./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2244524369 <...> Warning: Permanently added '10.128.1.55' (ED25519) to the list of known hosts. execve("./syz-executor2244524369", ["./syz-executor2244524369"], 0x7ffd7013c9d0 /* 10 vars */) = 0 brk(NULL) = 0x55555566f000 brk(0x55555566fd00) = 0x55555566fd00 arch_prctl(ARCH_SET_FS, 0x55555566f380) = 0 set_tid_address(0x55555566f650) = 293 set_robust_list(0x55555566f660, 24) = 0 rseq(0x55555566fca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2244524369", 4096) = 28 getrandom("\x42\xf6\x14\x7f\xda\x04\x34\x3a", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555566fd00 brk(0x555555690d00) = 0x555555690d00 brk(0x555555691000) = 0x555555691000 mprotect(0x7facb78ea000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 293 openat(AT_FDCWD, "/sys/kernel/debug/x86/nmi_longest_ns", O_WRONLY|O_CLOEXEC) = 3 write(3, "10000000000", 11) = 11 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/hung_task_check_interval_secs", O_WRONLY|O_CLOEXEC) = 3 write(3, "20", 2) = 2 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_kallsyms", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/net/core/bpf_jit_harden", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/kptr_restrict", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/softlockup_all_cpu_backtrace", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 write(3, "100", 3) = 3 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_dump_tasks", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/debug/exception-trace", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/printk", O_WRONLY|O_CLOEXEC) = 3 write(3, "7 4 1 3", 7) = 7 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/keys/gc_delay", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/vm/oom_kill_allocating_task", O_WRONLY|O_CLOEXEC) = 3 write(3, "1", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/ctrl-alt-del", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/proc/sys/kernel/cad_pid", O_WRONLY|O_CLOEXEC) = 3 write(3, "293", 3) = 3 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555566f650) = 294 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 294 attached ./strace-static-x86_64: Process 295 attached , child_tidptr=0x55555566f650) = 295 [pid 293] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 295] set_robust_list(0x55555566f660, 24 [pid 294] set_robust_list(0x55555566f660, 24./strace-static-x86_64: Process 296 attached [pid 293] <... clone resumed>, child_tidptr=0x55555566f650) = 296 [pid 293] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 296] set_robust_list(0x55555566f660, 24 [pid 295] <... set_robust_list resumed>) = 0 [pid 294] <... set_robust_list resumed>) = 0 ./strace-static-x86_64: Process 297 attached [pid 293] <... clone resumed>, child_tidptr=0x55555566f650) = 297 [pid 296] <... set_robust_list resumed>) = 0 [pid 295] mkdir("./syzkaller.iTibHI", 0700 [pid 293] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 294] mkdir("./syzkaller.taTGB0", 0700 [pid 296] mkdir("./syzkaller.4zVUHq", 0700 [pid 293] <... clone resumed>, child_tidptr=0x55555566f650) = 298 [pid 295] <... mkdir resumed>) = 0 ./strace-static-x86_64: Process 298 attached [pid 294] <... mkdir resumed>) = 0 [pid 298] set_robust_list(0x55555566f660, 24) = 0 [pid 296] <... mkdir resumed>) = 0 [pid 297] set_robust_list(0x55555566f660, 24 [pid 295] chmod("./syzkaller.iTibHI", 0777 [pid 294] chmod("./syzkaller.taTGB0", 0777 [pid 298] mkdir("./syzkaller.eqFovc", 0700 [pid 294] <... chmod resumed>) = 0 [pid 294] chdir("./syzkaller.taTGB0" [pid 296] chmod("./syzkaller.4zVUHq", 0777 [pid 294] <... chdir resumed>) = 0 [pid 294] mkdir("./0", 0777 [pid 296] <... chmod resumed>) = 0 [pid 298] <... mkdir resumed>) = 0 [pid 297] <... set_robust_list resumed>) = 0 [pid 296] chdir("./syzkaller.4zVUHq" [pid 295] <... chmod resumed>) = 0 [pid 298] chmod("./syzkaller.eqFovc", 0777 [pid 294] <... mkdir resumed>) = 0 [pid 294] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 298] <... chmod resumed>) = 0 [pid 297] mkdir("./syzkaller.WPEpDI", 0700 [pid 296] <... chdir resumed>) = 0 [pid 295] chdir("./syzkaller.iTibHI" [pid 296] mkdir("./0", 0777 [pid 295] <... chdir resumed>) = 0 [pid 296] <... mkdir resumed>) = 0 [pid 295] mkdir("./0", 0777 [pid 296] openat(AT_FDCWD, "/dev/loop2", O_RDWR [pid 295] <... mkdir resumed>) = 0 [pid 296] <... openat resumed>) = 3 [pid 295] openat(AT_FDCWD, "/dev/loop1", O_RDWR [pid 296] ioctl(3, LOOP_CLR_FD [pid 295] <... openat resumed>) = 3 [pid 296] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 