./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor768312304 <...> DUID 00:04:76:8b:f6:84:a4:3b:36:39:6c:68:e7:10:38:dd:b7:2c forked to background, child pid 4658 [ 36.516702][ T4659] 8021q: adding VLAN 0 to HW filter on device bond0 [ 36.548896][ T4659] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.1.56' (ECDSA) to the list of known hosts. execve("./syz-executor768312304", ["./syz-executor768312304"], 0x7fff0a532ae0 /* 10 vars */) = 0 brk(NULL) = 0x55555574b000 brk(0x55555574bc40) = 0x55555574bc40 arch_prctl(ARCH_SET_FS, 0x55555574b300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x55555574b5d0) = 4993 set_robust_list(0x55555574b5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7f974c1fc0c0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f974c1fc790}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7f974c1fc160, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f974c1fc790}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor768312304", 4096) = 27 brk(0x55555576cc40) = 0x55555576cc40 brk(0x55555576d000) = 0x55555576d000 mprotect(0x7f974c2c6000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 getpid() = 4993 mkdir("./syzkaller.3hIa7J", 0700) = 0 chmod("./syzkaller.3hIa7J", 0777) = 0 chdir("./syzkaller.3hIa7J") = 0 unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 4994 attached , child_tidptr=0x55555574b5d0) = 4994 [pid 4994] set_robust_list(0x55555574b5e0, 24) = 0 [pid 4994] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 4994] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 4994] setsid() = 1 [pid 4994] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 4994] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 4994] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 4994] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 4994] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 4994] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 4994] unshare(CLONE_NEWNS) = 0 [pid 4994] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 4994] unshare(CLONE_NEWIPC) = 0 [pid 4994] unshare(CLONE_NEWCGROUP) = 0 [pid 4994] unshare(CLONE_NEWUTS) = 0 [pid 4994] unshare(CLONE_SYSVSEM) = 0 [pid 4994] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 4994] write(3, "16777216", 8) = 8 [pid 4994] close(3) = 0 [pid 4994] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 4994] write(3, "536870912", 9) = 9 [pid 4994] close(3) = 0 [pid 4994] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 4994] write(3, "1024", 4) = 4 [pid 4994] close(3) = 0 [pid 4994] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 4994] write(3, "8192", 4) = 4 [pid 4994] close(3) = 0 [pid 4994] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 4994] write(3, "1024", 4) = 4 [pid 4994] close(3) = 0 [pid 4994] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 4994] write(3, "1024", 4) = 4 [pid 4994] close(3) = 0 [pid 4994] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 4994] write(3, "1024 1048576 500 1024", 21) = 21 [pid 4994] close(3) = 0 [pid 4994] getpid() = 1 [pid 4994] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 4997] futex(0x7f974c2cc7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 62.949967][ T1069] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 62.958642][ T900] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready [pid 4997] futex(0x7f974c2cc7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=4, tv_nsec=50000000} [pid 4998] <... set_robust_list resumed>) = 0 [pid 4998] memfd_create("syzkaller", 0) = 3 [pid 4998] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9743dca000 [ 63.012129][ T4998] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=4998 'syz-executor768' [pid 4998] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 32394836) = 32394836 [pid 4998] munmap(0x7f9743dca000, 32394836) = 0 [pid 4998] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 4998] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 4998] close(3) = 0 [pid 4998] mkdir("./bus", 0777) = 0 [ 63.422977][ T4998] loop0: detected capacity change from 0 to 63271 [ 63.435305][ T4998] F2FS-fs (loop0): Mismatch start address, segment0(512) cp_blkaddr(605) [ 63.443962][ T4998] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock [ 63.455294][ T4998] F2FS-fs (loop0): invalid crc value [ 63.464735][ T4998] F2FS-fs (loop0): Found nat_bits in checkpoint [pid 4998] mount("/dev/loop0", "./bus", "f2fs", MS_SYNCHRONOUS, "") = 0 [pid 4998] openat(AT_FDCWD, "./bus", O_RDONLY|O_DIRECTORY) = 3 [pid 4998] chdir("./bus") = 0 [pid 4998] ioctl(4, LOOP_CLR_FD) = 0 [pid 4998] close(4) = 0 [pid 4998] futex(0x7f974c2cc7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4997] <... futex resumed>) = 0 [pid 4997] futex(0x7f974c2cc7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4997] futex(0x7f974c2cc7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4998] <... futex resumed>) = 1 [pid 4998] open("./bus", O_RDONLY) = -1 ENOENT (No such file or directory) [pid 4998] futex(0x7f974c2cc7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4997] <... futex resumed>) = 0 [pid 4997] futex(0x7f974c2cc7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4997] futex(0x7f974c2cc7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4998] <... futex resumed>) = 1 [pid 4998] creat(NULL, 000) = -1 EFAULT (Bad address) [pid 4998] futex(0x7f974c2cc7ac, FUTEX_WAKE_PRIVATE, 