./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor746976078
<...>
[ 62.218885][ T26] audit: type=1400 audit(1686411863.017:80): avc: denied { rlimitinh } for pid=4839 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 62.238768][ T26] audit: type=1400 audit(1686411863.017:81): avc: denied { siginh } for pid=4839 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 63.193565][ T26] audit: type=1400 audit(1686411864.057:82): avc: denied { read } for pid=4427 comm="syslogd" name="log" dev="sda1" ino=1915 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
Warning: Permanently added '10.128.1.105' (ECDSA) to the list of known hosts.
execve("./syz-executor746976078", ["./syz-executor746976078"], 0x7ffccc479ac0 /* 10 vars */) = 0
brk(NULL) = 0x555555d42000
brk(0x555555d42c40) = 0x555555d42c40
arch_prctl(ARCH_SET_FS, 0x555555d42300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor746976078", 4096) = 27
brk(0x555555d63c40) = 0x555555d63c40
brk(0x555555d64000) = 0x555555d64000
mprotect(0x7fa4b0ec5000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
[ 81.999022][ T26] audit: type=1400 audit(1686411882.857:83): avc: denied { write } for pid=4989 comm="strace-static-x" path="pipe:[30086]" dev="pipefs" ino=30086 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
getpid() = 4992
mkdir("./syzkaller.U21miF", 0700) = 0
chmod("./syzkaller.U21miF", 0777) = 0
chdir("./syzkaller.U21miF") = 0
mkdir("./0", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
[ 82.050100][ T26] audit: type=1400 audit(1686411882.907:84): avc: denied { execmem } for pid=4992 comm="syz-executor746" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d425d0) = 4993
./strace-static-x86_64: Process 4993 attached
[pid 4993] chdir("./0") = 0
[pid 4993] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 4993] setpgid(0, 0) = 0
[pid 4993] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 4993] write(3, "1000", 4) = 4
[pid 4993] close(3) = 0
[pid 4993] symlink("/dev/binderfs", "./binderfs") = 0
[ 82.078105][ T26] audit: type=1400 audit(1686411882.937:85): avc: denied { read write } for pid=4992 comm="syz-executor746" name="loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[pid 4993] memfd_create("syzkaller", 0) = 3
[pid 4993] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa4a8a04000
[ 82.121189][ T4993] memfd_create() without MFD_EXEC nor MFD_NOEXEC_SEAL, pid=4993 'syz-executor746'
[ 82.122000][ T26] audit: type=1400 audit(1686411882.937:86): avc: denied { open } for pid=4992 comm="syz-executor746" path="/dev/loop0" dev="devtmpfs" ino=648 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 82.157699][ T26] audit: type=1400 audit(1686411882.937:87): avc: denied { ioctl } for pid=4992 comm="syz-executor746" path="/dev/loop0" dev="devtmpfs" ino=648 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1
[ 82.185608][ T26] audit: type=1400 audit(1686411883.017:88): avc: denied { append } for pid=4427 comm="syslogd" name="messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 82.208658][ T26] audit: type=1400 audit(1686411883.017:89): avc: denied { open } for pid=4427 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[ 82.231465][ T26] audit: type=1400 audit(1686411883.017:90): avc: denied { getattr } for pid=4427 comm="syslogd" path="/tmp/messages" dev="tmpfs" ino=3 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=file permissive=1
[pid 4993] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216
[pid 4993] munmap(0x7fa4a8a04000, 16777216) = 0
[pid 4993] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 4993] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 4993] close(3) = 0
[pid 4993] mkdir("./file0", 0777) = 0
[ 82.440415][ T4993] loop0: detected capacity change from 0 to 32768
[ 82.461509][ T26] audit: type=1400 audit(1686411883.317:91): avc: denied { mounton } for pid=4993 comm="syz-executor746" path="/root/syzkaller.U21miF/0/file0" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 82.468444][ T4993] BTRFS: device fsid e417788f-7a09-42b2-9266-8ddc5d5d35d2 devid 1 transid 8 /dev/loop0 scanned by syz-executor746 (4993)
[ 82.507769][ T4993] BTRFS info (device loop0): using xxhash64 (xxhash64-generic) checksum algorithm
[ 82.517336][ T4993] BTRFS info (device loop0): doing ref verification
[ 82.524032][ T4993] BTRFS info (device loop0): setting nodatasum
[ 82.530269][ T4993] BTRFS info (device loop0): max_inline at 0
[pid 4993] mount("/dev/loop0", "./file0", "btrfs", MS_SYNCHRONOUS|MS_STRICTATIME, "datacow,ref_verify,nodatasum,max_inline=%m-3,noautodefrag,ssd,") = 0
[pid 4993] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[ 82.536361][ T4993] BTRFS info (device loop0): enabling ssd optimizations
[ 82.543363][ T4993] BTRFS info (device loop0): using free space tree
[ 82.568979][ T4993] BTRFS info (device loop0): auto enabling async discard
[pid 4993] chdir("./file0") = 0
[pid 4993] ioctl(4, LOOP_CLR_FD) = 0
[pid 4993] close(4) = 0
[pid 4993] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4
[pid 4993] write(4, "44", 2) = 2
[pid 4993] openat(AT_FDCWD, "memory.events", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5
[pid 4993] exit_group(0) = ?