295] ioctl(3, LOOP_CLR_FD [pid 296] close(3 [pid 295] <... ioctl resumed>) = -1 ENXIO (No such device or address) [pid 296] <... close resumed>) = 0 [pid 295] close(3 [pid 296] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 295] <... close resumed>) = 0 [pid 295] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 296] <... clone resumed>, child_tidptr=0x55555566f650) = 299 [pid 295] <... clone resumed>, child_tidptr=0x55555566f650) = 300 [pid 298] chdir("./syzkaller.eqFovc") = 0 [pid 298] mkdir("./0", 0777 [pid 297] <... mkdir resumed>) = 0 [pid 298] <... mkdir resumed>) = 0 [pid 297] chmod("./syzkaller.WPEpDI", 0777) = 0 [pid 297] chdir("./syzkaller.WPEpDI") = 0 [pid 298] openat(AT_FDCWD, "/dev/loop4", O_RDWR [pid 297] mkdir("./0", 0777 [pid 298] <... openat resumed>) = 3 [pid 298] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 298] close(3) = 0 [pid 297] <... mkdir resumed>) = 0 [pid 298] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 297] openat(AT_FDCWD, "/dev/loop3", O_RDWR) = 3 [pid 297] ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) [pid 297] close(3) = 0 [pid 297] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 298] <... clone resumed>, child_tidptr=0x55555566f650) = 301 [pid 297] <... clone resumed>, child_tidptr=0x55555566f650) = 302 [pid 294] <... openat resumed>) = 3 ./strace-static-x86_64: Process 302 attached [pid 302] set_robust_list(0x55555566f660, 24) = 0 [pid 302] chdir("./0") = 0 [pid 302] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 302] setpgid(0, 0) = 0 [pid 302] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 302] write(3, "1000", 4) = 4 [pid 302] close(3) = 0 [pid 302] symlink("/dev/binderfs", "./binderfs") = 0 [pid 302] memfd_create("syzkaller", 0) = 3 [pid 302] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7facaf435000 [pid 302] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576 [pid 302] munmap(0x7facaf435000, 138412032) = 0 [ 19.917346][ T28] audit: type=1400 audit(1713173633.261:66): avc: denied { execmem } for pid=293 comm="syz-executor224" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 19.932794][ T28] audit: type=1400 audit(1713173633.281:67): avc: denied { read write } for pid=294 comm="syz-executor224" name="loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [pid 302] openat(AT_FDCWD, "/dev/loop3", O_RDWR) = 4 [pid 302] ioctl(4, LOOP_SET_FD, 3 [pid 294] ioctl(3, LOOP_CLR_FD./strace-static-x86_64: Process 301 attached ./strace-static-x86_64: Process 300 attached ./strace-static-x86_64: Process 299 attached ) = -1 ENXIO (No such device or address) [pid 301] set_robust_list(0x55555566f660, 24 [pid 300] set_robust_list(0x55555566f660, 24 [pid 299] set_robust_list(0x55555566f660, 24 [pid 294] close(3 [pid 301] <... set_robust_list resumed>) = 0 [pid 300] <... set_robust_list resumed>) = 0 [pid 299] <... set_robust_list resumed>) = 0 [pid 299] chdir("./0" [pid 294] <... close resumed>) = 0 [pid 300] chdir("./0" [pid 301] chdir("./0" [pid 300] <... chdir resumed>) = 0 [pid 299] <... chdir resumed>) = 0 [pid 294] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 301] <... chdir resumed>) = 0 [pid 300] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 299] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 300] <... prctl resumed>) = 0 [pid 301] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 294] <... clone resumed>, child_tidptr=0x55555566f650) = 304 [pid 301] <... prctl resumed>) = 0 [pid 300] setpgid(0, 0 [pid 299] setpgid(0, 0 [pid 301] setpgid(0, 0 [pid 300] <... setpgid resumed>) = 0 [pid 299] <... setpgid resumed>) = 0 [pid 301] <... setpgid resumed>) = 0 [pid 300] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 299] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 301] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 300] <... openat resumed>) = 3 [pid 299] write(3, "1000", 4 [pid 300] write(3, "1000", 4 [pid 301] <... openat resumed>) = 3 [pid 300] <... write resumed>) = 4 [pid 299] <... write resumed>) = 4 [pid 301] write(3, "1000", 4 [pid 300] close(3 [pid 299] close(3 [pid 300] <... close resumed>) = 0 [pid 301] <... write resumed>) = 4 [pid 300] symlink("/dev/binderfs", "./binderfs" [pid 299] <... close resumed>) = 0 [pid 299] symlink("/dev/binderfs", "./binderfs") = 0 [pid 301] close(3 [pid 300] <... symlink resumed>) = 0 [pid 299] memfd_create("syzkaller", 0 [pid 300] memfd_create("syzkaller", 0 [pid 301] <... close resumed>) = 0 [pid 299] <... memfd_create resumed>) = 3 [pid 299] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 300] <... memfd_create