./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3451896918 <...> Warning: Permanently added '10.128.0.40' (ED25519) to the list of known hosts. execve("./syz-executor3451896918", ["./syz-executor3451896918"], 0x7fff65d9ba20 /* 10 vars */) = 0 brk(NULL) = 0x55558a511000 brk(0x55558a511d00) = 0x55558a511d00 arch_prctl(ARCH_SET_FS, 0x55558a511380) = 0 set_tid_address(0x55558a511650) = 290 set_robust_list(0x55558a511660, 24) = 0 rseq(0x55558a511ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3451896918", 4096) = 28 getrandom("\x34\x65\xfe\x06\x07\x92\xfc\x7e", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55558a511d00 brk(0x55558a532d00) = 0x55558a532d00 brk(0x55558a533000) = 0x55558a533000 mprotect(0x7f28f28f0000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 mkdir("./syzkaller.sDMgVc", 0700) = 0 chmod("./syzkaller.sDMgVc", 0777) = 0 chdir("./syzkaller.sDMgVc") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a511650) = 292 ./strace-static-x86_64: Process 292 attached [pid 292] set_robust_list(0x55558a511660, 24) = 0 [pid 292] chdir("./0") = 0 [pid 292] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 292] setpgid(0, 0) = 0 [pid 292] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 292] write(3, "1000", 4executing program ) = 4 [pid 292] close(3) = 0 [pid 292] symlink("/dev/binderfs", "./binderfs") = 0 [pid 292] write(1, "executing program\n", 18) = 18 [pid 292] memfd_create("syzkaller", 0) = 3 [pid 292] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 292] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 292] munmap(0x7f28ea43d000, 138412032) = 0 [pid 292] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 25.007386][ T28] audit: type=1400 audit(1753032867.894:64): avc: denied { execmem } for pid=290 comm="syz-executor345" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 25.027498][ T28] audit: type=1400 audit(1753032867.894:65): avc: denied { read write } for pid=290 comm="syz-executor345" name="loop0" dev="devtmpfs" ino=118 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [pid 292] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 292] close(3) = 0 [pid 292] close(4) = 0 [pid 292] mkdir("./file1", 0777) = 0 [ 25.030568][ T292] loop0: detected capacity change from 0 to 1024 [ 25.053350][ T28] audit: type=1400 audit(1753032867.894:66): avc: denied { open } for pid=290 comm="syz-executor345" path="/dev/loop0" dev="devtmpfs" ino=118 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 25.062327][ T292] ======================================================= [ 25.062327][ T292] WARNING: The mand mount option has been deprecated and [ 25.062327][ T292] and is ignored by this kernel. Remove the mand [ 25.062327][ T292] option from the mount to silence this warning. [ 25.062327][ T292] ======================================================= [ 25.084379][ T28] audit: type=1400 audit(1753032867.894:67): avc: denied { ioctl } for pid=290 comm="syz-executor345" path="/dev/loop0" dev="devtmpfs" ino=118 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [pid 292] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 292] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 292] chdir("./file1") = 0 [pid 292] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 292] ioctl(4, LOOP_CLR_FD) = 0 [pid 292] close(4) = 0 [pid 292] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 25.144706][ T28] audit: type=1400 audit(1753032867.954:68): avc: denied { mounton } for pid=292 comm="syz-executor345" path="/root/syzkaller.sDMgVc/0/file1" dev="sda1" ino=2027 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 25.156859][ T292] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 25.177730][ T28] audit: type=1400 audit(1753032868.074:69): avc: denied { mount } for pid=292 comm="syz-executor345" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 25.196954][ T292] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [ 25.200242][ T28] audit: type=1400 audit(1753032868.074:70): avc: denied { write } for pid=292 comm="syz-executor345" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 25.214582][ T292] EXT4-fs (loop0): pa ffff88811010fc78: logic 256, phys. 385, len 8 [ 25.236102][ T28] audit: type=1400 audit(1753032868.074:71): avc: denied { add_name } for pid=292 comm="syz-executor345" name="memory.stat" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 25.244068][ T292] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, [ 25.265904][ T28] audit: type=1400 audit(1753032868.074:72): avc: denied { create } for pid=292 comm="syz-executor345" name="memory.stat" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [pid 292] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 292] ftruncate(4, 7) = 0 [pid 292] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 292] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 292] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 292] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 292] exit_group(0) = ? [pid 292] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=292, si_uid=0, si_status=0, si_utime=0, si_stime=16} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./0/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./0/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./0/file1/lost+found") = 0 umount2("./0/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./0/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file0/file0") = 0 umount2("./0/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./0/file1/file0") = 0 umount2("./0/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file1") = 0 umount2("./0/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file2") = 0 umount2("./0/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file3") = 0 umount2("./0/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/file.cold") = 0 umount2("./0/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/memory.stat") = 0 umount2("./0/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./0/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file1/bus") = 0 getdents64(4, 0x55558a51a730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./0/file1") = -1 EBUSY (Device or resource busy) umount2("./0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./0/file1") = 0 umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 getdents64(3, 0x55558a5126f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a511650) = 296 executing program ./strace-static-x86_64: Process 296 attached [pid 296] set_robust_list(0x55558a511660, 24) = 0 [pid 296] chdir("./1") = 0 [pid 296] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 296] setpgid(0, 0) = 0 [pid 296] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 296] write(3, "1000", 4) = 4 [pid 296] close(3) = 0 [pid 296] symlink("/dev/binderfs", "./binderfs") = 0 [pid 296] write(1, "executing program\n", 18) = 18 [pid 296] memfd_create("syzkaller", 0) = 3 [pid 296] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 296] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 296] munmap(0x7f28ea43d000, 138412032) = 0 [pid 296] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 25.265931][ T28] audit: type=1400 audit(1753032868.074:73): avc: denied { read append open } for pid=292 comm="syz-executor345" path="/root/syzkaller.sDMgVc/0/file1/memory.stat" dev="loop0" ino=18 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=file permissive=1 [ 25.322445][ T292] free 0, pa_free 1 [ 25.346647][ T290] EXT4-fs (loop0): unmounting