[pid 4993] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4993, si_uid=0, si_status=0, si_utime=6 /* 0.06 s */, si_stime=29 /* 0.29 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x555555d43620 /* 4 entries */, 32768) = 112
umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./0/binderfs") = 0
[ 82.582656][ T26] audit: type=1400 audit(1686411883.437:92): avc: denied { mount } for pid=4993 comm="syz-executor746" name="/" dev="loop0" ino=256 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./0/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./0/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x555555d4b660 /* 2 entries */, 32768) = 48
getdents64(4, 0x555555d4b660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./0/file0") = 0
getdents64(3, 0x555555d43620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./0") = 0
mkdir("./1", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d425d0) = 5024
./strace-static-x86_64: Process 5024 attached
[pid 5024] chdir("./1") = 0
[pid 5024] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5024] setpgid(0, 0) = 0
[pid 5024] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5024] write(3, "1000", 4) = 4
[pid 5024] close(3) = 0
[pid 5024] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5024] memfd_create("syzkaller", 0) = 3
[pid 5024] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa4a8a04000
[pid 5024] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216
[pid 5024] munmap(0x7fa4a8a04000, 16777216) = 0
[pid 5024] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5024] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5024] close(3) = 0
[pid 5024] mkdir("./file0", 0777) = 0
[ 83.157336][ T5024] loop0: detected capacity change from 0 to 32768
[ 83.169700][ T5024] BTRFS: device fsid e417788f-7a09-42b2-9266-8ddc5d5d35d2 devid 1 transid 8 /dev/loop0 scanned by syz-executor746 (5024)
[ 83.186513][ T5024] BTRFS info (device loop0): using xxhash64 (xxhash64-generic) checksum algorithm
[ 83.195939][ T5024] BTRFS info (device loop0): doing ref verification
[pid 5024] mount("/dev/loop0", "./file0", "btrfs", MS_SYNCHRONOUS|MS_STRICTATIME, "datacow,ref_verify,nodatasum,max_inline=%m-3,noautodefrag,ssd,") = 0
[pid 5024] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5024] chdir("./file0") = 0
[pid 5024] ioctl(4, LOOP_CLR_FD) = 0
[pid 5024] close(4) = 0
[pid 5024] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4
[pid 5024] write(4, "44", 2) = 2
[ 83.202580][ T5024] BTRFS info (device loop0): setting nodatasum
[ 83.209040][ T5024] BTRFS info (device loop0): max_inline at 0
[ 83.215166][ T5024] BTRFS info (device loop0): enabling ssd optimizations
[ 83.222138][ T5024] BTRFS info (device loop0): using free space tree
[ 83.243576][ T5024] BTRFS info (device loop0): auto enabling async discard
[ 83.269510][ T5024] FAULT_INJECTION: forcing a failure.