resumed>) = 3 [pid 301] symlink("/dev/binderfs", "./binderfs" [pid 300] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0 [pid 299] <... mmap resumed>) = 0x7facaf435000 [pid 300] <... mmap resumed>) = 0x7facaf435000 [pid 301] <... symlink resumed>) = 0 [pid 301] memfd_create("syzkaller", 0 [pid 302] <... ioctl resumed>) = 0 [pid 302] close(3) = 0 [pid 301] <... memfd_create resumed>) = 3 [pid 301] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7facaf435000 [pid 302] close(4) = 0 [pid 302] mkdir("./file0", 0777) = 0 [pid 302] mount("/dev/loop3", "./file0", "ext4", MS_DIRSYNC|MS_NOATIME|MS_LAZYTIME, ",errors=continue"./strace-static-x86_64: Process 304 attached [pid 301] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576 [pid 300] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576 [pid 299] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576 [pid 304] set_robust_list(0x55555566f660, 24 [pid 301] <... write resumed>) = 1048576 [ 19.943891][ T28] audit: type=1400 audit(1713173633.281:68): avc: denied { open } for pid=296 comm="syz-executor224" path="/dev/loop2" dev="devtmpfs" ino=116 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 19.959693][ T302] loop3: detected capacity change from 0 to 2048 [ 19.987309][ T28] audit: type=1400 audit(1713173633.281:69): avc: denied { ioctl } for pid=296 comm="syz-executor224" path="/dev/loop2" dev="devtmpfs" ino=116 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [pid 304] <... set_robust_list resumed>) = 0 [pid 301] munmap(0x7facaf435000, 138412032 [pid 300] <... write resumed>) = 1048576 [pid 299] <... write resumed>) = 1048576 [pid 304] chdir("./0") = 0 [pid 304] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 304] setpgid(0, 0) = 0 [pid 304] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 304] write(3, "1000", 4) = 4 [pid 304] close(3) = 0 [pid 304] symlink("/dev/binderfs", "./binderfs") = 0 [pid 304] memfd_create("syzkaller", 0) = 3 [pid 304] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7facaf435000 [pid 304] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576 [pid 299] munmap(0x7facaf435000, 138412032) = 0 [pid 301] <... munmap resumed>) = 0 [pid 300] munmap(0x7facaf435000, 138412032) = 0 [pid 299] openat(AT_FDCWD, "/dev/loop2", O_RDWR [pid 301] openat(AT_FDCWD, "/dev/loop4", O_RDWR [pid 299] <... openat resumed>) = 4 [pid 301] <... openat resumed>) = 4 [pid 301] ioctl(4, LOOP_SET_FD, 3 [pid 299] ioctl(4, LOOP_SET_FD, 3 [pid 304] <... write resumed>) = 1048576 [pid 300] openat(AT_FDCWD, "/dev/loop1", O_RDWR [pid 299] <... ioctl resumed>) = 0 [pid 304] munmap(0x7facaf435000, 138412032) = 0 [pid 299] close(3) = 0 [pid 299] close(4 [pid 304] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 301] <... ioctl resumed>) = 0 [pid 300] <... openat resumed>) = 4 [pid 299] <... close resumed>) = 0 [pid 304] <... openat resumed>) = 4 [pid 300] ioctl(4, LOOP_SET_FD, 3 [pid 304] ioctl(4, LOOP_SET_FD, 3 [pid 301] close(3 [ 20.019091][ T28] audit: type=1400 audit(1713173633.331:70): avc: denied { mounton } for pid=302 comm="syz-executor224" path="/root/syzkaller.WPEpDI/0/file0" dev="sda1" ino=1941 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 20.028031][ T301] loop4: detected capacity change from 0 to 2048 [ 20.028387][ T299] loop2: detected capacity change from 0 to 2048 [ 20.058081][ T300] loop1: detected capacity change from 0 to 2048 [pid 299] mkdir("./file0", 0777 [pid 300] <... ioctl resumed>) = 0 [pid 301] <... close resumed>) = 0 [pid 300] close(3 [pid 299] <... mkdir resumed>) = 0 [pid 304] <... ioctl resumed>) = 0 [pid 304] close(3) = 0 [pid 304] close(4) = 0 [pid 304] mkdir("./file0", 0777) = 0 [pid 304] mount("/dev/loop0", "./file0", "ext4", MS_DIRSYNC|MS_NOATIME|MS_LAZYTIME, ",errors=continue" [pid 301] close(4) = 0 [pid 301] mkdir("./file0", 0777) = 0 [pid 301] mount("/dev/loop4", "./file0", "ext4", MS_DIRSYNC|MS_NOATIME|MS_LAZYTIME, ",errors=continue" [pid 300] <... close resumed>) = 0 [pid 300] close(4) = 0 [pid 300] mkdir("./file0", 0777) = 0 [pid 300] mount("/dev/loop1", "./file0", "ext4", MS_DIRSYNC|MS_NOATIME|MS_LAZYTIME, ",errors=continue" [pid 299] mount("/dev/loop2", "./file0", "ext4", MS_DIRSYNC|MS_NOATIME|MS_LAZYTIME, ",errors=continue" [pid 302] <... mount resumed>) = 0 [pid 302] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 302] chdir("./file0") = 0 [pid 302] openat(AT_FDCWD, "/dev/loop3", O_RDWR) = 4 [pid 302] ioctl(4, LOOP_CLR_FD) = 0 [pid 302] close(4) = 0 [ 20.061376][ T304] loop0: detected capacity change from 0 to 2048 [ 20.071703][ T302] EXT4-fs (loop3): mounted