filesystem. [pid 296] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 296] close(3) = 0 [pid 296] close(4) = 0 [pid 296] mkdir("./file1", 0777) = 0 [pid 296] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 296] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 296] chdir("./file1") = 0 [pid 296] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 296] ioctl(4, LOOP_CLR_FD) = 0 [pid 296] close(4) = 0 [pid 296] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 25.364542][ T296] loop0: detected capacity change from 0 to 1024 [ 25.375910][ T296] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 25.396049][ T296] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [pid 296] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 296] ftruncate(4, 7) = 0 [pid 296] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 296] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 296] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 296] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 296] exit_group(0) = ? [pid 296] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=296, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./1/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./1/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./1/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./1/file1/lost+found") = 0 umount2("./1/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./1/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./1/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file0/file0") = 0 umount2("./1/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./1/file1/file0") = 0 umount2("./1/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file1") = 0 umount2("./1/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file2") = 0 umount2("./1/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file3") = 0 umount2("./1/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/file.cold") = 0 umount2("./1/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 25.410601][ T296] EXT4-fs (loop0): pa ffff888124466000: logic 256, phys. 385, len 8 [ 25.418701][ T296] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 [ 25.445605][ T290] ================================================================== [ 25.453708][ T290] BUG: KASAN: use-after-free in ext4_ext_remove_space+0x2f43/0x3fb0 [ 25.461782][ T290] Read of size 4 at addr ffff8881252cddb8 by task syz-executor345/290 [ 25.470007][ T290] [ 25.472533][ T290] CPU: 1 PID: 290 Comm: syz-executor345 Not tainted 6.1.141-syzkaller-00039-g145c7fad733f #0 [ 25.482760][ T290] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 25.492993][ T290] Call Trace: [ 25.496346][ T290] [ 25.499276][ T290] __dump_stack+0x21/0x24 [ 25.503612][ T290] dump_stack_lvl+0xee/0x150 [ 25.508299][ T290] ? __cfi_dump_stack_lvl+0x8/0x8 [ 25.513320][ T290] ? ext4_inode_block_valid+0x2d7/0x3f0 [ 25.518865][ T290] ? ext4_ext_remove_space+0x2f43/0x3fb0 [ 25.524500][ T290] print_address_description+0x71/0x210 [ 25.530062][ T290] print_report+0x4a/0x60 [ 25.534385][ T290] kasan_report+0x122/0x150 [ 25.538969][ T290] ? ext4_ext_remove_space+0x2f43/0x3fb0 [ 25.544591][ T290] __asan_report_load4_noabort+0x14/0x20 [ 25.550233][ T290] ext4_ext_remove_space+0x2f43/0x3fb0 [ 25.555868][ T290] ? ext4_es_free_extent+0x3de/0x4c0 [ 25.561180][ T290] ? ext4_es_insert_extent+0x2d70/0x2d70 [ 25.566807][ T290] ? ext4_da_release_space+0x1d6/0x480 [ 25.572255][ T290] ? __cfi_ext4_ext_remove_space+0x10/0x10 [ 25.578147][ T290] ? ext4_es_remove_extent+0x1d9/0x330 [ 25.583673][ T290] ext4_ext_truncate+0x200/0x320 [ 25.588854][ T290] ext4_truncate+0x9a6/0xf90 [ 25.593465][ T290] ? __cfi_ext4_truncate+0x10/0x10 [ 25.598738][ T290] ext4_evict_inode+0xcc3/0x1460 [ 25.603759][ T290] ? _raw_spin_unlock+0x4c/0x70 [ 25.608613][ T290] ? __cfi_ext4_evict_inode+0x10/0x10 [ 25.613981][ T290] ? _raw_spin_unlock+0x4c/0x70 [ 25.618824][ T290] ? inode_io_list_del+0x19b/0x1b0 [ 25.623928][ T290] ? __cfi_ext4_evict_inode+0x10/0x10 [ 25.629373][ T290] evict+0x493/0x890 [ 25.633334][ T290] ? __kasan_check_write+0x14/0x20 [ 25.638427][ T290] ? proc_nr_inodes+0x2f0/0x2f0 [ 25.643345][ T290] ? lockref_put_return+0x152/0x1c0 [ 25.648610][ T290] ? __cfi_lockref_put_return+0x10/0x10 [ 25.654134][ T290] ? __kasan_check_write+0x14/0x20 [ 25.659317][ T290] iput+0x620/0x670 [ 25.663224][ T290] do_unlinkat+0x375/0x6b0 [ 25.667680][ T290] ? __cfi_do_unlinkat+0x10/0x10 [ 25.672609][ T290] ? getname_flags+0x206/0x500 [ 25.677354][ T290] __x64_sys_unlink+0x49/0x50 [ 25.682043][ T290] x64_sys_call+0x958/0x9a0 [ 25.686548][ T290] do_syscall_64+0x4c/0xa0 [ 25.690957][ T290] ? clear_bhb_loop+0x30/0x80 [ 25.695618][ T290] ? clear_bhb_loop+0x30/0x80 [ 25.700287][ T290] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 25.706199][ T290] RIP: 0033:0x7f28f287bd17 [ 25.710630][ T290] Code: 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [ 25.730216][ T290] RSP: 002b:00007ffd410e29d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 [ 25.738607][ T290] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f28f287bd17 [ 25.746557][ T290] RDX: 00007ffd410e2a00 RSI: 00007ffd410e2a90 RDI: 00007ffd410e2a90 [ 25.754511][ T290] RBP: 00007ffd410e2a90 R08: 0000000000000000 R09: 0000000000000000 [ 25.762556][ T290] R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffd410e3b80 [ 25.770508][ T290] R13: 000055558a51a700 R14: 431bde82d7b634db R15: 00007ffd410e4c10 [ 25.778486][ T290] [ 25.781491][ T290] [ 25.783790][ T290] The buggy address belongs to the physical page: [ 25.790176][ T290] page:ffffea000494b340 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x1252cd [ 25.800390][ T290] flags: 0x4000000000000000(zone=1) [ 25.805669][ T290] raw: 4000000000000000 ffffea000494b388 ffffea000494b308 0000000000000000 [ 25.814231][ T290] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 [ 25.822874][ T290] page dumped because: kasan: bad access detected [ 25.829266][ T290] page_owner tracks the page as freed [ 25.834653][ T290] page last allocated via order 0, migratetype Movable, gfp_mask 0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), pid 292, tgid 292 (syz-executor345), ts 25028822502, free_ts 25354457353 [ 25.852445][ T290] post_alloc_hook+0x1f5/0x210 [ 25.857233][ T290] prep_new_page+0x1c/0x110 [ 25.861731][ T290] get_page_from_freelist+0x2c7b/0x2cf0 [ 25.867347][ T290] __alloc_pages+0x19e/0x3a0 [ 25.871915][ T290] __folio_alloc+0x12/0x40 [ 25.876310][ T290] shmem_alloc_and_acct_folio+0x650/0x870 [ 25.882092][ T290] shmem_get_folio_gfp+0x119f/0x2230 [ 25.887377][ T290] shmem_write_begin+0xea/0x2c0 [ 25.892203][ T290] generic_perform_write+0x2f6/0x6d0 [ 25.897482][ T290] __generic_file_write_iter+0x227/0x580 [ 25.903113][ T290] generic_file_write_iter+0xae/0x310 [ 25.908749][ T290] vfs_write+0x5db/0xca0 [ 25.913281][ T290] ksys_write+0x140/0x240 [ 25.917602][ T290] __x64_sys_write+0x7b/0x90 [ 25.922280][ T290] x64_sys_call+0x27b/0x9a0 [ 25.926783][ T290] do_syscall_64+0x4c/0xa0 [ 25.931198][ T290] page last free stack trace: [ 25.935863][ T290] free_unref_page_prepare+0x742/0x750 [ 25.941318][ T290] free_unref_page_list+0xba/0x7c0 [ 25.946420][ T290] release_pages+0xad1/0xb20 [ 25.951024][ T290] __pagevec_release+0x71/0xe0 [ 25.955886][ T290] shmem_undo_range+0x51a/0x1470 [ 25.960826][ T290] shmem_evict_inode+0x242/0xa10 [ 25.966168][ T290] evict+0x493/0x890 [ 25.970248][ T290] iput+0x620/0x670 [ 25.974045][ T290] dentry_unlink_inode+0x33d/0x3f0 [ 25.979147][ T290] __dentry_kill+0x460/0x670 [ 25.983720][ T290] dentry_kill+0xc0/0x2a0 [ 25.988029][ T290] dput+0x42/0x80 [ 25.991641][ T290] __fput+0x5be/0x8f0 [ 25.995598][ T290] ____fput+0x15/0x20 [ 25.999555][ T290] task_work_run+0x1db/0x240 [ 26.004124][ T290] ptrace_notify+0x221/0x250 [ 26.008707][ T290] [ 26.011010][ T290] Memory state around the buggy address: [ 26.016636][ T290] ffff8881252cdc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.024677][ T290] ffff8881252cdd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.032831][ T290] >ffff8881252cdd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.040876][ T290] ^ [ 26.046744][ T290] ffff8881252cde00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 26.054789][ T290] ffff8881252cde80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff unlink("./1/file1/memory.stat") = 0 umount2("./1/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./1/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/file1/bus") = 0 getdents64(4, 0x55558a51a730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./1/file1") = -1 EBUSY (Device or resource busy) umount2("./1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./1/file1") = 0 umount2("./1/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 getdents64(3, 0x55558a5126f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a511650) = 299 ./strace-static-x86_64: Process 299 attached [pid 299] set_robust_list(0x55558a511660, 24) = 0 [pid 299] chdir("./2") = 0 [pid 299] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 299] setpgid(0, 0) = 0 [pid 299] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 299] write(3, "1000", 4) = 4 [pid 299] close(3) = 0 [pid 299] symlink("/dev/binderfs", "./binderfs"executing program ) = 0 [pid 299] write(1, "executing program\n", 18) = 18 [pid 299] memfd_create("syzkaller", 0) = 3 [pid 299] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 299] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 299] munmap(0x7f28ea43d000, 138412032) = 0 [pid 299] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 299] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 299] close(3) = 0 [pid 299] close(4) = 0 [pid 299] mkdir("./file1", 0777) = 0 [ 26.062948][ T290] ================================================================== [ 26.071207][ T290] Disabling lock debugging due to kernel taint [ 26.080620][ T290] EXT4-fs (loop0): unmounting filesystem. [ 26.099558][ T299] loop0: detected capacity change from 0 to 1024 [pid 299] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 299] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 299] chdir("./file1") = 0 [pid 299] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 299] ioctl(4, LOOP_CLR_FD) = 0 [pid 299] close(4) = 0 [pid 299] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 299] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 299] ftruncate(4, 7) = 0 [pid 299] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 299] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 299] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 299] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 299] exit_group(0) = ? [pid 299] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=299, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./2/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./2/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./2/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./2/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./2/file1/lost+found") = 0 umount2("./2/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./2/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./2/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file0/file0") = 0 umount2("./2/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./2/file1/file0") = 0 umount2("./2/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file1") = 0 umount2("./2/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file2") = 0 umount2("./2/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file3") = 0 umount2("./2/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/file.cold") = 0 umount2("./2/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/memory.stat") = 0 umount2("./2/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./2/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/file1/bus") = 0 getdents64(4, 0x55558a51a730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./2/file1") = -1 EBUSY (Device or resource busy) [ 26.115792][ T299] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 26.134109][ T299] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [ 26.148945][ T299] EXT4-fs (loop0): pa ffff888124466150: logic 256, phys. 385, len 8 [ 26.157150][ T299] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 umount2("./2/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./2/file1") = 0 umount2("./2/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 getdents64(3, 0x55558a5126f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLDexecuting program , child_tidptr=0x55558a511650) = 302 ./strace-static-x86_64: Process 302 attached [pid 302] set_robust_list(0x55558a511660, 24) = 0 [pid 302] chdir("./3") = 0 [pid 302] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 302] setpgid(0, 0) = 0 [pid 302] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 302] write(3, "1000", 4) = 4 [pid 302] close(3) = 0 [pid 302] symlink("/dev/binderfs", "./binderfs") = 0 [pid 302] write(1, "executing program\n", 18) = 18 [pid 302] memfd_create("syzkaller", 0) = 3 [pid 302] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 302] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 302] munmap(0x7f28ea43d000, 138412032) = 0 [pid 302] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 302] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 302] close(3) = 0 [pid 302] close(4) = 0 [pid 302] mkdir("./file1", 0777) = 0 [pid 302] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 302] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 302] chdir("./file1") = 0 [pid 302] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 302] ioctl(4, LOOP_CLR_FD) = 0 [pid 302] close(4) = 0 [pid 302] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 26.182925][ T290] EXT4-fs (loop0): unmounting filesystem. [ 26.202413][ T302] loop0: detected capacity change from 0 to 1024 [ 26.215991][ T302] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [pid 302] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 302] ftruncate(4, 7) = 0 [pid 302] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 302] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 302] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 302] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 302] exit_group(0) = ? [pid 302] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=302, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./3/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./3/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./3/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./3/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./3/file1/lost+found") = 0 umount2("./3/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./3/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./3/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file0/file0") = 0 umount2("./3/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./3/file1/file0") = 0 umount2("./3/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file1") = 