[ 83.269510][ T5024] name failslab, interval 1, probability 0, space 0, times 1
[ 83.282722][ T5024] CPU: 0 PID: 5024 Comm: syz-executor746 Not tainted 6.4.0-rc5-syzkaller-00245-g64569520920a #0
[ 83.293207][ T5024] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 83.303317][ T5024] Call Trace:
[ 83.306657][ T5024]
[ 83.309640][ T5024] dump_stack_lvl+0x136/0x150
[ 83.314488][ T5024] should_fail_ex+0x4a3/0x5b0
[ 83.319240][ T5024] should_failslab+0x9/0x20
[ 83.323803][ T5024] __kmem_cache_alloc_node+0x5b/0x3f0
[ 83.329208][ T5024] kmalloc_trace+0x26/0xe0
[ 83.333664][ T5024] btrfs_ref_tree_mod+0x28f/0x1b30
[ 83.338814][ T5024] ? kmem_cache_alloc+0x34b/0x3f0
[ 83.343893][ T5024] btrfs_alloc_tree_block+0xe2d/0x1490
[ 83.349389][ T5024] ? btrfs_alloc_logged_file_extent+0x600/0x600
[ 83.355698][ T5024] ? btrfs_comp_cpu_keys+0x26b/0x300
[ 83.361031][ T5024] __btrfs_cow_block+0x3b2/0x1690
[ 83.366099][ T5024] ? update_ref_for_cow+0xb50/0xb50
[ 83.371343][ T5024] ? btrfs_qgroup_add_swapped_blocks+0x980/0x980
[ 83.377708][ T5024] btrfs_cow_block+0x2fa/0x820
[ 83.382521][ T5024] btrfs_search_slot+0x11c6/0x2da0
[ 83.387663][ T5024] ? split_leaf+0x13e0/0x13e0
[ 83.392368][ T5024] ? find_held_lock+0x2d/0x110
[ 83.397170][ T5024] ? btrfs_create_new_inode+0x70f/0x2800
[ 83.402839][ T5024] ? lock_downgrade+0x690/0x690
[ 83.407730][ T5024] ? do_raw_spin_lock+0x124/0x2b0
[ 83.412800][ T5024] ? spin_bug+0x1c0/0x1c0
[ 83.417170][ T5024] btrfs_insert_empty_items+0xbd/0x1c0
[ 83.422655][ T5024] ? do_raw_spin_unlock+0x175/0x230
[ 83.427897][ T5024] btrfs_create_new_inode+0x851/0x2800
[ 83.433433][ T5024] ? btrfs_link+0x7f0/0x7f0
[ 83.437963][ T5024] ? record_root_in_trans+0x2f7/0x3e0
[ 83.443419][ T5024] btrfs_create_common+0x1d4/0x260
[ 83.448566][ T5024] ? btrfs_tmpfile+0x420/0x420
[ 83.453366][ T5024] ? inode_init_owner+0x2d6/0x3d0
[ 83.458432][ T5024] btrfs_create+0x116/0x160
[ 83.462969][ T5024] ? btrfs_mkdir+0x100/0x100
[ 83.467592][ T5024] lookup_open.isra.0+0x105a/0x1400
[ 83.472827][ T5024] ? link_path_walk.part.0+0xd60/0xd60
[ 83.478332][ T5024] ? rwsem_down_write_slowpath+0x1220/0x1220
[ 83.484360][ T5024] ? __mnt_want_write+0x1fe/0x2e0
[ 83.489427][ T5024] path_openat+0x975/0x2750
[ 83.493975][ T5024] ? path_lookupat+0x840/0x840
[ 83.498779][ T5024] ? find_held_lock+0x2d/0x110
[ 83.503573][ T5024] do_filp_open+0x1ba/0x410
[ 83.508114][ T5024] ? may_open_dev+0xf0/0xf0
[ 83.512653][ T5024] ? find_held_lock+0x2d/0x110
[ 83.517449][ T5024] ? do_raw_spin_lock+0x124/0x2b0
[ 83.522514][ T5024] ? spin_bug+0x1c0/0x1c0
[ 83.526882][ T5024] ? _raw_spin_unlock+0x28/0x40
[ 83.531770][ T5024] ? alloc_fd+0x2e4/0x750
[ 83.536128][ T5024] do_sys_openat2+0x16d/0x4c0
[ 83.540826][ T5024] ? ptrace_stop.part.0+0x60f/0x8e0
[ 83.546054][ T5024] ? build_open_flags+0x720/0x720
[ 83.551103][ T5024] ? ptrace_notify+0xfe/0x140
[ 83.555820][ T5024] ? lock_downgrade+0x690/0x690
[ 83.560707][ T5024] __x64_sys_openat+0x143/0x1f0
[ 83.565589][ T5024] ? __ia32_sys_open+0x1c0/0x1c0
[ 83.570551][ T5024] ? _raw_spin_unlock_irq+0x23/0x50
[ 83.575790][ T5024] ? lockdep_hardirqs_on+0x7d/0x100
[ 83.581027][ T5024] ? _raw_spin_unlock_irq+0x2e/0x50
[ 83.586266][ T5024] ? ptrace_notify+0xfe/0x140
[ 83.590973][ T5024] do_syscall_64+0x39/0xb0
[ 83.595418][ T5024] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 83.601357][ T5024] RIP: 0033:0x7fa4b0e51aa9
[ 83.605798][ T5024] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 83.625431][ T5024] RSP: 002b:00007ffd89067328 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 83.633878][ T5024] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fa4b0e51aa9
[ 83.641873][ T5024] RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
[ 83.649869][ T5024] RBP: 00007ffd89067350 R08: 0000000000000002 R09: 00007ffd89067360
[ 83.657866][ T5024] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[pid 5024] openat(AT_FDCWD, "memory.events", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5
[pid 5024] exit_group(0) = ?
