ 189.513939][ T5569] gfs2_readdir+0x14e/0x1b0 [ 189.518461][ T5569] ? __fdget_pos+0x254/0x2f0 [ 189.523068][ T5569] ? gfs2_fallocate+0x490/0x490 [ 189.527938][ T5569] ? iterate_dir+0x228/0x570 [ 189.532566][ T5569] ? __down_read_common+0x184/0x2c0 [ 189.537784][ T5569] ? iterate_dir+0x10e/0x570 [ 189.542404][ T5569] iterate_dir+0x228/0x570 [ 189.546844][ T5569] ? gfs2_fallocate+0x490/0x490 [ 189.551741][ T5569] __se_sys_getdents64+0x20d/0x4f0 [ 189.556877][ T5569] ? _raw_spin_unlock_irq+0x2e/0x50 [ 189.562078][ T5569] ? __x64_sys_getdents64+0x80/0x80 [ 189.567308][ T5569] ? filldir+0x740/0x740 [ 189.571570][ T5569] ? syscall_enter_from_user_mode+0x32/0x230 [ 189.577600][ T5569] ? syscall_enter_from_user_mode+0x8c/0x230 [ 189.583614][ T5569] do_syscall_64+0x41/0xc0 [ 189.588074][ T5569] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 189.594003][ T5569] RIP: 0033:0x7f281a11eab9 [ 189.598435][ T5569] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 189.618044][ T5569] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5569] <... getdents64 resumed> ) = ? [pid 5569] +++ exited with 0 +++ [pid 5568] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5568, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=32 /* 0.32 s */} --- umount2("./141", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./141", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./141/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./141/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./141/binderfs") = 0 [ 189.626462][ T5569] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 189.634434][ T5569] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 189.642432][ T5569] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 189.650441][ T5569] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 189.658412][ T5569] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 189.666413][ T5569] umount2("./141/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./141/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./141/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./141/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./141/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./141/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./141") = 0 mkdir("./142", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5572 ./strace-static-x86_64: Process 5572 attached [pid 5572] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5572] chdir("./142") = 0 [pid 5572] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5572] setpgid(0, 0) = 0 [pid 5572] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5572] write(3, "1000", 4) = 4 [pid 5572] close(3) = 0 [pid 5572] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5572] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5572] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5572] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5572] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5573 attached , parent_tid=[5573], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5573 [pid 5572] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5572] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5573] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5573] memfd_create("syzkaller", 0) = 3 [pid 5573] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5573] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5573] munmap(0x7f2811caa000, 16777216) = 0 [pid 5573] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5573] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5573] close(3) = 0 [pid 5573] mkdir("./file0", 0777) = 0 [ 190.042949][ T5573] loop0: detected capacity change from 0 to 32768 [ 190.054520][ T5573] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 190.062983][ T5573] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 190.073642][ T5573] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 190.082540][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 190.089721][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5573] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5573] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5573] chdir("./file0") = 0 [pid 5573] ioctl(4, LOOP_CLR_FD) = 0 [pid 5573] close(4) = 0 [pid 5573] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5572] <... futex resumed>) = 0 [pid 5573] <... futex resumed>) = 1 [pid 5572] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5573] open(".", O_RDONLY [pid 5572] <... futex resumed>) = 0 [pid 5572] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5573] <... open resumed>) = 4 [pid 5573] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5572] <... futex resumed>) = 0 [pid 5572] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000 [pid 5573] getdents64(4, [pid 5572] <... futex resumed>) = 0 [ 190.132558][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 42ms [ 190.141513][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 190.146842][ T5573] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 190.181123][ T5573] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 190.189553][ T5573] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 190.189553][ T5573] inode = 12 2341 [ 190.189553][ T5573] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 190.208554][ T5573] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 190.217918][ T5573] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5573 [syz-executor171] iterate_dir+0x228/0x570 [pid 5572] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5572] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5572] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5572] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5572] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5575], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5575 [pid 5572] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5572] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5575 attached [pid 5575] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5575] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5575] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5572] <... futex resumed>) = 0 [pid 5575] <... futex resumed>) = 1 [ 190.228298][ T5573] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 190.237022][ T5573] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 190.244510][ T5573] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 190.253539][ T5573] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 190.260053][ T5573] gfs2: fsid=syz:syz.0: File system withdrawn [ 190.266383][ T5573] CPU: 0 PID: 5573 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 190.276485][ T5573] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 190.286532][ T5573] Call Trace: [ 190.289808][ T5573] [ 190.292732][ T5573] dump_stack_lvl+0x1e7/0x2d0 [ 190.297446][ T5573] ? nf_tcp_handle_invalid+0x650/0x650 [ 190.302911][ T5573] ? panic+0x770/0x770 [ 190.306987][ T5573] ? kobject_uevent_env+0x54e/0x8e0 [ 190.312190][ T5573] gfs2_withdraw+0xf48/0x1550 [ 190.316878][ T5573] ? gfs2_lm+0x240/0x240 [ 190.321114][ T5573] ? gfs2_dirent_scan+0xb2/0x640 [ 190.326045][ T5573] ? panic+0x770/0x770 [ 190.330124][ T5573] ? gfs2_consist_inode_i+0xf5/0x110 [ 190.335412][ T5573] gfs2_dirent_scan+0x512/0x640 [ 190.340260][ T5573] ? gfs2_dirent_scan+0x640/0x640 [ 190.345285][ T5573] gfs2_dir_read+0x82f/0x1af0 [ 190.349967][ T5573] ? inode_dio_wait+0x2ad/0x340 [ 190.354849][ T5573] ? inode_owner_or_capable+0x1c0/0x1c0 [ 190.360401][ T5573] ? gfs2_dir_hash_inval+0x80/0x80 [ 190.365537][ T5573] ? _raw_spin_unlock+0x28/0x40 [ 190.370394][ T5573] ? gfs2_glock_nq+0xcbf/0x16c0 [ 190.375256][ T5573] ? inode_go_held+0xea/0x200 [ 190.379943][ T5573] ? gfs2_glock_wait+0x21a/0x2b0 [ 190.384897][ T5573] gfs2_readdir+0x14e/0x1b0 [ 