0 umount2("./3/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file2") = 0 umount2("./3/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file3") = 0 umount2("./3/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/file.cold") = 0 umount2("./3/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/memory.stat") = 0 umount2("./3/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./3/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/file1/bus") = 0 getdents64(4, 0x55558a51a730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./3/file1") = -1 EBUSY (Device or resource busy) [ 26.235169][ T302] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [ 26.250637][ T302] EXT4-fs (loop0): pa ffff88812449ec78: logic 256, phys. 385, len 8 [ 26.258657][ T302] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 umount2("./3/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./3/file1") = 0 umount2("./3/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 getdents64(3, 0x55558a5126f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a511650) = 305 ./strace-static-x86_64: Process 305 attached [pid 305] set_robust_list(0x55558a511660, 24) = 0 [pid 305] chdir("./4") = 0 [pid 305] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 305] setpgid(0, 0) = 0 [pid 305] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 305] write(3, "1000", 4) = 4 [pid 305] close(3) = 0 [pid 305] symlink("/dev/binderfs", "./binderfs") = 0 [pid 305] write(1, "executing program\n", 18executing program ) = 18 [pid 305] memfd_create("syzkaller", 0) = 3 [pid 305] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 305] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 305] munmap(0x7f28ea43d000, 138412032) = 0 [pid 305] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 305] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 305] close(3) = 0 [pid 305] close(4) = 0 [pid 305] mkdir("./file1", 0777) = 0 [pid 305] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 305] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 305] chdir("./file1") = 0 [pid 305] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 305] ioctl(4, LOOP_CLR_FD) = 0 [pid 305] close(4) = 0 [pid 305] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 26.287046][ T290] EXT4-fs (loop0): unmounting filesystem. [ 26.310034][ T305] loop0: detected capacity change from 0 to 1024 [ 26.325968][ T305] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [pid 305] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 305] ftruncate(4, 7) = 0 [pid 305] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 305] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 305] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 305] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 305] exit_group(0) = ? [pid 305] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=305, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./4", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./4/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./4/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./4/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./4/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./4/file1/lost+found") = 0 umount2("./4/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./4/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./4/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file0/file0") = 0 umount2("./4/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./4/file1/file0") = 0 umount2("./4/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file1") = 0 umount2("./4/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file2") = 0 umount2("./4/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file3") = 0 umount2("./4/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/file.cold") = 0 umount2("./4/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 26.344835][ T305] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [ 26.359745][ T305] EXT4-fs (loop0): pa ffff8881244d8930: logic 256, phys. 385, len 8 [ 26.368046][ T305] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 [ 26.395904][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 1121070427392, count = 16 [ 26.410892][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 1121070426627, count = 772 [ 26.425907][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 1121070426624, count = 16 [ 26.441238][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 6296506030080, count = 16 [ 26.456532][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 6296506009100, count = 20995 [ 26.471817][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 6296506009088, count = 16 [ 26.486920][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 1121070428672, count = 16 [ 26.501837][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 1121070427907, count = 772 unlink("./4/file1/memory.stat") = 0 umount2("./4/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./4/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/file1/bus") = 0 getdents64(4, 0x55558a51a730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./4/file1") = -1 EBUSY (Device or resource busy) umount2("./4/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./4/file1") = 0 umount2("./4/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/binderfs") = 0 getdents64(3, 0x55558a5126f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./4") = 0 mkdir("./5", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a511650) = 308 ./strace-static-x86_64: Process 308 attached [pid 308] set_robust_list(0x55558a511660, 24) = 0 [pid 308] chdir("./5") = 0 [pid 308] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 308] setpgid(0, 0) = 0 [pid 308] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 308] write(3, "1000", 4) = 4 [pid 308] close(3) = 0 [pid 308] symlink("/dev/binderfs", "./binderfs") = 0 [pid 308] write(1, "executing program\n", 18executing program ) = 18 [pid 308] memfd_create("syzkaller", 0) = 3 [pid 308] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 308] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 308] munmap(0x7f28ea43d000, 138412032) = 0 [pid 308] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 308] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 308] close(3) = 0 [pid 308] close(4) = 0 [pid 308] mkdir("./file1", 0777) = 0 [ 26.764891][ T290] EXT4-fs (loop0): unmounting filesystem. [ 26.796045][ T308] loop0: detected capacity change from 0 to 1024 [pid 308] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 308] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 308] chdir("./file1") = 0 [pid 308] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 308] ioctl(4, LOOP_CLR_FD) = 0 [pid 308] close(4) = 0 [pid 308] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 26.816324][ T308] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 26.836327][ T308] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [ 26.851389][ T308] EXT4-fs (loop0): pa ffff88812449e1f8: logic 256, phys. 385, len 8 [pid 308] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 308] ftruncate(4, 7) = 0 [pid 308] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 308] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 308] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 308] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 308] exit_group(0) = ? [pid 308] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=308, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./5", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./5/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./5/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./5/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./5/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./5/file1/lost+found") = 0 umount2("./5/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./5/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./5/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./5/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file0/file0") = 0 umount2("./5/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./5/file1/file0") = 0 umount2("./5/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file1") = 0 umount2("./5/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file2") = 0 umount2("./5/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file3") = 0 umount2("./5/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/file.cold") = 0 umount2("./5/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/memory.stat") = 0 umount2("./5/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./5/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/file1/bus") = 0 getdents64(4, 0x55558a51a730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./5/file1") = -1 EBUSY (Device or resource busy) [ 26.859515][ T308] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 umount2("./5/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./5/file1") = 0 umount2("./5/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./5/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./5/binderfs") = 0 getdents64(3, 0x55558a5126f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./5") = 0 mkdir("./6", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3executing program ) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a511650) = 312 ./strace-static-x86_64: Process 312 attached [pid 312] set_robust_list(0x55558a511660, 24) = 0 [pid 312] chdir("./6") = 0 [pid 312] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 312] setpgid(0, 0) = 0 [pid 312] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 312] write(3, "1000", 4) = 4 [pid 312] close(3) = 0 [pid 312] symlink("/dev/binderfs", "./binderfs") = 0 [pid 312] write(1, "executing program\n", 18) = 18 [pid 312] memfd_create("syzkaller", 0) = 3 [pid 312] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 312] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 312] munmap(0x7f28ea43d000, 138412032) = 0 [pid 312] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 312] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 312] close(3) = 0 [pid 312] close(4) = 0 [pid 312] mkdir("./file1", 0777) = 0 [pid 312] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 312] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 312] chdir("./file1") = 0 [pid 312] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 312] ioctl(4, LOOP_CLR_FD) = 0 [pid 312] close(4) = 0 [pid 312] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 26.890581][ T290] EXT4-fs (loop0): unmounting filesystem. [ 26.912087][ T312] loop0: detected capacity change from 0 to 1024 [ 26.925930][ T312] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [pid 312] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 312] ftruncate(4, 7) = 0 [pid 312] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 312] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 312] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 312] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 312] exit_group(0) = ? [pid 312] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=312, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./6", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./6/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./6/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./6/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./6/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./6/file1/lost+found") = 0 umount2("./6/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./6/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./6/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./6/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file0/file0") = 0 umount2("./6/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./6/file1/file0") = 0 umount2("./6/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file1") = 0 umount2("./6/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file2") = 0 umount2("./6/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file3") = 0 umount2("./6/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/file.cold") = 0 umount2("./6/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/memory.stat") = 0 umount2("./6/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./6/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/file1/bus") = 0 getdents64(4, 0x55558a51a730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./6/file1") = -1 EBUSY (Device or resource busy) [ 26.945785][ T312] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [ 26.960372][ T312] EXT4-fs (loop0): pa ffff88812472d0a8: logic 256, phys. 385, len 8 [ 26.968501][ T312] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 umount2("./6/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./6/file1") = 0 umount2("./6/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./6/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./6/binderfs") = 0 getdents64(3, 0x55558a5126f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./6") = 0 mkdir("./7", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a511650) = 315 ./strace-static-x86_64: Process 315 attached [pid 315] set_robust_list(0x55558a511660, 24) = 0 [pid 315] chdir("./7") = 0 [pid 315] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 315] setpgid(0, 0) = 0 [pid 315] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 315] write(3, "1000", 4) = 4 [pid 315] close(3) = 0 [pid 315] symlink("/dev/binderfs", "./binderfs") = 0 [pid 315] write(1, "executing program\n", 18executing program ) = 18 [pid 315] memfd_create("syzkaller", 0) = 3 [pid 315] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 315] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 315] munmap(0x7f28ea43d000, 138412032) = 0 [pid 315] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [ 26.994783][ T290] EXT4-fs (loop0): unmounting filesystem. [pid 315] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 315] close(3) = 0 [pid 315] close(4) = 0 [pid 315] mkdir("./file1", 0777) = 0 [pid 315] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 315] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 315] chdir("./file1") = 0 [pid 315] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 315] ioctl(4, LOOP_CLR_FD) = 0 [pid 315] close(4) = 0 [pid 315] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 27.018027][ T315] loop0: detected capacity change from 0 to 1024 [ 27.035677][ T315] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [pid 315] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 315] ftruncate(4, 7) = 0 [pid 315] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 315] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 315] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 315] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 315] exit_group(0) = ? [pid 315] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=315, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./7", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./7/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./7/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./7/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./7/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./7/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./7/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./7/file1/lost+found") = 0 umount2("./7/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./7/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./7/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./7/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/file1/file0/file0") = 0 umount2("./7/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./7/file1/file0") = 0 umount2("./7/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/file1/file1") = 0 umount2("./7/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/file1/file2") = 0 umount2("./7/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/file1/file3") = 0 umount2("./7/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/file1/file.cold") = 0 umount2("./7/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 27.055411][ T315] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [ 27.070058][ T315] EXT4-fs (loop0): pa ffff88812449e150: logic 256, phys. 385, len 8 [ 27.078173][ T315] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 [ 27.108550][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 115750969595360, count = 16 [ 27.124103][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 115750969565550, count = 29811 [ 27.139593][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 115750969565536, count = 16 [ 27.155064][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 435390827168, count = 16 [ 27.169776][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 435390797381, count = 29793 [ 27.184961][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 435390797376, count = 16 [ 27.199952][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 75176748627888, count = 16 [ 27.214928][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 75176748607337, count = 20566 unlink("./7/file1/memory.stat") = 0 umount2("./7/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./7/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/file1/bus") = 0 getdents64(4, 0x55558a51a730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./7/file1") = -1 EBUSY (Device or resource busy) umount2("./7/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./7/file1") = 0 umount2("./7/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./7/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./7/binderfs") = 0 getdents64(3, 0x55558a5126f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./7") = 0 mkdir("./8", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a511650) = 318 ./strace-static-x86_64: Process 318 attached [pid 318] set_robust_list(0x55558a511660, 24) = 0 [pid 318] chdir("./8") = 0 [pid 318] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 318] setpgid(0, 0) = 0 [pid 318] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 318] write(3, "1000", 4) = 4 [pid 318] close(3) = 0 [pid 318] symlink("/dev/binderfs", "./binderfs") = 0 [pid 318] write(1, "executing program\n", 18executing program ) = 18 [pid 318] memfd_create("syzkaller", 0) = 3 [pid 318] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 318] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 318] munmap(0x7f28ea43d000, 138412032) = 0 [pid 318] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 318] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 318] close(3) = 0 [pid 318] close(4) = 0 [pid 318] mkdir("./file1", 0777) = 0 [pid 318] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 318] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 318] chdir("./file1") = 0 [pid 318] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 318] ioctl(4, LOOP_CLR_FD) = 0 [pid 318] close(4) = 0 [pid 318] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 27.349809][ T290] EXT4-fs (loop0): unmounting filesystem. [ 27.373195][ T318] loop0: detected capacity change from 0 to 1024 [ 27.385912][ T318] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [pid 318] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 318] ftruncate(4, 7) = 0 [pid 318] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 318] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 318] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 318] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 318] exit_group(0) = ? [pid 318] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=318, si_uid=0, si_status=0, si_utime=0, si_stime=4} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./8", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./8/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./8/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./8/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./8/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./8/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./8/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./8/file1/lost+found") = 0 umount2("./8/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./8/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./8/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./8/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/file1/file0/file0") = 0 umount2("./8/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./8/file1/file0") = 0 umount2("./8/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/file1/file1") = 0 umount2("./8/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/file1/file2") = 0 umount2("./8/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/file1/file3") = 0 umount2("./8/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/file1/file.cold") = 0 umount2("./8/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 27.405398][ T318] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [ 27.420176][ T318] EXT4-fs (loop0): pa ffff8881247190a8: logic 256, phys. 385, len 8 [ 27.428228][ T318] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 [ 27.457253][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 2564649124240, count = 16 [ 27.472281][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 2564649123955, count = 290 [ 27.487294][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 3846, count = 0 [ 27.501230][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 3840, count = 16 [ 27.515318][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 52781440325632, count = 16 [ 27.530247][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 52781440303104, count = 22529 [ 27.545472][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 175934745372720, count = 16 [ 27.560593][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 175934745370346, count = 2386 unlink("./8/file1/memory.stat") = 0 umount2("./8/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./8/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/file1/bus") = 0 getdents64(4, 0x55558a51a730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./8/file1") = -1 EBUSY (Device or resource busy) umount2("./8/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./8/file1") = 0 umount2("./8/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./8/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./8/binderfs") = 0 getdents64(3, 