filesystem without journal. Quota mode: none. [ 20.080415][ T28] audit: type=1400 audit(1713173633.431:71): avc: denied { mount } for pid=302 comm="syz-executor224" name="/" dev="loop3" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [pid 302] chdir("./file0") = 0 [ 20.114177][ T301] EXT4-fs (loop4): mounted filesystem without journal. Quota mode: none. [ 20.117179][ T28] audit: type=1400 audit(1713173633.461:72): avc: denied { write } for pid=302 comm="syz-executor224" name="file0" dev="loop3" ino=12 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 20.123757][ T299] EXT4-fs (loop2): mounted filesystem without journal. Quota mode: none. [pid 302] creat("./bus", 000 [pid 301] <... mount resumed>) = 0 [pid 301] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 301] chdir("./file0") = 0 [pid 301] openat(AT_FDCWD, "/dev/loop4", O_RDWR) = 4 [pid 301] ioctl(4, LOOP_CLR_FD) = 0 [pid 301] close(4) = 0 [pid 301] chdir("./file0") = 0 [pid 301] creat("./bus", 000) = 4 [pid 301] openat(AT_FDCWD, "memory.swap.events", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5 [pid 301] mount("/dev/loop4", "./bus", NULL, MS_BIND, NULL) = 0 [pid 301] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_DIRECT|O_CLOEXEC) = 6 [pid 301] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 6, 0) = 0x20000000 [pid 302] <... creat resumed>) = 4 [pid 301] write(-1, 0x20001dc0, 4102) = -1 EBADF (Bad file descriptor) [pid 302] openat(AT_FDCWD, "memory.swap.events", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5 [pid 304] <... mount resumed>) = 0 [pid 302] mount("/dev/loop3", "./bus", NULL, MS_BIND, NULL [pid 299] <... mount resumed>) = 0 [ 20.152384][ T28] audit: type=1400 audit(1713173633.501:73): avc: denied { add_name } for pid=301 comm="syz-executor224" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 20.153624][ T304] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 20.182815][ T28] audit: type=1400 audit(1713173633.521:74): avc: denied { create } for pid=301 comm="syz-executor224" name="bus" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [pid 301] openat(AT_FDCWD, 0x20000280, O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000 [pid 304] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY [pid 302] <... mount resumed>) = 0 [pid 299] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY [pid 304] <... openat resumed>) = 3 [pid 302] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_DIRECT|O_CLOEXEC [pid 299] <... openat resumed>) = 3 [pid 304] chdir("./file0" [pid 302] <... open resumed>) = 6 [pid 299] chdir("./file0" [pid 304] <... chdir resumed>) = 0 [pid 302] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 6, 0 [pid 299] <... chdir resumed>) = 0 [pid 304] openat(AT_FDCWD, "/dev/loop0", O_RDWR [pid 299] openat(AT_FDCWD, "/dev/loop2", O_RDWR [pid 304] <... openat resumed>) = 4 [pid 299] <... openat resumed>) = 4 [pid 304] ioctl(4, LOOP_CLR_FD [pid 299] ioctl(4, LOOP_CLR_FD [pid 304] <... ioctl resumed>) = 0 [pid 299] <... ioctl resumed>) = 0 [pid 304] close(4 [pid 299] close(4 [pid 304] <... close resumed>) = 0 [pid 299] <... close resumed>) = 0 [pid 304] chdir("./file0" [pid 299] chdir("./file0" [pid 304] <... chdir resumed>) = 0 [pid 299] <... chdir resumed>) = 0 [pid 304] creat("./bus", 000 [pid 299] creat("./bus", 000 [pid 304] <... creat resumed>) = 4 [pid 299] <... creat resumed>) = 4 [pid 304] openat(AT_FDCWD, "memory.swap.events", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000 [pid 299] openat(AT_FDCWD, "memory.swap.events", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000 [pid 304] <... openat resumed>) = 5 [pid 299] <... openat resumed>) = 5 [pid 304] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL [pid 299] mount("/dev/loop2", "./bus", NULL, MS_BIND, NULL [pid 304] <... mount resumed>) = 0 [pid 299] <... mount resumed>) = 0 [pid 304] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_DIRECT|O_CLOEXEC [pid 299] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_DIRECT|O_CLOEXEC [pid 304] <... open resumed>) = 6 [pid 299] <... open resumed>) = 6 [pid 304] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 6, 0 [pid 299] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 6, 0 [pid 301] <... openat resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 304] <... mmap resumed>) = 0x20000000 [pid 304] write(-1, 0x20001dc0, 4102) = -1 EBADF (Bad file descriptor) [pid 302] <... mmap resumed>) = 0x20000000 [pid 302] write(-1, 0x20001dc0, 4102 [pid 301] exit_group(0 [pid 302] <... write resumed>) = -1 EBADF (Bad file descriptor) [pid 