190.389405][ T5573] ? __fdget_pos+0x254/0x2f0 [ 190.394007][ T5573] ? gfs2_fallocate+0x490/0x490 [ 190.398868][ T5573] ? iterate_dir+0x228/0x570 [ 190.403459][ T5573] ? __down_read_common+0x184/0x2c0 [ 190.408658][ T5573] ? iterate_dir+0x10e/0x570 [ 190.413276][ T5573] iterate_dir+0x228/0x570 [ 190.417705][ T5573] ? gfs2_fallocate+0x490/0x490 [ 190.422564][ T5573] __se_sys_getdents64+0x20d/0x4f0 [ 190.427684][ T5573] ? _raw_spin_unlock_irq+0x2e/0x50 [ 190.432885][ T5573] ? __x64_sys_getdents64+0x80/0x80 [ 190.438086][ T5573] ? filldir+0x740/0x740 [ 190.442336][ T5573] ? syscall_enter_from_user_mode+0x32/0x230 [ 190.448321][ T5573] ? syscall_enter_from_user_mode+0x8c/0x230 [ 190.454302][ T5573] do_syscall_64+0x41/0xc0 [ 190.458752][ T5573] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 190.464656][ T5573] RIP: 0033:0x7f281a11eab9 [ 190.469061][ T5573] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 190.488665][ T5573] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 190.497077][ T5573] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 190.505040][ T5573] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 190.513005][ T5573] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 190.520979][ T5573] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5575] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5573] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5573] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5572] exit_group(0 [pid 5575] <... futex resumed>) = ? [pid 5572] <... exit_group resumed>) = ? [pid 5575] +++ exited with 0 +++ [pid 5573] <... futex resumed>) = ? [pid 5573] +++ exited with 0 +++ [pid 5572] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5572, si_uid=0, si_status=0, si_utime=2 /* 0.02 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./142", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./142", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./142/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./142/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./142/binderfs") = 0 [ 190.528966][ T5573] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 190.536946][ T5573] umount2("./142/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./142/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./142/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./142/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./142/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./142/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./142") = 0 mkdir("./143", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5576 ./strace-static-x86_64: Process 5576 attached [pid 5576] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5576] chdir("./143") = 0 [pid 5576] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5576] setpgid(0, 0) = 0 [pid 5576] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5576] write(3, "1000", 4) = 4 [pid 5576] close(3) = 0 [pid 5576] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5576] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5576] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5576] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5576] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5577 attached , parent_tid=[5577], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5577 [pid 5576] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5576] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5577] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5577] memfd_create("syzkaller", 0) = 3 [pid 5577] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5577] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5577] munmap(0x7f2811caa000, 16777216) = 0 [pid 5577] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5577] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5577] close(3) = 0 [pid 5577] mkdir("./file0", 0777) = 0 [ 190.889666][ T5577] loop0: detected capacity change from 0 to 32768 [ 190.901342][ T5577] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 190.909795][ T5577] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 190.920105][ T5577] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 190.929021][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 190.935956][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5577] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5577] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5577] chdir("./file0") = 0 [pid 5577] ioctl(4, LOOP_CLR_FD) = 0 [pid 5577] close(4) = 0 [pid 5577] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5576] <... futex resumed>) = 0 [pid 5576] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5576] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5577] <... futex resumed>) = 1 [pid 5577] open(".", O_RDONLY) = 4 [pid 5577] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5576] <... futex resumed>) = 0 [pid 5576] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5576] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5577] <... futex resumed>) = 1 [ 190.970381][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 34ms [ 190.978750][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 190.984150][ T5577] gfs2: fsid=syz:syz.0: first mount done, others may mount [pid 5577] getdents64(4, [pid 5576] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 191.014749][ T5577] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 191.023487][ T5577] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 191.023487][ T5577] inode = 12 2341 [ 191.023487][ T5577] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 191.042439][ T5577] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 191.051879][ T5577] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5577 [syz-executor171] iterate_dir+0x228/0x570 [pid 5576] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5576] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5576] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5576] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5579], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5579 [pid 5576] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5576] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5579 attached [pid 5579] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5579] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5579] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5576] <... futex resumed>) = 0 [pid 5579] <... futex resumed>) = 1 [ 191.062018][ T5577] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 191.070715][ T5577] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 191.078082][ T5577] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 191.087045][ T5577] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 191.094825][ T5577] gfs2: fsid=syz:syz.0: File system withdrawn [ 191.101287][ T5577] CPU: 0 PID: 5577 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 191.111371][ T5577] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 191.121433][ T5577] Call Trace: [ 191.124726][ T5577] [ 191.127658][ T5577] dump_stack_lvl+0x1e7/0x2d0 [ 191.132345][ T5577] ? nf_tcp_handle_invalid+0x650/0x650 [ 191.137808][ T5577] ? panic+0x770/0x770 [ 191.141878][ T5577] ? kobject_uevent_env+0x54e/0x8e0 [ 191.147343][ T5577] gfs2_withdraw+0xf48/0x1550 [ 191.152042][ T5577] ? gfs2_lm+0x240/0x240 [ 191.156290][ T5577] ? gfs2_dirent_scan+0xb2/0x640 [ 191.161229][ T5577] ? panic+0x770/0x770 [ 191.165302][ T5577] ? gfs2_consist_inode_i+0xf5/0x110 [ 191.170592][ T5577] gfs2_dirent_scan+0x512/0x640 [ 191.175458][ T5577] ? gfs2_dirent_scan+0x640/0x640 [ 191.180497][ T5577] gfs2_dir_read+0x82f/0x1af0 [ 191.185179][ T5577] ? inode_dio_wait+0x2ad/0x340 [ 191.190032][ T5577] ? inode_owner_or_capable+0x1c0/0x1c0 [ 191.195581][ T5577] ? gfs2_dir_hash_inval+0x80/0x80 [ 191.200707][ T5577] ? _raw_spin_unlock+0x28/0x40 [ 191.205571][ T5577] ? gfs2_glock_nq+0xcbf/0x16c0 [ 191.210434][ T5577] ? inode_go_held+0xea/0x200 [ 191.215110][ T5577] ? gfs2_glock_wait+0x21a/0x2b0 [ 191.220049][ T5577] gfs2_readdir+0x14e/0x1b0 [ 191.224554][ T5577] ? __fdget_pos+0x254/0x2f0 [ 191.229140][ T5577] ? gfs2_fallocate+0x490/0x490 [ 191.233990][ T5577] ? iterate_dir+0x228/0x570 [ 191.238595][ T5577] ? __down_read_common+0x184/0x2c0 [ 191.243808][ T5577] ? iterate_dir+0x10e/0x570 [ 191.248406][ T5577] iterate_dir+0x228/0x570 [ 191.252823][ T5577] ? gfs2_fallocate+0x490/0x490 [ 191.257677][ T5577] __se_sys_getdents64+0x20d/0x4f0 [ 191.262790][ T5577] ? _raw_spin_unlock_irq+0x2e/0x50 [ 191.267990][ T5577] ? __x64_sys_getdents64+0x80/0x80 [ 191.273194][ T5577] ? filldir+0x740/0x740 [ 191.277451][ T5577] ? syscall_enter_from_user_mode+0x32/0x230 [ 191.283426][ T5577] ? syscall_enter_from_user_mode+0x8c/0x230 [ 191.289399][ T5577] do_syscall_64+0x41/0xc0 [ 191.293812][ T5577] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 191.299706][ T5577] RIP: 0033:0x7f281a11eab9 [ 191.304122][ T5577] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 191.323719][ T5577] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 191.332135][ T5577] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 191.340103][ T5577] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 191.348071][ T5577] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 191.356042][ T5577] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [pid 5579] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5577] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5577] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5576] exit_group(0 [pid 5579] <... futex resumed>) = ? [pid 5576] <... exit_group resumed>) = ? [pid 5579] +++ exited with 0 +++ [pid 5577] <... futex resumed>) = ? [pid 5577] +++ exited with 0 +++ [pid 5576] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5576, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=34 /* 0.34 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./143", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./143", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./143/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./143/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./143/binderfs") = 0 [ 191.364010][ T5577] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 191.371989][ T5577] umount2("./143/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./143/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./143/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./143/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./143/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./143/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./143") = 0 mkdir("./144", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5580 ./strace-static-x86_64: Process 5580 attached [pid 5580] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5580] chdir("./144") = 0 [pid 5580] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5580] setpgid(0, 0) = 0 [pid 5580] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5580] write(3, "1000", 4) = 4 [pid 5580] close(3) = 0 [pid 5580] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5580] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5580] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5580] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5580] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5581], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5581 [pid 5580] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5580] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5581 attached [pid 5581] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5581] memfd_create("syzkaller", 0) = 3 [pid 5581] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5581] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5581] munmap(0x7f2811caa000, 16777216) = 0 [pid 5581] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5581] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5581] close(3) = 0 [pid 5581] mkdir("./file0", 0777) = 0 [ 191.736204][ T5581] loop0: detected capacity change from 0 to 32768 [ 191.746933][ T5581] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 191.755142][ T5581] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 191.764385][ T5581] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 191.773151][ T1840] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 191.780405][ T1840] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5581] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5581] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5581] chdir("./file0") = 0 [pid 5581] ioctl(4, LOOP_CLR_FD) = 0 [pid 5581] close(4) = 0 [pid 5581] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5580] <... futex resumed>) = 0 [pid 5580] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5580] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5581] <... futex resumed>) = 1 [pid 5581] open(".", O_RDONLY) = 4 [pid 5581] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5580] <... futex resumed>) = 0 [pid 5580] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5580] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5581] <... futex resumed>) = 1 [ 191.825464][ T1840] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 45ms [ 191.834869][ T1840] gfs2: fsid=syz:syz.0: jid=0: Done [ 191.840358][ T5581] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 191.855523][ T5581] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 191.864583][ T5581] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 191.864583][ T5581] inode = 12 2341 [pid 5581] getdents64(4, [pid 5580] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5580] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5580] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5580] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5580] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5583], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5583 [pid 5580] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5580] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5583 attached [pid 5583] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 191.864583][ T5581] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 191.883755][ T5581] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 191.893116][ T5581] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5581 [syz-executor171] iterate_dir+0x228/0x570 [ 191.903470][ T5581] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 191.909370][ T5583] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5583] open("./file0", O_RDONLY [pid 5580] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 191.912271][ T5581] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 191.921098][ T5583] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 191.936839][ T5581] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 191.936855][ T5581] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 191.945700][ T5583] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5581 [syz-executor171] iterate_dir+0x228/0x570 [ 191.962810][ T5583] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5583 [syz-executor171] __gfs2_lookup+0xa4/0x270 [ 191.965078][ T5581] gfs2: fsid=syz:syz.0: File system withdrawn [ 191.973156][ T5583] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 191.979354][ T5581] CPU: 1 PID: 5581 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 191.997441][ T5581] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 192.007498][ T5581] Call Trace: [ 192.010779][ T5581] [ 192.013706][ T5581] dump_stack_lvl+0x1e7/0x2d0 [ 192.018412][ T5581] ? nf_tcp_handle_invalid+0x650/0x650 [ 