[pid 5024] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5024, si_uid=0, si_status=0, si_utime=6 /* 0.06 s */, si_stime=29 /* 0.29 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x555555d43620 /* 4 entries */, 32768) = 112
umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./1/binderfs") = 0
[ 83.665858][ T5024] R13: 00007ffd89067390 R14: 00007ffd89067370 R15: 0000000000000001
[ 83.673857][ T5024]
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./1/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./1/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./1/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x555555d4b660 /* 2 entries */, 32768) = 48
getdents64(4, 0x555555d4b660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./1/file0") = 0
getdents64(3, 0x555555d43620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./1") = 0
mkdir("./2", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d425d0) = 5052
./strace-static-x86_64: Process 5052 attached
[pid 5052] chdir("./2") = 0
[pid 5052] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5052] setpgid(0, 0) = 0
[pid 5052] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5052] write(3, "1000", 4) = 4
[pid 5052] close(3) = 0
[pid 5052] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5052] memfd_create("syzkaller", 0) = 3
[pid 5052] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa4a8a04000
[pid 5052] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216
[pid 5052] munmap(0x7fa4a8a04000, 16777216) = 0
[pid 5052] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5052] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5052] close(3) = 0
[pid 5052] mkdir("./file0", 0777) = 0
[ 84.157449][ T5052] loop0: detected capacity change from 0 to 32768
[ 84.168721][ T5052] BTRFS: device fsid e417788f-7a09-42b2-9266-8ddc5d5d35d2 devid 1 transid 8 /dev/loop0 scanned by syz-executor746 (5052)
[ 84.185815][ T5052] BTRFS info (device loop0): using xxhash64 (xxhash64-generic) checksum algorithm
[ 84.195467][ T5052] BTRFS info (device loop0): doing ref verification
[pid 5052] mount("/dev/loop0", "./file0", "btrfs", MS_SYNCHRONOUS|MS_STRICTATIME, "datacow,ref_verify,nodatasum,max_inline=%m-3,noautodefrag,ssd,") = 0
[pid 5052] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5052] chdir("./file0") = 0
[pid 5052] ioctl(4, LOOP_CLR_FD) = 0
[pid 5052] close(4) = 0
[pid 5052] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4
[pid 5052] write(4, "44", 2) = 2
[ 84.202379][ T5052] BTRFS info (device loop0): setting nodatasum
[ 84.208724][ T5052] BTRFS info (device loop0): max_inline at 0
[ 84.214901][ T5052] BTRFS info (device loop0): enabling ssd optimizations
[ 84.221860][ T5052] BTRFS info (device loop0): using free space tree
[ 84.241609][ T5052] BTRFS info (device loop0): auto enabling async discard
[ 84.259714][ T5052] FAULT_INJECTION: forcing a failure.