301] <... exit_group resumed>) = ? [pid 302] openat(AT_FDCWD, 0x20000280, O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000 [pid 304] openat(AT_FDCWD, 0x20000280, O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000 [pid 301] +++ exited with 0 +++ [pid 298] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=301, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- [pid 298] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 298] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 298] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 298] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 298] getdents64(3, 0x5555556706f0 /* 4 entries */, 32768) = 112 [ 20.183638][ T301] EXT4-fs error (device loop4): ext4_find_dest_de:2112: inode #12: block 5: comm syz-executor224: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=1375716473, rec_len=40042, size=56 fake=0 [ 20.202947][ T28] audit: type=1400 audit(1713173633.521:75): avc: denied { write open } for pid=301 comm="syz-executor224" path="/root/syzkaller.eqFovc/0/file0/file0/bus" dev="loop4" ino=18 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 20.254827][ T302] ================================================================== [pid 298] umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 298] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 298] unlink("./0/binderfs") = 0 [pid 298] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 298] newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0755, st_size=2048, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 298] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 298] openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [pid 298] newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=2048, ...}, AT_EMPTY_PATH) = 0 [pid 298] getdents64(4, 0x555555678730 /* 8 entries */, 32768) = 240 [pid 298] umount2("./0/file0/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW [pid 299] <... mmap resumed>) = 0x20000000 [pid 299] write(-1, 0x20001dc0, 4102) = -1 EBADF (Bad file descriptor) [ 20.258620][ T304] EXT4-fs error (device loop0): ext4_find_dest_de:2112: inode #12: block 5: comm syz-executor224: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=1375716473, rec_len=40042, size=56 fake=0 [ 20.262705][ T302] BUG: KASAN: use-after-free in ext4_search_dir+0xf7/0x1b0 [ 20.283598][ T298] EXT4-fs error (device loop4): ext4_lookup:1855: inode #11: comm syz-executor224: iget: bad extra_isize 1328 (inode size 256) [ 20.288916][ T302] Read of size 1 at addr ffff8881104f96e3 by task syz-executor224/302 [ 20.288931][ T302] [pid 299] openat(AT_FDCWD, 0x20000280, O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000 [pid 300] <... mount resumed>) = 0 [pid 300] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 300] chdir("./file0") = 0 [pid 300] openat(AT_FDCWD, "/dev/loop1", O_RDWR) = 4 [pid 300] ioctl(4, LOOP_CLR_FD) = 0 [pid 300] close(4) = 0 [pid 300] chdir("./file0") = 0 [pid 300] creat("./bus", 000) = 4 [pid 300] openat(AT_FDCWD, "memory.swap.events", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5 [pid 300] mount("/dev/loop1", "./bus", NULL, MS_BIND, NULL) = 0 [pid 300] open("./bus", O_RDWR|O_NOCTTY|O_SYNC|O_DIRECT|O_CLOEXEC) = 6 [pid 300] mmap(0x20000000, 11755520, PROT_WRITE, MAP_SHARED|MAP_FIXED|MAP_POPULATE|MAP_STACK, 6, 0) = 0x20000000 [pid 300] write(-1, 0x20001dc0, 4102) = -1 EBADF (Bad file descriptor) [pid 300] openat(AT_FDCWD, 0x20000280, O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = -1 EUCLEAN (Structure needs cleaning) [pid 300] exit_group(0) = ? [ 20.288936][ T302] CPU: 1 PID: 302 Comm: syz-executor224 Not tainted 6.1.75-syzkaller-00023-gb76ed1185975 #0 [ 20.288952][ T302] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 [ 20.288968][ T302] Call Trace: [ 20.288972][ T302] [ 20.288979][ T302] dump_stack_lvl+0x151/0x1b7 [ 20.321381][ T299] EXT4-fs error (device loop2): ext4_find_dest_de:2112: inode #12: block 5: comm syz-executor224: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=1375716473, rec_len=40042, size=56 fake=0 [ 20.321900][ T302] ? nf_tcp_handle_invalid+0x3f1/0x3f1 [ 20.321923][ T302] ? _printk+0xd1/0x111 [pid 300] +++ exited with 0 +++ [pid 295] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=300, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- [pid 295] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 295] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 295] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 295] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 295] getdents64(3, 0x5555556706f0 /* 4 entries */, 32768) = 112 [pid 295] umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 295] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 295] unlink("./0/binderfs") = 0 [pid 295] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 295] newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0755, st_size=2048, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 295] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 295] openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [pid 295] newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=2048, ...