192.023909][ T5581] ? panic+0x770/0x770 [ 192.027985][ T5581] ? kobject_uevent_env+0x54e/0x8e0 [ 192.033226][ T5581] gfs2_withdraw+0xf48/0x1550 [ 192.037985][ T5581] ? gfs2_lm+0x240/0x240 [ 192.042263][ T5581] ? gfs2_dirent_scan+0xb2/0x640 [ 192.047209][ T5581] ? panic+0x770/0x770 [ 192.051302][ T5581] ? gfs2_consist_inode_i+0xf5/0x110 [ 192.056622][ T5581] gfs2_dirent_scan+0x512/0x640 [ 192.061508][ T5581] ? gfs2_dirent_scan+0x640/0x640 [ 192.066568][ T5581] gfs2_dir_read+0x82f/0x1af0 [ 192.071294][ T5581] ? inode_dio_wait+0x2ad/0x340 [pid 5580] exit_group(0) = ? [ 192.076173][ T5581] ? inode_owner_or_capable+0x1c0/0x1c0 [ 192.081726][ T5581] ? gfs2_dir_hash_inval+0x80/0x80 [ 192.086855][ T5581] ? _raw_spin_unlock+0x28/0x40 [ 192.091721][ T5581] ? gfs2_glock_nq+0xcbf/0x16c0 [ 192.096603][ T5581] ? inode_go_held+0xea/0x200 [ 192.101299][ T5581] ? gfs2_glock_wait+0x21a/0x2b0 [ 192.106243][ T5581] gfs2_readdir+0x14e/0x1b0 [ 192.110775][ T5581] ? __fdget_pos+0x254/0x2f0 [ 192.115398][ T5581] ? gfs2_fallocate+0x490/0x490 [ 192.120279][ T5581] ? iterate_dir+0x228/0x570 [ 192.124870][ T5581] ? __down_read_common+0x184/0x2c0 [ 192.130067][ T5581] ? iterate_dir+0x10e/0x570 [ 192.134666][ T5581] iterate_dir+0x228/0x570 [ 192.139084][ T5581] ? gfs2_fallocate+0x490/0x490 [ 192.143941][ T5581] __se_sys_getdents64+0x20d/0x4f0 [ 192.149065][ T5581] ? _raw_spin_unlock_irq+0x2e/0x50 [ 192.154283][ T5581] ? __x64_sys_getdents64+0x80/0x80 [ 192.159485][ T5581] ? filldir+0x740/0x740 [ 192.163734][ T5581] ? syscall_enter_from_user_mode+0x32/0x230 [ 192.169726][ T5581] ? syscall_enter_from_user_mode+0x8c/0x230 [ 192.175721][ T5581] do_syscall_64+0x41/0xc0 [ 192.180144][ T5581] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 192.186038][ T5581] RIP: 0033:0x7f281a11eab9 [ 192.190459][ T5581] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 192.210097][ T5581] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 192.218551][ T5581] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [pid 5583] <... open resumed>) = ? [pid 5581] <... getdents64 resumed> ) = ? [pid 5583] +++ exited with 0 +++ [pid 5581] +++ exited with 0 +++ [pid 5580] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5580, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=36 /* 0.36 s */} --- umount2("./144", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./144", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./144/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./144/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./144/binderfs") = 0 [ 192.226552][ T5581] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 192.234527][ T5581] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 192.242512][ T5581] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 192.250502][ T5581] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 192.258491][ T5581] umount2("./144/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./144/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./144/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./144/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./144/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./144/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./144") = 0 mkdir("./145", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5584 ./strace-static-x86_64: Process 5584 attached [pid 5584] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5584] chdir("./145") = 0 [pid 5584] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5584] setpgid(0, 0) = 0 [pid 5584] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5584] write(3, "1000", 4) = 4 [pid 5584] close(3) = 0 [pid 5584] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5584] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5584] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5584] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5584] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5585], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5585 [pid 5584] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5584] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5585 attached [pid 5585] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5585] memfd_create("syzkaller", 0) = 3 [pid 5585] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5585] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5585] munmap(0x7f2811caa000, 16777216) = 0 [pid 5585] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5585] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5585] close(3) = 0 [pid 5585] mkdir("./file0", 0777) = 0 [ 192.651023][ T5585] loop0: detected capacity change from 0 to 32768 [ 192.664010][ T5585] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 192.672503][ T5585] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 192.682256][ T5585] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 192.690955][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 192.698182][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5585] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5585] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5585] chdir("./file0") = 0 [pid 5585] ioctl(4, LOOP_CLR_FD) = 0 [pid 5585] close(4) = 0 [pid 5585] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5584] <... futex resumed>) = 0 [pid 5584] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5584] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5585] <... futex resumed>) = 1 [pid 5585] open(".", O_RDONLY) = 4 [pid 5585] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5584] <... futex resumed>) = 0 [pid 5584] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5584] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5585] <... futex resumed>) = 1 [ 192.736658][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 38ms [ 192.744991][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 192.750260][ T5585] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 192.767983][ T5585] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 192.776638][ T5585] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5585] getdents64(4, [pid 5584] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5584] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5584] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5584] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5584] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5584] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5587], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5587 [pid 5584] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5584] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5587 attached [pid 5587] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5587] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5587] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5584] <... futex resumed>) = 0 [pid 5587] <... futex resumed>) = 1 [ 192.776638][ T5585] inode = 12 2341 [ 192.776638][ T5585] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 192.795811][ T5585] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 192.805222][ T5585] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5585 [syz-executor171] iterate_dir+0x228/0x570 [ 192.815400][ T5585] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 192.824251][ T5585] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 192.831505][ T5585] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 192.840362][ T5585] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 192.847722][ T5585] gfs2: fsid=syz:syz.0: File system withdrawn [ 192.854288][ T5585] CPU: 0 PID: 5585 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 192.864371][ T5585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 192.874430][ T5585] Call Trace: [ 192.877704][ T5585] [ 192.880630][ T5585] dump_stack_lvl+0x1e7/0x2d0 [ 192.885309][ T5585] ? nf_tcp_handle_invalid+0x650/0x650 [ 192.890765][ T5585] ? panic+0x770/0x770 [ 192.894826][ T5585] ? kobject_uevent_env+0x54e/0x8e0 [ 192.900024][ T5585] gfs2_withdraw+0xf48/0x1550 [ 192.904709][ T5585] ? gfs2_lm+0x240/0x240 [ 192.908945][ T5585] ? gfs2_dirent_scan+0xb2/0x640 [ 192.913878][ T5585] ? panic+0x770/0x770 [ 192.917955][ T5585] ? gfs2_consist_inode_i+0xf5/0x110 [ 192.923278][ T5585] gfs2_dirent_scan+0x512/0x640 [ 192.928142][ T5585] ? gfs2_dirent_scan+0x640/0x640 [ 192.933187][ T5585] gfs2_dir_read+0x82f/0x1af0 [ 192.937911][ T5585] ? inode_dio_wait+0x2ad/0x340 [ 192.942796][ T5585] ? inode_owner_or_capable+0x1c0/0x1c0 [ 192.948367][ T5585] ? gfs2_dir_hash_inval+0x80/0x80 [ 192.953488][ T5585] ? _raw_spin_unlock+0x28/0x40 [ 192.958344][ T5585] ? gfs2_glock_nq+0xcbf/0x16c0 [ 192.963220][ T5585] ? inode_go_held+0xea/0x200 [ 192.967901][ T5585] ? gfs2_glock_wait+0x21a/0x2b0 [ 192.972854][ T5585] gfs2_readdir+0x14e/0x1b0 [ 192.977360][ T5585] ? __fdget_pos+0x254/0x2f0 [ 192.982094][ T5585] ? gfs2_fallocate+0x490/0x490 [ 192.986979][ T5585] ? iterate_dir+0x228/0x570 [ 192.991589][ T5585] ? __down_read_common+0x184/0x2c0 [ 192.996798][ T5585] ? iterate_dir+0x10e/0x570 [ 193.001409][ T5585] iterate_dir+0x228/0x570 [ 193.005842][ T5585] ? gfs2_fallocate+0x490/0x490 [ 193.010707][ T5585] __se_sys_getdents64+0x20d/0x4f0 [ 193.015828][ T5585] ? _raw_spin_unlock_irq+0x2e/0x50 [ 193.021032][ T5585] ? __x64_sys_getdents64+0x80/0x80 [ 193.026239][ T5585] ? filldir+0x740/0x740 [ 193.030496][ T5585] ? syscall_enter_from_user_mode+0x32/0x230 [ 193.036490][ T5585] ? syscall_enter_from_user_mode+0x8c/0x230 [ 193.042480][ T5585] do_syscall_64+0x41/0xc0 [ 193.046933][ T5585] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 193.052841][ T5585] RIP: 0033:0x7f281a11eab9 [ 193.057262][ T5585] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 193.076875][ T5585] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [pid 5587] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5585] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5585] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5584] exit_group(0 [pid 5587] <... futex resumed>) = ? [pid 5584] <... exit_group resumed>) = ? [pid 5587] +++ exited with 0 +++ [pid 5585] <... futex resumed>) = ? [pid 5585] +++ exited with 0 +++ [pid 5584] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5584, si_uid=0, si_status=0, si_utime=3 /* 0.03 s */, si_stime=30 /* 0.30 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./145", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./145", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./145/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./145/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./145/binderfs") = 0 [ 193.085311][ T5585] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 193.093282][ T5585] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 193.101252][ T5585] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 193.109486][ T5585] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 193.117456][ T5585] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 193.125443][ T5585] umount2("./145/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./145/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./145/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./145/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./145/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./145/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./145") = 0 mkdir("./146", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5588 ./strace-static-x86_64: Process 5588 attached [pid 5588] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5588] chdir("./146") = 0 [pid 5588] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5588] setpgid(0, 0) = 0 [pid 5588] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5588] write(3, "1000", 4) = 4 [pid 5588] close(3) = 0 [pid 5588] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5588] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5588] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5588] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5588] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5589], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5589 [pid 5588] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5588] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000}./strace-static-x86_64: Process 5589 attached [pid 5589] set_robust_list(0x7f281a0ca9e0, 24) = 0 [pid 5589] memfd_create("syzkaller", 0) = 3 [pid 5589] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [pid 5589] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5589] munmap(0x7f2811caa000, 16777216) = 0 [pid 5589] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5589] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5589] close(3) = 0 [pid 5589] mkdir("./file0", 0777) = 0 [ 193.475774][ T5589] loop0: detected capacity change from 0 to 32768 [ 193.487402][ T5589] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 193.495623][ T5589] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 193.505644][ T5589] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 193.514263][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 193.521048][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5589] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5589] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5589] chdir("./file0") = 0 [pid 5589] ioctl(4, LOOP_CLR_FD) = 0 [pid 5589] close(4) = 0 [pid 5589] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5588] <... futex resumed>) = 0 [pid 5588] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5588] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5589] <... futex resumed>) = 1 [pid 5589] open(".", O_RDONLY) = 4 [pid 5589] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5588] <... futex resumed>) = 0 [pid 5588] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5588] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5589] <... futex resumed>) = 1 [ 193.567544][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 46ms [ 193.575939][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 193.581222][ T5589] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 193.606028][ T5589] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [pid 5589] getdents64(4, [pid 5588] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5588] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5588] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5588] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5588] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5591], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5591 [pid 5588] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5588] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5591 attached [pid 5591] set_robust_list(0x7f2812ca99e0, 24) = 0 [pid 5591] open("./file0", O_RDONLY) = -1 EIO (Input/output error) [pid 5591] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 5588] <... futex resumed>) = 0 [pid 5591] <... futex resumed>) = 1 [ 193.614933][ T5589] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [ 193.614933][ T5589] inode = 12 2341 [ 193.614933][ T5589] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 193.634002][ T5589] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 193.643075][ T5589] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5589 [syz-executor171] iterate_dir+0x228/0x570 [ 193.653118][ T5589] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 193.661899][ T5589] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 193.669177][ T5589] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 193.678087][ T5589] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 193.685285][ T5589] gfs2: fsid=syz:syz.0: File system withdrawn [ 193.691751][ T5589] CPU: 0 PID: 5589 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 193.701816][ T5589] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 193.711862][ T5589] Call Trace: [ 193.715146][ T5589] [ 193.718071][ T5589] dump_stack_lvl+0x1e7/0x2d0 [ 193.722764][ T5589] ? nf_tcp_handle_invalid+0x650/0x650 [ 193.728232][ T5589] ? panic+0x770/0x770 [ 193.732304][ T5589] ? kobject_uevent_env+0x54e/0x8e0 [ 193.737514][ T5589] gfs2_withdraw+0xf48/0x1550 [ 193.742223][ T5589] ? gfs2_lm+0x240/0x240 [ 193.746480][ T5589] ? gfs2_dirent_scan+0xb2/0x640 [ 193.751430][ T5589] ? panic+0x770/0x770 [ 193.755522][ T5589] ? gfs2_consist_inode_i+0xf5/0x110 [ 193.760820][ T5589] gfs2_dirent_scan+0x512/0x640 [ 193.765680][ T5589] ? gfs2_dirent_scan+0x640/0x640 [ 193.770713][ T5589] gfs2_dir_read+0x82f/0x1af0 [ 193.775421][ T5589] ? inode_dio_wait+0x2ad/0x340 [ 193.780287][ T5589] ? inode_owner_or_capable+0x1c0/0x1c0 [ 193.785838][ T5589] ? gfs2_dir_hash_inval+0x80/0x80 [ 193.790953][ T5589] ? _raw_spin_unlock+0x28/0x40 [ 193.795806][ T5589] ? gfs2_glock_nq+0xcbf/0x16c0 [ 193.800674][ T5589] ? inode_go_held+0xea/0x200 [ 193.805379][ T5589] ? gfs2_glock_wait+0x21a/0x2b0 [ 193.810328][ T5589] gfs2_readdir+0x14e/0x1b0 [ 193.814835][ T5589] ? __fdget_pos+0x254/0x2f0 [ 193.819419][ T5589] ? gfs2_fallocate+0x490/0x490 [ 193.824273][ T5589] ? iterate_dir+0x228/0x570 [ 193.828862][ T5589] ? __down_read_common+0x184/0x2c0 [ 193.834070][ T5589] ? iterate_dir+0x10e/0x570 [ 193.838664][ T5589] iterate_dir+0x228/0x570 [ 193.843098][ T5589] ? gfs2_fallocate+0x490/0x490 [ 193.847966][ T5589] __se_sys_getdents64+0x20d/0x4f0 [ 193.853101][ T5589] ? _raw_spin_unlock_irq+0x2e/0x50 [ 193.858306][ T5589] ? __x64_sys_getdents64+0x80/0x80 [ 193.863509][ T5589] ? filldir+0x740/0x740 [ 193.867772][ T5589] ? syscall_enter_from_user_mode+0x32/0x230 [ 193.873762][ T5589] ? syscall_enter_from_user_mode+0x8c/0x230 [ 193.879753][ T5589] do_syscall_64+0x41/0xc0 [ 193.884183][ T5589] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 193.890085][ T5589] RIP: 0033:0x7f281a11eab9 [ 193.894509][ T5589] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 5591] futex(0x7f281a1b57b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5589] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5589] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5589] futex(0x7f281a1b57a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5588] exit_group(0 [pid 5591] <... futex resumed>) = ? [pid 5588] <... exit_group resumed>) = ? [pid 5591] +++ exited with 0 +++ [pid 5589] <... futex resumed>) = ? [pid 5589] +++ exited with 0 +++ [pid 5588] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5588, si_uid=0, si_status=0, si_utime=0, si_stime=31 /* 0.31 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./146", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./146", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(3, 0x5555571fb620 /* 4 entries */, 32768) = 112 umount2("./146/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./146/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0 unlink("./146/binderfs") = 0 [ 193.914123][ T5589] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 193.922532][ T5589] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 193.930496][ T5589] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 193.938471][ T5589] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [ 193.946437][ T5589] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 193.954418][ T5589] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 193.962396][ T5589] umount2("./146/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("./146/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) lstat("./146/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 umount2("./146/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./146/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getdents64(4, 0x555557203660 /* 2 entries */, 32768) = 48 getdents64(4, 0x555557203660 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./146/file0") = 0 getdents64(3, 0x5555571fb620 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./146") = 0 mkdir("./147", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555571fa5d0) = 5592 ./strace-static-x86_64: Process 5592 attached [pid 5592] set_robust_list(0x5555571fa5e0, 24) = 0 [pid 5592] chdir("./147") = 0 [pid 5592] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5592] setpgid(0, 0) = 0 [pid 5592] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5592] write(3, "1000", 4) = 4 [pid 5592] close(3) = 0 [pid 5592] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5592] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5592] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f281a0aa000 [pid 5592] mprotect(0x7f281a0ab000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5592] clone(child_stack=0x7f281a0ca3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 5593 attached , parent_tid=[5593], tls=0x7f281a0ca700, child_tidptr=0x7f281a0ca9d0) = 5593 [pid 5592] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5593] set_robust_list(0x7f281a0ca9e0, 24 [pid 5592] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 5593] <... set_robust_list resumed>) = 0 [pid 5593] memfd_create("syzkaller", 0) = 3 [pid 5593] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2811caa000 [ 194.125412][ T1215] ieee802154 phy0 wpan0: encryption failed: -22 [ 194.131744][ T1215] ieee802154 phy1 wpan1: encryption failed: -22 [pid 5593] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216 [pid 5593] munmap(0x7f2811caa000, 16777216) = 0 [pid 5593] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5593] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5593] close(3) = 0 [pid 5593] mkdir("./file0", 0777) = 0 [ 194.332588][ T5593] loop0: detected capacity change from 0 to 32768 [ 194.343541][ T5593] gfs2: fsid=syz:syz: Trying to join cluster "lock_nolock", "syz:syz" [ 194.352054][ T5593] gfs2: fsid=syz:syz: Now mounting FS (format 1801)... [ 194.362057][ T5593] gfs2: fsid=syz:syz.0: journal 0 mapped with 5 extents in 0ms [ 194.370999][ T7] gfs2: fsid=syz:syz.0: jid=0, already locked for use [ 194.377823][ T7] gfs2: fsid=syz:syz.0: jid=0: Looking at journal... [pid 5593] mount("/dev/loop0", "./file0", "gfs2", MS_RDONLY|MS_SYNCHRONOUS|MS_POSIXACL, "") = 0 [pid 5593] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 5593] chdir("./file0") = 0 [pid 5593] ioctl(4, LOOP_CLR_FD) = 0 [pid 5593] close(4) = 0 [pid 5593] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5592] <... futex resumed>) = 0 [pid 5592] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5592] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5593] <... futex resumed>) = 1 [pid 5593] open(".", O_RDONLY) = 4 [pid 5593] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 5592] <... futex resumed>) = 0 [pid 5592] futex(0x7f281a1b57a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5592] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5593] <... futex resumed>) = 1 [ 194.418236][ T7] gfs2: fsid=syz:syz.0: jid=0: Journal head lookup took 40ms [ 194.425735][ T7] gfs2: fsid=syz:syz.0: jid=0: Done [ 194.430962][ T5593] gfs2: fsid=syz:syz.0: first mount done, others may mount [ 194.447288][ T5593] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 194.458384][ T5593] gfs2: fsid=syz:syz.0: fatal: filesystem consistency error [pid 5593] getdents64(4, [pid 5592] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5592] futex(0x7f281a1b57ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=0}) = -1 ETIMEDOUT (Connection timed out) [pid 5592] futex(0x7f281a1b57bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5592] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f2812c89000 [pid 5592] mprotect(0x7f2812c8a000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5592] clone(child_stack=0x7f2812ca93f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[5595], tls=0x7f2812ca9700, child_tidptr=0x7f2812ca99d0) = 5595 [pid 5592] futex(0x7f281a1b57b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5592] futex(0x7f281a1b57bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5595 attached [pid 5595] set_robust_list(0x7f2812ca99e0, 24) = 0 [ 194.458384][ T5593] inode = 12 2341 [ 194.458384][ T5593] function = gfs2_dirent_scan, file = fs/gfs2/dir.c, line = 602 [ 194.477483][ T5593] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:3 m:20 p:1 [ 194.486793][ T5593] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5593 [syz-executor171] iterate_dir+0x228/0x570 [ 194.498537][ T5593] gfs2: fsid=syz:syz.0: I: n:12/2341 t:4 f:0x00 d:0x00000001 s:3864 p:0 [ 194.500980][ T5595] gfs2: fsid=syz:syz.0: gfs2_dirent_offset: wrong block type 1577058308 [ 194.507891][ T5593] gfs2: fsid=syz:syz.0: about to withdraw this file system [ 194.516175][ T5595] gfs2: fsid=syz:syz.0: G: s:SH n:2/925 f:qob t:SH d:EX/0 a:0 v:0 r:4 m:20 p:1 [ 194.531962][ T5593] gfs2: fsid=syz:syz.0: Journal recovery skipped for jid 0 until next mount. [ 194.531979][ T5593] gfs2: fsid=syz:syz.0: Glock dequeues delayed: 0 [ 194.534011][ T5593] gfs2: fsid=syz:syz.0: File system withdrawn [ 194.541226][ T5595] gfs2: fsid=syz:syz.0: H: s:SH f:H e:0 p:5593 [syz-executor171] iterate_dir+0x228/0x570 [ 194.547942][ T5593] CPU: 1 PID: 5593 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 194.573237][ T5593] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 194.583297][ T5593] Call Trace: [ 194.586583][ T5593] [ 194.589515][ T5593] dump_stack_lvl+0x1e7/0x2d0 [ 194.594211][ T5593] ? nf_tcp_handle_invalid+0x650/0x650 [ 194.599677][ T5593] ? panic+0x770/0x770 [ 194.603745][ T5593] ? kobject_uevent_env+0x54e/0x8e0 [ 194.608951][ T5593] gfs2_withdraw+0xf48/0x1550 [ 194.613644][ T5593] ? gfs2_lm+0x240/0x240 [ 194.617892][ T5593] ? gfs2_dirent_scan+0xb2/0x640 [ 194.622840][ T5593] ? panic+0x770/0x770 [ 194.626914][ T5593] ? gfs2_consist_inode_i+0xf5/0x110 [ 194.632229][ T5593] gfs2_dirent_scan+0x512/0x640 [ 194.637098][ T5593] ? gfs2_dirent_scan+0x640/0x640 [ 194.642129][ T5593] gfs2_dir_read+0x82f/0x1af0 [ 194.646824][ T5593] ? inode_dio_wait+0x2ad/0x340 [ 194.651690][ T5593] ? inode_owner_or_capable+0x1c0/0x1c0 [ 194.657251][ T5593] ? gfs2_dir_hash_inval+0x80/0x80 [ 194.662375][ T5593] ? _raw_spin_unlock+0x28/0x40 [ 194.667231][ T5593] ? gfs2_glock_nq+0xcbf/0x16c0 [ 194.672103][ T5593] ? inode_go_held+0xea/0x200 [ 194.676787][ T5593] ? gfs2_glock_wait+0x21a/0x2b0 [ 194.681743][ T5593] gfs2_readdir+0x14e/0x1b0 [ 194.686258][ T5593] ? __fdget_pos+0x254/0x2f0 [ 194.690858][ T5593] ? gfs2_fallocate+0x490/0x490 [ 194.695729][ T5593] ? iterate_dir+0x228/0x570 [ 194.700333][ T5593] ? __down_read_common+0x184/0x2c0 [ 194.705540][ T5593] ? iterate_dir+0x10e/0x570 [ 194.710156][ T5593] iterate_dir+0x228/0x570 [ 194.714612][ T5593] ? gfs2_fallocate+0x490/0x490 [ 194.719480][ T5593] __se_sys_getdents64+0x20d/0x4f0 [ 194.724608][ T5593] ? _raw_spin_unlock_irq+0x2e/0x50 [ 194.729830][ T5593] ? __x64_sys_getdents64+0x80/0x80 [ 194.735050][ T5593] ? filldir+0x740/0x740 [ 194.739309][ T5593] ? syscall_enter_from_user_mode+0x32/0x230 [ 194.745314][ T5593] ? syscall_enter_from_user_mode+0x8c/0x230 [ 194.751317][ T5593] do_syscall_64+0x41/0xc0 [ 194.755761][ T5593] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 194.761659][ T5593] RIP: 0033:0x7f281a11eab9 [ 194.766076][ T5593] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 194.785678][ T5593] RSP: 002b:00007f281a0ca318 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9 [ 194.794090][ T5593] RAX: ffffffffffffffda RBX: 00007f281a1b57a8 RCX: 00007f281a11eab9 [ 194.802060][ T5593] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 [ 194.810024][ T5593] RBP: 00007f281a1b57a0 R08: 0000000000000000 R09: 0000000000000000 [pid 5595] open("./file0", O_RDONLY [pid 5592] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 5593] <... getdents64 resumed>NULL, 0) = -1 EIO (Input/output error) [pid 5593] futex(0x7f281a1b57ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 194.818000][ T5593] R10: 0000000000000000 R11: 0000000000000246 R12: 0030656c69662f2e [ 194.825972][ T5593] R13: 00007ffe3f30c9ef R14: 00007f281a0ca400 R15: 0000000000022000 [ 194.833953][ T5593] [ 194.838473][ T5595] ================================================================== [ 194.846559][ T5595] BUG: KASAN: stack-out-of-bounds in gfs2_dump_glock+0x14b3/0x1ad0 [ 194.854496][ T5595] Read of size 8 at addr ffffc9000462fcc0 by task syz-executor171/5595 [ 194.862720][ T5595] [ 194.865032][ T5595] CPU: 0 PID: 5595 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 194.875089][ T5595] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 194.885157][ T5595] Call Trace: [ 194.888452][ T5595] [ 194.891391][ T5595] dump_stack_lvl+0x1e7/0x2d0 [ 194.896084][ T5595] ? irq_work_queue+0xca/0x150 [ 194.900852][ T5595] ? nf_tcp_handle_invalid+0x650/0x650 [ 194.906308][ T5595] ? panic+0x770/0x770 [ 194.910372][ T5595] ? _printk+0xd5/0x120 [ 194.914533][ T5595] print_report+0x163/0x540 [ 194.919058][ T5595] ? __virt_addr_valid+0xbd/0x2e0 [ 194.924088][ T5595] ? gfs2_dump_glock+0x14b3/0x1ad0 [ 194.929242][ T5595] kasan_report+0x176/0x1b0 [ 194.933747][ T5595] ? gfs2_dump_glock+0x14b3/0x1ad0 [ 194.938869][ T5595] gfs2_dump_glock+0x14b3/0x1ad0 [ 194.943804][ T5595] ? gfs2_glock_free+0xe60/0xe60 [ 194.948754][ T5595] ? preempt_schedule+0xdd/0xf0 [ 194.953627][ T5595] ? gfs2_dirent_scan+0xb2/0x640 [ 194.958554][ T5595] ? panic+0x770/0x770 [ 194.962617][ T5595] gfs2_consist_inode_i+0xf5/0x110 [ 194.967733][ T5595] gfs2_dirent_scan+0x512/0x640 [ 194.972583][ T5595] ? gfs2_permission+0x268/0x3c0 [ 194.977528][ T5595] ? gfs2_dirent_search+0x8c0/0x8c0 [ 194.982734][ T5595] gfs2_dirent_search+0x30e/0x8c0 [ 194.987756][ T5595] ? gfs2_dirent_search+0x8c0/0x8c0 [ 194.992953][ T5595] ? generic_permission+0x1df/0x550 [ 194.998150][ T5595] ? gfs2_dir_search+0x2f0/0x2f0 [ 195.003086][ T5595] ? gfs2_permission+0x34a/0x3c0 [ 195.008054][ T5595] gfs2_dir_search+0xb2/0x2f0 [ 195.012729][ T5595] ? do_filldir_main+0x520/0x520 [ 195.017660][ T5595] ? inode_go_held+0xea/0x200 [ 195.022351][ T5595] ? gfs2_glock_wait+0x21a/0x2b0 [ 195.027311][ T5595] gfs2_lookupi+0x460/0x5d0 [ 195.031824][ T5595] ? gfs2_lookup_simple+0x180/0x180 [ 195.037029][ T5595] ? __gfs2_lookup+0xa4/0x270 [ 195.041705][ T5595] __gfs2_lookup+0xa4/0x270 [ 195.046229][ T5595] ? gfs2_atomic_open+0x230/0x230 [ 195.051254][ T5595] ? __d_lookup+0x675/0x730 [ 195.055761][ T5595] ? d_hash_and_lookup+0x1b0/0x1b0 [ 195.060891][ T5595] gfs2_atomic_open+0x9e/0x230 [ 195.065646][ T5595] path_openat+0x103c/0x3170 [ 195.070232][ T5595] ? gfs2_rename2+0x25a0/0x25a0 [ 195.075082][ T5595] ? do_filp_open+0x490/0x490 [ 195.079775][ T5595] do_filp_open+0x234/0x490 [ 195.084274][ T5595] ? vfs_tmpfile+0x4a0/0x4a0 [ 195.088866][ T5595] ? _raw_spin_unlock+0x28/0x40 [ 195.093710][ T5595] ? alloc_fd+0x59c/0x640 [ 195.098052][ T5595] do_sys_openat2+0x13f/0x500 [ 195.102734][ T5595] ? print_irqtrace_events+0x220/0x220 [ 195.108198][ T5595] ? do_sys_open+0x230/0x230 [ 195.112792][ T5595] ? lockdep_hardirqs_on+0x98/0x140 [ 195.117987][ T5595] ? _raw_spin_unlock_irq+0x2e/0x50 [ 195.123183][ T5595] ? ptrace_notify+0x278/0x380 [ 195.127955][ T5595] __x64_sys_open+0x225/0x270 [ 195.132633][ T5595] ? do_sys_openat2+0x500/0x500 [ 195.137532][ T5595] ? syscall_enter_from_user_mode+0x32/0x230 [ 195.143543][ T5595] ? syscall_enter_from_user_mode+0x8c/0x230 [ 195.149524][ T5595] do_syscall_64+0x41/0xc0 [ 195.153943][ T5595] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 195.159864][ T5595] RIP: 0033:0x7f281a11eab9 [ 195.164277][ T5595] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 195.183877][ T5595] RSP: 002b:00007f2812ca9318 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 195.192283][ T5595] RAX: ffffffffffffffda RBX: 00007f281a1b57b8 RCX: 00007f281a11eab9 [ 195.200245][ T5595] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200025c0 [ 195.208210][ T5595] RBP: 00007f281a1b57b0 R08: 00007f2812ca9700 R09: 0000000000000000 [ 195.216178][ T5595] R10: 00007f2812ca9700 R11: 0000000000000246 R12: 0030656c69662f2e [ 195.224171][ T5595] R13: 00007ffe3f30c9ef R14: 00007f2812ca9400 R15: 0000000000022000 [ 195.232254][ T5595] [ 195.235268][ T5595] [ 195.237601][ T5595] The buggy address belongs to the virtual mapping at [ 195.237601][ T5595] [ffffc90004628000, ffffc90004631000) created by: [ 195.237601][ T5595] copy_process+0x5c8/0x42f0 [ 195.255227][ T5595] [ 195.257547][ T5595] The buggy address belongs to the physical page: [ 195.263967][ T5595] page:ffffea0000878840 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21e21 [ 195.274109][ T5595] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 195.281215][ T5595] page_type: 0xffffffff() [ 195.285538][ T5595] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 195.294108][ T5595] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 195.302669][ T5595] page dumped because: kasan: bad access detected [ 195.309067][ T5595] page_owner tracks the page as allocated [ 195.314764][ T5595] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5528, tgid 5528 (syz-executor171), ts 180831089462, free_ts 180333438413 [ 195.334369][ T5595] post_alloc_hook+0x1e6/0x210 [ 195.339129][ T5595] get_page_from_freelist+0x321c/0x33a0 [ 195.344666][ T5595] __alloc_pages+0x255/0x670 [ 195.349250][ T5595] __vmalloc_node_range+0x9ab/0x14e0 [ 195.354531][ T5595] dup_task_struct+0x3e5/0x7d0 [ 195.359291][ T5595] copy_process+0x5c8/0x42f0 [ 195.363877][ T5595] kernel_clone+0x222/0x800 [ 195.368378][ T5595] __x64_sys_clone+0x258/0x2a0 [ 195.373138][ T5595] do_syscall_64+0x41/0xc0 [ 195.377550][ T5595] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 195.383453][ T5595] page last free stack trace: [ 195.388112][ T5595] free_unref_page_prepare+0x903/0xa30 [ 195.393566][ T5595] free_unref_page_list+0x596/0x830 [ 195.398769][ T5595] release_pages+0x2193/0x2470 [ 195.403523][ T5595] __pagevec_release+0x84/0x100 [ 195.408388][ T5595] truncate_inode_pages_range+0x45d/0x11b0 [ 195.414190][ T5595] blkdev_flush_mapping+0x15a/0x2b0 [ 195.419386][ T5595] blkdev_put+0x4b8/0x750 [ 195.423710][ T5595] deactivate_locked_super+0xa4/0x110 [ 195.429070][ T5595] cleanup_mnt+0x426/0x4c0 [ 195.433477][ T5595] task_work_run+0x24a/0x300 [ 195.438055][ T5595] ptrace_notify+0x2cd/0x380 [ 195.442635][ T5595] syscall_exit_to_user_mode+0x157/0x280 [ 195.448257][ T5595] do_syscall_64+0x4d/0xc0 [ 195.452672][ T5595] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 195.458556][ T5595] [ 195.460866][ T5595] Memory state around the buggy address: [ 195.466483][ T5595] ffffc9000462fb80: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 [ 195.474533][ T5595] ffffc9000462fc00: 00 f2 f2 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00 00 [ 195.482576][ T5595] >ffffc9000462fc80: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 [ 195.490638][ T5595] ^ [ 195.496779][ T5595] ffffc9000462fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 195.504825][ T5595] ffffc9000462fd80: f1 f1 f1 f1 04 f3 f3 f3 00 00 00 00 00 00 00 00 [ 195.512872][ T5595] ================================================================== [ 195.522227][ T5595] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 195.529441][ T5595] CPU: 0 PID: 5595 Comm: syz-executor171 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0 [ 195.539517][ T5595] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023 [ 195.549564][ T5595] Call Trace: [ 195.552831][ T5595] [ 195.555757][ T5595] dump_stack_lvl+0x1e7/0x2d0 [ 195.560436][ T5595] ? nf_tcp_handle_invalid+0x650/0x650 [ 195.565893][ T5595] ? panic+0x770/0x770 [ 195.569955][ T5595] ? preempt_schedule_common+0x83/0xc0 [ 195.575413][ T5595] ? vscnprintf+0x5d/0x80 [ 195.579737][ T5595] panic+0x30f/0x770 [ 195.583630][ T5595] ? check_panic_on_warn+0x21/0xa0 [ 195.588752][ T5595] ? __memcpy_flushcache+0x2b0/0x2b0 [ 195.594046][ T5595] ? _raw_spin_unlock_irqrestore+0x12c/0x140 [ 195.600018][ T5595] ? _raw_spin_unlock+0x40/0x40 [ 195.604880][ T5595] ? print_report+0x4fb/0x540 [ 195.609553][ T5595] check_panic_on_warn+0x82/0xa0 [ 195.614489][ T5595] ? gfs2_dump_glock+0x14b3/0x1ad0 [ 195.619596][ T5595] end_report+0x63/0x110 [ 195.623842][ T5595] kasan_report+0x183/0x1b0 [ 195.628360][ T5595] ? gfs2_dump_glock+0x14b3/0x1ad0 [ 195.633494][ T5595] gfs2_dump_glock+0x14b3/0x1ad0 [ 195.638441][ T5595] ? gfs2_glock_free+0xe60/0xe60 [ 195.643399][ T5595] ? preempt_schedule+0xdd/0xf0 [ 195.648270][ T5595] ? gfs2_dirent_scan+0xb2/0x640 [ 195.653219][ T5595] ? panic+0x770/0x770 [ 195.657294][ T5595] gfs2_consist_inode_i+0xf5/0x110 [ 195.662415][ T5595] gfs2_dirent_scan+0x512/0x640 [ 195.667267][ T5595] ? gfs2_permission+0x268/0x3c0 [ 195.672217][ T5595] ? gfs2_dirent_search+0x8c0/0x8c0 [ 195.677422][ T5595] gfs2_dirent_search+0x30e/0x8c0 [ 195.682458][ T5595] ? gfs2_dirent_search+0x8c0/0x8c0 [ 195.687682][ T5595] ? generic_permission+0x1df/0x550 [ 195.692885][ T5595] ? gfs2_dir_search+0x2f0/0x2f0 [ 195.697826][ T5595] ? gfs2_permission+0x34a/0x3c0 [ 195.702779][ T5595] gfs2_dir_search+0xb2/0x2f0 [ 195.707468][ T5595] ? do_filldir_main+0x520/0x520 [ 195.712404][ T5595] ? inode_go_held+0xea/0x200 [ 195.717079][ T5595] ? gfs2_glock_wait+0x21a/0x2b0 [ 195.722022][ T5595] gfs2_lookupi+0x460/0x5d0 [ 195.726535][ T5595] ? gfs2_lookup_simple+0x180/0x180 [ 195.731745][ T5595] ? __gfs2_lookup+0xa4/0x270 [ 195.736420][ T5595] __gfs2_lookup+0xa4/0x270 [ 195.740916][ T5595] ? gfs2_atomic_open+0x230/0x230 [ 195.745933][ T5595] ? __d_lookup+0x675/0x730 [ 195.750438][ T5595] ? d_hash_and_lookup+0x1b0/0x1b0 [ 195.755554][ T5595] gfs2_atomic_open+0x9e/0x230 [ 195.760313][ T5595] path_openat+0x103c/0x3170 [ 195.764910][ T5595] ? gfs2_rename2+0x25a0/0x25a0 [ 195.769763][ T5595] ? do_filp_open+0x490/0x490 [ 195.774448][ T5595] do_filp_open+0x234/0x490 [ 195.778948][ T5595] ? vfs_tmpfile+0x4a0/0x4a0 [ 195.783542][ T5595] ? _raw_spin_unlock+0x28/0x40 [ 195.788390][ T5595] ? alloc_fd+0x59c/0x640 [ 195.792732][ T5595] do_sys_openat2+0x13f/0x500 [ 195.797408][ T5595] ? print_irqtrace_events+0x220/0x220 [ 195.802864][ T5595] ? do_sys_open+0x230/0x230 [ 195.807451][ T5595] ? lockdep_hardirqs_on+0x98/0x140 [ 195.812647][ T5595] ? _raw_spin_unlock_irq+0x2e/0x50 [ 195.817843][ T5595] ? ptrace_notify+0x278/0x380 [ 195.822608][ T5595] __x64_sys_open+0x225/0x270 [ 195.827283][ T5595] ? do_sys_openat2+0x500/0x500 [ 195.832139][ T5595] ? syscall_enter_from_user_mode+0x32/0x230 [ 195.838123][ T5595] ? syscall_enter_from_user_mode+0x8c/0x230 [ 195.844105][ T5595] do_syscall_64+0x41/0xc0 [ 195.848528][ T5595] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 195.854435][ T5595] RIP: 0033:0x7f281a11eab9 [ 195.858845][ T5595] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 195.878447][ T5595] RSP: 002b:00007f2812ca9318 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 195.886869][ T5595] RAX: ffffffffffffffda RBX: 00007f281a1b57b8 RCX: 00007f281a11eab9 [ 195.894845][ T5595] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200025c0 [ 195.902815][ T5595] RBP: 00007f281a1b57b0 R08: 00007f2812ca9700 R09: 0000000000000000 [ 195.910786][ T5595] R10: 00007f2812ca9700 R11: 0000000000000246 R12: 0030656c69662f2e [ 195.918757][ T5595] R13: 00007ffe3f30c9ef R14: 00007f2812ca9400 R15: 0000000000022000 [ 195.926756][ T5595] [ 195.930086][ T5595] Kernel Offset: disabled [ 195.934427][ T5595] Rebooting in 86400 seconds..