0x55558a5126f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./8") = 0 mkdir("./9", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a511650) = 321 ./strace-static-x86_64: Process 321 attached [pid 321] set_robust_list(0x55558a511660, 24) = 0 [pid 321] chdir("./9") = 0 [pid 321] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 321] setpgid(0, 0) = 0 executing program [pid 321] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 321] write(3, "1000", 4) = 4 [pid 321] close(3) = 0 [pid 321] symlink("/dev/binderfs", "./binderfs") = 0 [pid 321] write(1, "executing program\n", 18) = 18 [pid 321] memfd_create("syzkaller", 0) = 3 [pid 321] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 321] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 321] munmap(0x7f28ea43d000, 138412032) = 0 [pid 321] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 321] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 321] close(3) = 0 [pid 321] close(4) = 0 [pid 321] mkdir("./file1", 0777) = 0 [pid 321] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 321] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 321] chdir("./file1") = 0 [pid 321] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 321] ioctl(4, LOOP_CLR_FD) = 0 [pid 321] close(4) = 0 [pid 321] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 27.678114][ T290] EXT4-fs (loop0): unmounting filesystem. [ 27.699188][ T321] loop0: detected capacity change from 0 to 1024 [ 27.715751][ T321] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [pid 321] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 321] ftruncate(4, 7) = 0 [pid 321] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 321] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 321] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 321] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 321] exit_group(0) = ? [pid 321] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=321, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./9", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./9/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./9/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./9/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./9/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./9/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./9/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./9/file1/lost+found") = 0 umount2("./9/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./9/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./9/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./9/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/file1/file0/file0") = 0 umount2("./9/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./9/file1/file0") = 0 umount2("./9/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/file1/file1") = 0 umount2("./9/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/file1/file2") = 0 umount2("./9/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/file1/file3") = 0 umount2("./9/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/file1/file.cold") = 0 umount2("./9/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 27.736991][ T321] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [ 27.751688][ T321] EXT4-fs (loop0): pa ffff8881247192a0: logic 256, phys. 385, len 8 [ 27.759753][ T321] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 [ 27.788468][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 145199959378768, count = 16 [ 27.803702][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 145199959377500, count = 1272 [ 27.818939][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 145199959377488, count = 16 [ 27.834075][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 144318559300976, count = 16 [ 27.849292][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 144318559289343, count = 11636 [ 27.864601][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 144318559289328, count = 16 [ 27.880057][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 1408828379520, count = 16 [ 27.895246][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 1408828379072, count = 453 unlink("./9/file1/memory.stat") = 0 umount2("./9/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./9/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/file1/bus") = 0 getdents64(4, 0x55558a51a730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./9/file1") = -1 EBUSY (Device or resource busy) umount2("./9/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./9/file1") = 0 umount2("./9/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./9/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./9/binderfs") = 0 getdents64(3, 0x55558a5126f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./9") = 0 mkdir("./10", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a511650) = 324 ./strace-static-x86_64: Process 324 attached [pid 324] set_robust_list(0x55558a511660, 24) = 0 [pid 324] chdir("./10") = 0 [pid 324] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 324] setpgid(0, 0) = 0 [pid 324] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 324] write(3, "1000", 4) = 4 [pid 324] close(3) = 0 [pid 324] symlink("/dev/binderfs", "./binderfs") = 0 [pid 324] write(1, "executing program\n", 18executing program ) = 18 [pid 324] memfd_create("syzkaller", 0) = 3 [pid 324] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 324] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 324] munmap(0x7f28ea43d000, 138412032) = 0 [pid 324] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 324] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 324] close(3) = 0 [pid 324] close(4) = 0 [pid 324] mkdir("./file1", 0777) = 0 [ 28.520171][ T290] EXT4-fs (loop0): unmounting filesystem. [ 28.548105][ T324] loop0: detected capacity change from 0 to 1024 [pid 324] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 324] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 324] chdir("./file1") = 0 [pid 324] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 324] ioctl(4, LOOP_CLR_FD) = 0 [pid 324] close(4) = 0 [pid 324] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [pid 324] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 324] ftruncate(4, 7) = 0 [pid 324] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 324] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 324] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 324] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 324] exit_group(0) = ? [pid 324] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=324, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./10", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./10/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./10/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./10/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./10/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./10/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./10/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./10/file1/lost+found") = 0 umount2("./10/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./10/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./10/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./10/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/file1/file0/file0") = 0 umount2("./10/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./10/file1/file0") = 0 umount2("./10/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/file1/file1") = 