[ 84.259714][ T5052] name failslab, interval 1, probability 0, space 0, times 0
[ 84.272923][ T5052] CPU: 0 PID: 5052 Comm: syz-executor746 Not tainted 6.4.0-rc5-syzkaller-00245-g64569520920a #0
[ 84.283399][ T5052] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 84.293506][ T5052] Call Trace:
[ 84.296829][ T5052]
[ 84.299799][ T5052] dump_stack_lvl+0x136/0x150
[ 84.304533][ T5052] should_fail_ex+0x4a3/0x5b0
[ 84.309460][ T5052] should_failslab+0x9/0x20
[ 84.314022][ T5052] __kmem_cache_alloc_node+0x5b/0x3f0
[ 84.319444][ T5052] kmalloc_trace+0x26/0xe0
[ 84.323914][ T5052] btrfs_ref_tree_mod+0x28f/0x1b30
[ 84.329083][ T5052] ? btrfs_alloc_tree_block+0x24f/0x1490
[ 84.334786][ T5052] btrfs_free_tree_block+0x23d/0xb40
[ 84.340120][ T5052] ? btrfs_finish_extent_commit+0x870/0x870
[ 84.346073][ T5052] ? btrfs_tree_mod_log_free_eb+0x2da/0x800
[ 84.352058][ T5052] ? btrfs_mark_buffer_dirty+0x17a/0x250
[ 84.357774][ T5052] __btrfs_cow_block+0xc53/0x1690
[ 84.362860][ T5052] ? update_ref_for_cow+0xb50/0xb50
[ 84.368099][ T5052] ? btrfs_qgroup_add_swapped_blocks+0x980/0x980
[ 84.374461][ T5052] btrfs_cow_block+0x2fa/0x820
[ 84.379261][ T5052] btrfs_search_slot+0x11c6/0x2da0
[ 84.384407][ T5052] ? split_leaf+0x13e0/0x13e0
[ 84.389102][ T5052] ? find_held_lock+0x2d/0x110
[ 84.393897][ T5052] ? btrfs_create_new_inode+0x70f/0x2800
[ 84.399559][ T5052] ? lock_downgrade+0x690/0x690
[ 84.404448][ T5052] ? do_raw_spin_lock+0x124/0x2b0
[ 84.409507][ T5052] ? spin_bug+0x1c0/0x1c0
[ 84.413875][ T5052] btrfs_insert_empty_items+0xbd/0x1c0
[ 84.419367][ T5052] ? do_raw_spin_unlock+0x175/0x230
[ 84.424601][ T5052] btrfs_create_new_inode+0x851/0x2800
[ 84.430104][ T5052] ? btrfs_link+0x7f0/0x7f0
[ 84.434642][ T5052] ? record_root_in_trans+0x2f7/0x3e0
[ 84.440062][ T5052] btrfs_create_common+0x1d4/0x260
[ 84.445206][ T5052] ? btrfs_tmpfile+0x420/0x420
[ 84.450000][ T5052] ? inode_init_owner+0x2d6/0x3d0
[ 84.455066][ T5052] btrfs_create+0x116/0x160
[ 84.459603][ T5052] ? btrfs_mkdir+0x100/0x100
[ 84.464230][ T5052] lookup_open.isra.0+0x105a/0x1400
[ 84.469469][ T5052] ? link_path_walk.part.0+0xd60/0xd60
[ 84.474968][ T5052] ? rwsem_down_write_slowpath+0x1220/0x1220
[ 84.480988][ T5052] ? __mnt_want_write+0x1fe/0x2e0
[ 84.486051][ T5052] path_openat+0x975/0x2750
[ 84.490597][ T5052] ? path_lookupat+0x840/0x840
[ 84.495400][ T5052] ? find_held_lock+0x2d/0x110
[ 84.500193][ T5052] do_filp_open+0x1ba/0x410
[ 84.504739][ T5052] ? may_open_dev+0xf0/0xf0
[ 84.509282][ T5052] ? find_held_lock+0x2d/0x110
[ 84.514072][ T5052] ? do_raw_spin_lock+0x124/0x2b0
[ 84.519141][ T5052] ? spin_bug+0x1c0/0x1c0
[ 84.523510][ T5052] ? _raw_spin_unlock+0x28/0x40
[ 84.528409][ T5052] ? alloc_fd+0x2e4/0x750
[ 84.532762][ T5052] do_sys_openat2+0x16d/0x4c0
[ 84.537465][ T5052] ? ptrace_stop.part.0+0x60f/0x8e0
[ 84.542691][ T5052] ? build_open_flags+0x720/0x720
[ 84.547744][ T5052] ? ptrace_notify+0xfe/0x140
[ 84.552449][ T5052] ? lock_downgrade+0x690/0x690
[ 84.557336][ T5052] __x64_sys_openat+0x143/0x1f0
[ 84.562213][ T5052] ? __ia32_sys_open+0x1c0/0x1c0
[ 84.567179][ T5052] ? _raw_spin_unlock_irq+0x23/0x50
[ 84.572415][ T5052] ? lockdep_hardirqs_on+0x7d/0x100
[ 84.577651][ T5052] ? _raw_spin_unlock_irq+0x2e/0x50
[ 84.582894][ T5052] ? ptrace_notify+0xfe/0x140
[ 84.587605][ T5052] do_syscall_64+0x39/0xb0
[ 84.592068][ T5052] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 84.598007][ T5052] RIP: 0033:0x7fa4b0e51aa9
[ 84.602442][ T5052] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 84.622076][ T5052] RSP: 002b:00007ffd89067328 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 84.630608][ T5052] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fa4b0e51aa9
[ 84.638604][ T5052] RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
[ 84.646600][ T5052] RBP: 00007ffd89067350 R08: 0000000000000002 R09: 00007ffd89067360
[pid 5052] openat(AT_FDCWD, "memory.events", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5
[pid 5052] exit_group(0) = ?