}, AT_EMPTY_PATH) = 0 [pid 295] getdents64(4, 0x555555678730 /* 8 entries */, 32768) = 240 [pid 295] umount2("./0/file0/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW [pid 298] <... umount2 resumed>) = -1 EUCLEAN (Structure needs cleaning) [ 20.333071][ T300] EXT4-fs (loop1): mounted filesystem without journal. Quota mode: none. [ 20.334917][ T302] ? __virt_addr_valid+0x242/0x2f0 [ 20.359191][ T300] EXT4-fs error (device loop1): ext4_find_dest_de:2112: inode #12: block 5: comm syz-executor224: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=1375716473, rec_len=40042, size=56 fake=0 [ 20.361392][ T302] print_report+0x158/0x4e0 [ 20.361422][ T302] ? __virt_addr_valid+0x242/0x2f0 [pid 298] newfstatat(AT_FDCWD, "./0/file0/lost+found", [pid 299] <... openat resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 299] exit_group(0) = ? [pid 299] +++ exited with 0 +++ [pid 296] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=299, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- [pid 296] restart_syscall(<... resuming interrupted clone ...> [pid 295] <... umount2 resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 296] <... restart_syscall resumed>) = 0 [pid 296] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 296] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 296] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 296] getdents64(3, 0x5555556706f0 /* 4 entries */, 32768) = 112 [pid 296] umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 296] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 296] unlink("./0/binderfs") = 0 [pid 296] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 296] newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0755, st_size=2048, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 296] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 296] openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [pid 296] newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=2048, ...}, AT_EMPTY_PATH) = 0 [pid 296] getdents64(4, 0x555555678730 /* 8 entries */, 32768) = 240 [pid 296] umount2("./0/file0/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW [ 20.389004][ T295] EXT4-fs error (device loop1): ext4_lookup:1855: inode #11: comm syz-executor224: iget: bad extra_isize 1328 (inode size 256) [ 20.403062][ T302] ? kasan_addr_to_slab+0xd/0x80 [ 20.403090][ T302] ? ext4_search_dir+0xf7/0x1b0 [ 20.403106][ T302] kasan_report+0x13c/0x170 [ 20.403124][ T302] ? ext4_search_dir+0xf7/0x1b0 [ 20.409380][ T298] EXT4-fs error (device loop4): ext4_lookup:1855: inode #11: comm syz-executor224: iget: bad extra_isize 1328 (inode size 256) [ 20.412342][ T302] __asan_report_load1_noabort+0x14/0x20 [pid 295] newfstatat(AT_FDCWD, "./0/file0/lost+found", [pid 304] <... openat resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 304] exit_group(0) = ? [pid 304] +++ exited with 0 +++ [pid 294] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=304, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- [pid 294] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 294] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 294] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 294] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 294] getdents64(3, 0x5555556706f0 /* 4 entries */, 32768) = 112 [pid 294] umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 294] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 294] unlink("./0/binderfs") = 0 [pid 294] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 294] newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0755, st_size=2048, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 294] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 294] openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [pid 294] newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=2048, ...