0 umount2("./10/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/file1/file2") = 0 umount2("./10/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/file1/file3") = 0 umount2("./10/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/file1/file.cold") = 0 umount2("./10/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/file1/memory.stat") = 0 umount2("./10/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 umount2("./10/file1/bus", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/file1/bus", {st_mode=S_IFREG|000, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/file1/bus") = 0 getdents64(4, 0x55558a51a730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("./10/file1") = -1 EBUSY (Device or resource busy) [ 28.566192][ T324] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 28.586547][ T324] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [ 28.601390][ T324] EXT4-fs (loop0): pa ffff888124719888: logic 256, phys. 385, len 8 [ 28.609738][ T324] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 umount2("./10/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = 0 rmdir("./10/file1") = 0 umount2("./10/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./10/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./10/binderfs") = 0 getdents64(3, 0x55558a5126f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./10") = 0 mkdir("./11", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55558a511650) = 327 ./strace-static-x86_64: Process 327 attached [pid 327] set_robust_list(0x55558a511660, 24) = 0 [pid 327] chdir("./11") = 0 [pid 327] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 327] setpgid(0, 0) = 0 [pid 327] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 327] write(3, "1000", 4) = 4 [pid 327] close(3) = 0 [pid 327] symlink("/dev/binderfs", "./binderfs") = 0 [pid 327] write(1, "executing program\n", 18executing program ) = 18 [pid 327] memfd_create("syzkaller", 0) = 3 [pid 327] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f28ea43d000 [pid 327] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 524288) = 524288 [pid 327] munmap(0x7f28ea43d000, 138412032) = 0 [pid 327] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 327] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 327] close(3) = 0 [pid 327] close(4) = 0 [pid 327] mkdir("./file1", 0777) = 0 [pid 327] mount("/dev/loop0", "./file1", "ext4", MS_NODEV|MS_NOEXEC|MS_MANDLOCK|MS_STRICTATIME, ",errors=continue") = 0 [pid 327] openat(AT_FDCWD, "./file1", O_RDONLY|O_DIRECTORY) = 3 [pid 327] chdir("./file1") = 0 [pid 327] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 327] ioctl(4, LOOP_CLR_FD) = 0 [pid 327] close(4) = 0 [pid 327] openat(AT_FDCWD, "memory.stat", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 4 [ 28.640774][ T290] EXT4-fs (loop0): unmounting filesystem. [ 28.663623][ T327] loop0: detected capacity change from 0 to 1024 [ 28.676573][ T327] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [pid 327] write(4, "\x23\x21\x20\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 34136651) = 376832 [pid 327] ftruncate(4, 7) = 0 [pid 327] open("./bus", O_RDWR|O_CREAT|O_SYNC|O_DIRECT|O_NOATIME|0x3c, 000) = 5 [pid 327] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 327] openat(AT_FDCWD, "./file1", O_RDWR|O_CREAT, 000) = 6 [pid 327] fallocate(6, 0, 0, 134220898) = -1 ENOSPC (No space left on device) [pid 327] exit_group(0) = ? [pid 327] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=327, si_uid=0, si_status=0, si_utime=0, si_stime=5} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./11", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55558a5126f0 /* 4 entries */, 32768) = 112 umount2("./11/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./11/file1", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./11/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./11/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x55558a51a730 /* 10 entries */, 32768) = 296 umount2("./11/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file1/lost+found", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./11/file1/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11/file1/lost+found", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=11264, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./11/file1/lost+found") = 0 umount2("./11/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file1/file0", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./11/file1/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./11/file1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0755, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55558a522770 /* 4 entries */, 32768) = 112 umount2("./11/file1/file0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file1/file0/file0", {st_mode=S_IFREG|0755, st_size=1050, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./11/file1/file0/file0") = 0 umount2("./11/file1/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file1/file0/file1", {st_mode=S_IFLNK|0777, st_size=39, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./11/file1/file0/file1") = 0 getdents64(5, 0x55558a522770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./11/file1/file0") = 0 umount2("./11/file1/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file1/file1", {st_mode=S_IFREG|0755, st_size=360448, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./11/file1/file1") = 0 umount2("./11/file1/file2", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file1/file2", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./11/file1/file2") = 0 umount2("./11/file1/file3", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file1/file3", {st_mode=S_IFREG|0755, st_size=9000, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./11/file1/file3") = 0 umount2("./11/file1/file.cold", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file1/file.cold", {st_mode=S_IFREG|0755, st_size=100, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./11/file1/file.cold") = 0 umount2("./11/file1/memory.stat", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./11/file1/memory.stat", {st_mode=S_IFREG|000, st_size=7, ...}, AT_SYMLINK_NOFOLLOW) = 0 [ 28.696305][ T327] EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:3841: comm syz-executor345: Allocating blocks 497-513 which overlap fs metadata [ 28.710920][ T327] EXT4-fs (loop0): pa ffff888124719540: logic 256, phys. 385, len 8 [ 28.718937][ T327] EXT4-fs error (device loop0): ext4_mb_release_inode_pa:4881: group 0, free 0, pa_free 1 [ 28.746818][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 1657912335, count = 0 [ 28.762007][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 1657912320, count = 16 [ 28.777394][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 259287954137760, count = 16 [ 28.792871][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 259287954122388, count = 15375 [ 28.808234][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 259287954122384, count = 16 [ 28.823716][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 213871852398880, count = 19969 [ 28.839038][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 213871852398880, count = 16 [ 28.854046][ T290] EXT4-fs error (device loop0): ext4_free_blocks:6210: comm syz-executor345: Freeing blocks not in datazone - block = 16930761109760, count = 16 unlink("./11/file1/memory.stat") = 0 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} --- +++ killed by SIGSEGV +++