[pid 5052] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5052, si_uid=0, si_status=0, si_utime=1 /* 0.01 s */, si_stime=29 /* 0.29 s */} ---
umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x555555d43620 /* 4 entries */, 32768) = 112
umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./2/binderfs") = 0
[ 84.654595][ T5052] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[ 84.662587][ T5052] R13: 00007ffd89067390 R14: 00007ffd89067370 R15: 0000000000000002
[ 84.670593][ T5052]
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./2/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./2/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./2/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x555555d4b660 /* 2 entries */, 32768) = 48
getdents64(4, 0x555555d4b660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./2/file0") = 0
getdents64(3, 0x555555d43620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./2") = 0
mkdir("./3", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d425d0) = 5070
./strace-static-x86_64: Process 5070 attached
[pid 5070] chdir("./3") = 0
[pid 5070] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5070] setpgid(0, 0) = 0
[pid 5070] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5070] write(3, "1000", 4) = 4
[pid 5070] close(3) = 0
[pid 5070] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5070] memfd_create("syzkaller", 0) = 3
[pid 5070] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa4a8a04000
[pid 5070] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216
[pid 5070] munmap(0x7fa4a8a04000, 16777216) = 0
[pid 5070] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5070] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5070] close(3) = 0
[pid 5070] mkdir("./file0", 0777) = 0
[ 85.126810][ T5070] loop0: detected capacity change from 0 to 32768
[ 85.137572][ T5070] BTRFS: device fsid e417788f-7a09-42b2-9266-8ddc5d5d35d2 devid 1 transid 8 /dev/loop0 scanned by syz-executor746 (5070)
[ 85.152761][ T5070] BTRFS info (device loop0): using xxhash64 (xxhash64-generic) checksum algorithm
[ 85.162121][ T5070] BTRFS info (device loop0): doing ref verification
[ 85.168972][ T5070] BTRFS info (device loop0): setting nodatasum
[pid 5070] mount("/dev/loop0", "./file0", "btrfs", MS_SYNCHRONOUS|MS_STRICTATIME, "datacow,ref_verify,nodatasum,max_inline=%m-3,noautodefrag,ssd,") = 0
[pid 5070] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5070] chdir("./file0") = 0
[pid 5070] ioctl(4, LOOP_CLR_FD) = 0
[pid 5070] close(4) = 0
[pid 5070] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4
[pid 5070] write(4, "44", 2) = 2
[ 85.175462][ T5070] BTRFS info (device loop0): max_inline at 0
[ 85.181483][ T5070] BTRFS info (device loop0): enabling ssd optimizations
[ 85.188520][ T5070] BTRFS info (device loop0): using free space tree
[ 85.209493][ T5070] BTRFS info (device loop0): auto enabling async discard
[ 85.226979][ T5070] FAULT_INJECTION: forcing a failure.