}, AT_EMPTY_PATH) = 0 [pid 294] getdents64(4, 0x555555678730 /* 8 entries */, 32768) = 240 [pid 294] umount2("./0/file0/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW [pid 296] <... umount2 resumed>) = -1 EUCLEAN (Structure needs cleaning) [ 20.446899][ T296] EXT4-fs error (device loop2): ext4_lookup:1855: inode #11: comm syz-executor224: iget: bad extra_isize 1328 (inode size 256) [ 20.456691][ T302] ext4_search_dir+0xf7/0x1b0 [ 20.456717][ T302] ext4_find_inline_entry+0x4b6/0x5e0 [ 20.456735][ T302] ? ext4_try_create_inline_dir+0x320/0x320 [ 20.456751][ T302] ? avc_has_perm_noaudit+0x2dd/0x430 [ 20.463255][ T295] EXT4-fs error (device loop1): ext4_lookup:1855: inode #11: comm syz-executor224: iget: bad extra_isize 1328 (inode size 256) [ 20.475094][ T302] __ext4_find_entry+0x2b0/0x1af0 [ 20.475121][ T302] ? __kasan_slab_alloc+0x6c/0x80 [pid 296] newfstatat(AT_FDCWD, "./0/file0/lost+found", [pid 298] <... newfstatat resumed>0x7fff74989180, AT_SYMLINK_NOFOLLOW) = -1 EUCLEAN (Structure needs cleaning) [pid 298] exit_group(1) = ? [pid 298] +++ exited with 1 +++ [pid 294] <... umount2 resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 294] newfstatat(AT_FDCWD, "./0/file0/lost+found", [pid 296] <... newfstatat resumed>0x7fff74989180, AT_SYMLINK_NOFOLLOW) = -1 EUCLEAN (Structure needs cleaning) [pid 296] exit_group(1) = ? [pid 296] +++ exited with 1 +++ [pid 295] <... newfstatat resumed>0x7fff74989180, AT_SYMLINK_NOFOLLOW) = -1 EUCLEAN (Structure needs cleaning) [pid 295] exit_group(1 [pid 294] <... newfstatat resumed>0x7fff74989180, AT_SYMLINK_NOFOLLOW) = -1 EUCLEAN (Structure needs cleaning) [pid 295] <... exit_group resumed>) = ? [pid 294] exit_group(1 [pid 295] +++ exited with 1 +++ [pid 294] <... exit_group resumed>) = ? [pid 294] +++ exited with 1 +++ [pid 293] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=298, si_uid=0, si_status=1, si_utime=0, si_stime=3} --- [ 20.475143][ T302] ? ext4_fname_setup_ci_filename+0x70/0x480 [ 20.475158][ T302] ? ext4_ci_compare+0x660/0x660 [ 20.475172][ T302] ? memcpy+0x56/0x70 [ 20.475191][ T302] ? ext4_fname_prepare_lookup+0x3b5/0x4e0 [ 20.475210][ T302] ? may_create+0x65a/0x900 [ 20.475227][ T302] ? generic_set_encrypted_ci_d_ops+0x91/0xf0 [ 20.499726][ T294] EXT4-fs error (device loop0): ext4_lookup:1855: inode #11: comm syz-executor224: iget: bad extra_isize 1328 (inode size 256) [ 20.508681][ T302] ext4_lookup+0x176/0x740 [ 20.508706][ T302] ? show_sid+0x270/0x270 [ 20.508722][ T302] ? ext4_add_entry+0xed0/0xed0 [ 20.508740][ T302] ? selinux_inode_create+0x22/0x30 [ 20.514572][ T296] EXT4-fs error (device loop2): ext4_lookup:1855: inode #11: comm syz-executor224: iget: bad extra_isize 1328 (inode size 256) [ 20.518399][ T302] ? security_inode_create+0xbc/0x100 [ 20.518425][ T302] ? ext4_add_entry+0xed0/0xed0 [ 20.518442][ T302] path_openat+0x10fd/0x2d60 [ 20.518462][ T302] ? do_filp_open+0x480/0x480 [ 20.518481][ T302] do_filp_open+0x230/0x480 [ 20.518498][ T302] ? vfs_tmpfile+0x480/0x480 [ 20.518518][ T302] ? alloc_fd+0x4fa/0x5a0 [ 20.518541][ T302] do_sys_openat2+0x13f/0x850 [ 20.518559][ T302] ? memset+0x35/0x40 [ 20.518581][ T302] ? do_sys_open+0x220/0x220 [ 20.527018][ T294] EXT4-fs error (device loop0): ext4_lookup:1855: inode #11: comm syz-executor224: iget: bad extra_isize 1328 (inode size 256) [ 20.529128][ T302] ? ptrace_notify+0x249/0x350 [ 20.529151][ T302] __x64_sys_openat+0x243/0x290 [ 20.659583][ T302] ? __ia32_sys_open+0x270/0x270 [ 20.664354][ T302] ? fpregs_assert_state_consistent+0xb6/0xe0 [ 20.670251][ T302] ? exit_to_user_mode_prepare+0x39/0xa0 [ 20.675725][ T302] ? syscall_enter_from_user_mode+0x6a/0x190 [ 20.681539][ T302] do_syscall_64+0x3d/0xb0 [ 20.685791][ T302] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 20.691515][ T302] RIP: 0033:0x7facb787c109 [ 20.695769][ T302] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 01 1b 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 20.715212][ T302] RSP: 002b:00007fff7498b328 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 20.723455][ T302] RAX: ffffffffffffffda RBX: 0030656c69662f2e RCX: 00007facb787c109 [ 20.731271][ T302] RDX: 000000000000275a RSI: 0000000020000280 RDI: 00000000ffffff9c [ 20.739082][ T302] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 20.746889][ T302] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff7498b5c0 [ 20.754701][ T302] R13: 0000000000000000 R14: 431bde82d7b634db R15: 00007fff7498b390 [ 20.762519][ T302] [ 20.765379][ T302] [ 20.767545][ T302] The buggy address belongs to the physical page: [ 20.773798][ T302] page:ffffea0004413e40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1104f9 [ 20.783951][ T302] flags: 