1000000 [pid 4997] <... futex resumed>) = 0 [pid 4997] futex(0x7f974c2cc7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4997] futex(0x7f974c2cc7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4998] <... futex resumed>) = 1 [ 63.507800][ T4998] F2FS-fs (loop0): Try to recover 1th superblock, ret: 0 [ 63.514982][ T4998] F2FS-fs (loop0): Mounted with checkpoint version = 753bd00b [pid 4998] open("./bus", O_RDWR|O_CREAT|O_NONBLOCK|O_DIRECT|O_NOFOLLOW|O_NOATIME, 000) = 4 [pid 4998] futex(0x7f974c2cc7ac, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 4997] <... futex resumed>) = 0 [pid 4997] futex(0x7f974c2cc7a8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4997] futex(0x7f974c2cc7ac, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 4998] pwritev2(4, [{iov_base="\x85\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x2e\x2f\x62\x75\x73\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=3177984}], 1, 5120, RWF_HIPRI|RWF_DSYNC [pid 4997] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [pid 4997] futex(0x7f974c2cc7bc, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 63.546220][ T27] audit: type=1800 audit(1682908545.680:2): pid=4998 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="syz-executor768" name="bus" dev="loop0" ino=4 res=0 errno=0 [pid 4997] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f9745c8e000 [pid 4997] mprotect(0x7f9745c8f000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 4997] clone(child_stack=0x7f9745cae3f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[4], tls=0x7f9745cae700, child_tidptr=0x7f9745cae9d0) = 4 [pid 4997] futex(0x7f974c2cc7b8, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4997] futex(0x7f974c2cc7bc, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}./strace-static-x86_64: Process 5003 attached [pid 5003] set_robust_list(0x7f9745cae9e0, 24) = 0 [pid 5003] quotactl(QCMD(Q_QUOTAON, PRJQUOTA), "/dev/loop0", 0 /* QFMT_VFS_??? */, "./bus") = -1 ESRCH (No such process) [pid 5003] futex(0x7f974c2cc7bc, FUTEX_WAKE_PRIVATE, 1000000 [pid 4997] <... futex resumed>) = 0 [pid 5003] <... futex resumed>) = 1 [pid 5003] futex(0x7f974c2cc7b8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4998] <... pwritev2 resumed>) = -1 EIO (Input/output error) [ 63.629613][ T4998] syz-executor768: attempt to access beyond end of device [ 63.629613][ T4998] loop0: rw=2049, sector=77824, nr_sectors = 2048 limit=63271 [ 63.657537][ T4998] syz-executor768: attempt to access beyond end of device [ 63.657537][ T4998] loop0: rw=2049, sector=79872, nr_sectors = 2048 limit=63271 [ 63.692860][ T4998] [ 63.695227][ T4998] ================================================ [ 63.701715][ T4998] WARNING: lock held when returning to user space! [ 63.708224][ T4998] 6.3.0-syzkaller-12049-g58390c8ce1bd #0 Not tainted [ 63.714888][ T4998] ------------------------------------------------ [ 63.721380][ T4998] syz-executor768/4998 is leaving the kernel with locks still held! [ 63.729343][ T4998] 1 lock held by syz-executor768/4998: [pid 4998] futex(0x7f974c2cc7ac, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 4998] futex(0x7f974c2cc7a8, FUTEX_WAIT_PRIVATE, 0, NULL [pid 4997] close(3) = 0 [pid 4997] close(4) = 0 [pid 4997] close(5) = -1 EBADF (Bad file descriptor) [pid 4997] close(6) = -1 EBADF (Bad file descriptor) [pid 4997] close(7) = -1 EBADF (Bad file descriptor) [pid 4997] close(8) = -1 EBADF (Bad file descriptor) [pid 4997] close(9) = -1 EBADF (Bad file descriptor) [pid 4997] close(10) = -1 EBADF (Bad file descriptor) [pid 4997] close(11) = -1 EBADF (Bad file descriptor) [pid 4997] close(12) = -1 EBADF (Bad file descriptor) [pid 4997] close(13) = -1 EBADF (Bad file descriptor) [pid 4997] close(14) = -1 EBADF (Bad file descriptor) [pid 4997] close(15) = -1 EBADF (Bad file descriptor) [pid 4997] close(16) = -1 EBADF (Bad file descriptor) [pid 4997] close(17) = -1 EBADF (Bad file descriptor) [pid 4997] close(18) = -1 EBADF (Bad file descriptor) [pid 4997] close(19) = -1 EBADF (Bad file descriptor) [pid 4997] close(20) = -1 EBADF (Bad file descriptor) [pid 4997] close(21) = -1 EBADF (Bad file descriptor) [pid 4997] close(22) = -1 EBADF (Bad file descriptor) [pid 4997] close(23) = -1 EBADF (Bad file descriptor) [pid 4997] close(24) = -1 EBADF (Bad file descriptor) [pid 4997] close(25) = -1 EBADF (Bad file descriptor) [pid 4997] close(26) = -1 EBADF (Bad file descriptor) [pid 4997] close(27) = -1 EBADF (Bad file descriptor) [pid 4997] close(28) = -1 EBADF (Bad file descriptor) [pid 4997] close(29) = -1 EBADF (Bad file descriptor) [pid 4997] exit_group(0 [pid 5003] <... futex resumed>) = ? [pid 4997] <... exit_group resumed>) = ? [pid 5003] +++ exited with 0 +++ [pid 4998] <... futex resumed>) = ? [pid 4998] +++ exited with 0 +++ [pid 4997] +++ exited with 0 +++ [pid 4994] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=2, si_uid=0, si_status=0, si_utime=9 /* 0.09 s */, si_stime=46 /* 0.46 s */} --- [pid 4994] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 4994] umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) [pid 4994] openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 [pid 4994] fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 [pid 4994] getdents64(3, 0x55555574c620 /* 4 entries */, 32768) = 104 [ 63.734799][ T4998] #0: ffff88807e800448 (&sbi->node_write){++++}-{3:3}, at: f2fs_write_single_data_page+0xa10/0x1d50