[ 85.226979][ T5070] name failslab, interval 1, probability 0, space 0, times 0
[ 85.239794][ T5070] CPU: 0 PID: 5070 Comm: syz-executor746 Not tainted 6.4.0-rc5-syzkaller-00245-g64569520920a #0
[ 85.250261][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 85.260363][ T5070] Call Trace:
[ 85.263680][ T5070]
[ 85.266670][ T5070] dump_stack_lvl+0x136/0x150
[ 85.271404][ T5070] should_fail_ex+0x4a3/0x5b0
[ 85.276240][ T5070] should_failslab+0x9/0x20
[ 85.280811][ T5070] __kmem_cache_alloc_node+0x5b/0x3f0
[ 85.286242][ T5070] kmalloc_trace+0x26/0xe0
[ 85.290726][ T5070] btrfs_ref_tree_mod+0x28f/0x1b30
[ 85.295897][ T5070] ? btrfs_alloc_tree_block+0x24f/0x1490
[ 85.301602][ T5070] btrfs_free_tree_block+0x23d/0xb40
[ 85.306951][ T5070] ? btrfs_finish_extent_commit+0x870/0x870
[ 85.312912][ T5070] ? btrfs_tree_mod_log_free_eb+0x2da/0x800
[ 85.318879][ T5070] ? btrfs_mark_buffer_dirty+0x17a/0x250
[ 85.324582][ T5070] __btrfs_cow_block+0xc53/0x1690
[ 85.329681][ T5070] ? update_ref_for_cow+0xb50/0xb50
[ 85.334971][ T5070] ? btrfs_qgroup_add_swapped_blocks+0x980/0x980
[ 85.341364][ T5070] btrfs_cow_block+0x2fa/0x820
[ 85.346206][ T5070] btrfs_search_slot+0x11c6/0x2da0
[ 85.351369][ T5070] ? split_leaf+0x13e0/0x13e0
[ 85.356099][ T5070] ? find_held_lock+0x2d/0x110
[ 85.360924][ T5070] ? btrfs_create_new_inode+0x70f/0x2800
[ 85.366615][ T5070] ? lock_downgrade+0x690/0x690
[ 85.371527][ T5070] ? do_raw_spin_lock+0x124/0x2b0
[ 85.376619][ T5070] ? spin_bug+0x1c0/0x1c0
[ 85.381017][ T5070] btrfs_insert_empty_items+0xbd/0x1c0
[ 85.386534][ T5070] ? do_raw_spin_unlock+0x175/0x230
[ 85.391802][ T5070] btrfs_create_new_inode+0x851/0x2800
[ 85.397333][ T5070] ? btrfs_link+0x7f0/0x7f0
[ 85.401898][ T5070] ? record_root_in_trans+0x2f7/0x3e0
[ 85.407346][ T5070] btrfs_create_common+0x1d4/0x260
[ 85.412520][ T5070] ? btrfs_tmpfile+0x420/0x420
[ 85.417345][ T5070] ? inode_init_owner+0x2d6/0x3d0
[ 85.422438][ T5070] btrfs_create+0x116/0x160
[ 85.427011][ T5070] ? btrfs_mkdir+0x100/0x100
[ 85.431671][ T5070] lookup_open.isra.0+0x105a/0x1400
[ 85.436949][ T5070] ? link_path_walk.part.0+0xd60/0xd60
[ 85.442505][ T5070] ? rwsem_down_write_slowpath+0x1220/0x1220
[ 85.448567][ T5070] ? __mnt_want_write+0x1fe/0x2e0
[ 85.453660][ T5070] path_openat+0x975/0x2750
[ 85.458237][ T5070] ? path_lookupat+0x840/0x840
[ 85.463085][ T5070] ? find_held_lock+0x2d/0x110
[ 85.467911][ T5070] do_filp_open+0x1ba/0x410
[ 85.472491][ T5070] ? may_open_dev+0xf0/0xf0
[ 85.477066][ T5070] ? find_held_lock+0x2d/0x110
[ 85.481897][ T5070] ? do_raw_spin_lock+0x124/0x2b0
[ 85.487010][ T5070] ? spin_bug+0x1c0/0x1c0
[ 85.491411][ T5070] ? _raw_spin_unlock+0x28/0x40
[ 85.496360][ T5070] ? alloc_fd+0x2e4/0x750
[ 85.500752][ T5070] do_sys_openat2+0x16d/0x4c0
[ 85.505491][ T5070] ? ptrace_stop.part.0+0x60f/0x8e0
[ 85.510753][ T5070] ? build_open_flags+0x720/0x720
[ 85.515832][ T5070] ? ptrace_notify+0xfe/0x140
[ 85.520566][ T5070] ? lock_downgrade+0x690/0x690
[ 85.525500][ T5070] __x64_sys_openat+0x143/0x1f0
[ 85.530393][ T5070] ? __ia32_sys_open+0x1c0/0x1c0
[ 85.535361][ T5070] ? _raw_spin_unlock_irq+0x23/0x50
[ 85.540597][ T5070] ? lockdep_hardirqs_on+0x7d/0x100
[ 85.545826][ T5070] ? _raw_spin_unlock_irq+0x2e/0x50
[ 85.551061][ T5070] ? ptrace_notify+0xfe/0x140
[ 85.555780][ T5070] do_syscall_64+0x39/0xb0
[ 85.560223][ T5070] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 85.566171][ T5070] RIP: 0033:0x7fa4b0e51aa9
[ 85.570607][ T5070] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 85.590242][ T5070] RSP: 002b:00007ffd89067328 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 85.598685][ T5070] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fa4b0e51aa9
[ 85.606689][ T5070] RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
[ 85.614694][ T5070] RBP: 00007ffd89067350 R08: 0000000000000002 R09: 00007ffd89067360
[pid 5070] openat(AT_FDCWD, "memory.events", O_RDWR|O_CREAT|O_NOCTTY|O_TRUNC|O_APPEND|FASYNC|0x18, 000) = 5
[pid 5070] exit_group(0) = ?