0x4000000000000000(zone=1) [ 20.788996][ T302] raw: 4000000000000000 ffffea00043e28c8 ffffea0004565788 0000000000000000 [ 20.797409][ T302] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 20.805823][ T302] page dumped because: kasan: bad access detected [ 20.812088][ T302] page_owner tracks the page as freed [ 20.817282][ T302] page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 301, tgid 301 (syz-executor224), ts 19976640089, free_ts 20254560752 [ 20.834911][ T302] post_alloc_hook+0x213/0x220 [ 20.839496][ T302] prep_new_page+0x1b/0x110 [ 20.843836][ T302] get_page_from_freelist+0x27ea/0x2870 [ 20.849218][ T302] __alloc_pages+0x3a1/0x780 [ 20.853644][ T302] __folio_alloc+0x15/0x40 [ 20.857896][ T302] wp_page_copy+0x261/0x1690 [ 20.862326][ T302] do_wp_page+0xc25/0xdf0 [ 20.866492][ T302] handle_mm_fault+0x15a2/0x2f40 [ 20.871264][ T302] exc_page_fault+0x3b3/0x700 [ 20.875779][ T302] asm_exc_page_fault+0x27/0x30 [ 20.880555][ T302] page last free stack trace: [ 20.885151][ T302] free_unref_page_prepare+0x83d/0x850 [ 20.890444][ T302] free_unref_page_list+0xf1/0x7b0 [ 20.895391][ T302] release_pages+0xf7f/0xfe0 [ 20.899818][ T302] free_pages_and_swap_cache+0x8a/0xa0 [ 20.905127][ T302] tlb_finish_mmu+0x1e0/0x3f0 [ 20.909626][ T302] exit_mmap+0x421/0x940 [ 20.913705][ T302] __mmput+0x95/0x310 [ 20.917525][ T302] mmput+0x56/0x170 [ 20.921171][ T302] do_exit+0xb29/0x2b80 [ 20.925163][ T302] do_group_exit+0x21a/0x2d0 [ 20.929589][ T302] __x64_sys_exit_group+0x3f/0x40 [ 20.934537][ T302] do_syscall_64+0x3d/0xb0 [ 20.938789][ T302] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 20.944518][ T302] [ 20.947035][ T302] Memory state around the buggy address: [ 20.952508][ T302] ffff8881104f9580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.960397][ T302] ffff8881104f9600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.968292][ T302] >ffff8881104f9680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.976187][ T302] ^ [ 20.983219][ T302] ffff8881104f9700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.991121][ T302] ffff8881104f9780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 20.999015][ T302] ================================================================== [ 21.008246][ T302] Disabling lock debugging due to kernel taint [pid 293] restart_syscall(<... resuming interrupted clone ...> [pid 302] <... openat resumed>) = -1 EUCLEAN (Structure needs cleaning) [pid 302] exit_group(0) = ? [pid 302] +++ exited with 0 +++ [pid 297] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=302, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- [pid 297] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 297] umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 297] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 297] newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 [pid 297] getdents64(3, 0x5555556706f0 /* 4 entries */, 32768) = 112 [pid 297] umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 297] newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 297] unlink("./0/binderfs") = 0 [pid 297] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 297] newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0755, st_size=2048, ...}, AT_SYMLINK_NOFOLLOW) = 0 [pid 297] umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) [pid 297] openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 [pid 297] newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=2048, ...}, AT_EMPTY_PATH) = 0 [pid 297] getdents64(4, 0x555555678730 /* 8 entries */, 32768) = 240 [pid 297] umount2("./0/file0/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EUCLEAN (Structure needs cleaning) [pid 297] newfstatat(AT_FDCWD, "./0/file0/lost+found", 0x7fff74989180, AT_SYMLINK_NOFOLLOW) = -1 EUCLEAN (Structure needs cleaning) [pid 297] exit_group(1) = ? [pid 297] +++ exited with 1 +++ <... restart_syscall resumed>) = ? ERESTART_RESTARTBLOCK (Interrupted by signal) --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=297, si_uid=0, si_status=1, si_utime=0, si_stime=3} --- [ 21.014290][ T302] EXT4-fs error (device loop3): ext4_find_dest_de:2112: inode #12: block 5: comm syz-executor224: bad entry in directory: rec_len % 4 != 0 - offset=0, inode=1375716473, rec_len=40042, size=56 fake=0 [ 21.040612][ T297] EXT4-fs error (device loop3): ext4_lookup:1855: inode #11: comm syz-executor224: iget: bad extra_isize 1328 (inode size 256) [ 21.054273][ T297] EXT4-fs error (device loop3): ext4_lookup:1855: inode #11: comm syz-executor224: iget: bad extra_isize 1328 (inode size 256)