[pid 5070] +++ exited with 0 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5070, si_uid=0, si_status=0, si_utime=5 /* 0.05 s */, si_stime=28 /* 0.28 s */} ---
restart_syscall(<... resuming interrupted clone ...>) = 0
umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(3, 0x555555d43620 /* 4 entries */, 32768) = 112
umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}) = 0
unlink("./3/binderfs") = 0
[ 85.622950][ T5070] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[ 85.630964][ T5070] R13: 00007ffd89067390 R14: 00007ffd89067370 R15: 0000000000000003
[ 85.638981][ T5070] </TASK>
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = 0
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
lstat("./3/file0", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
umount2("./3/file0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument)
openat(AT_FDCWD, "./3/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getdents64(4, 0x555555d4b660 /* 2 entries */, 32768) = 48
getdents64(4, 0x555555d4b660 /* 0 entries */, 32768) = 0
close(4) = 0
rmdir("./3/file0") = 0
getdents64(3, 0x555555d43620 /* 0 entries */, 32768) = 0
close(3) = 0
rmdir("./3") = 0
mkdir("./4", 0777) = 0
openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3
ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address)
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555d425d0) = 5088
./strace-static-x86_64: Process 5088 attached
[pid 5088] chdir("./4") = 0
[pid 5088] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 5088] setpgid(0, 0) = 0
[pid 5088] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 5088] write(3, "1000", 4) = 4
[pid 5088] close(3) = 0
[pid 5088] symlink("/dev/binderfs", "./binderfs") = 0
[pid 5088] memfd_create("syzkaller", 0) = 3
[pid 5088] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fa4a8a04000
[pid 5088] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 16777216) = 16777216
[pid 5088] munmap(0x7fa4a8a04000, 16777216) = 0
[pid 5088] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4
[pid 5088] ioctl(4, LOOP_SET_FD, 3) = 0
[pid 5088] close(3) = 0
[pid 5088] mkdir("./file0", 0777) = 0
[ 86.055847][ T5088] loop0: detected capacity change from 0 to 32768
[ 86.066108][ T5088] BTRFS: device fsid e417788f-7a09-42b2-9266-8ddc5d5d35d2 devid 1 transid 8 /dev/loop0 scanned by syz-executor746 (5088)
[ 86.084316][ T5088] BTRFS info (device loop0): using xxhash64 (xxhash64-generic) checksum algorithm
[ 86.093711][ T5088] BTRFS info (device loop0): doing ref verification
[pid 5088] mount("/dev/loop0", "./file0", "btrfs", MS_SYNCHRONOUS|MS_STRICTATIME, "datacow,ref_verify,nodatasum,max_inline=%m-3,noautodefrag,ssd,") = 0
[pid 5088] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3
[pid 5088] chdir("./file0") = 0
[pid 5088] ioctl(4, LOOP_CLR_FD) = 0
[pid 5088] close(4) = 0
[pid 5088] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4
[pid 5088] write(4, "44", 2) = 2
[ 86.100436][ T5088] BTRFS info (device loop0): setting nodatasum
[ 86.107031][ T5088] BTRFS info (device loop0): max_inline at 0
[ 86.113067][ T5088] BTRFS info (device loop0): enabling ssd optimizations
[ 86.120298][ T5088] BTRFS info (device loop0): using free space tree
[ 86.140776][ T5088] BTRFS info (device loop0): auto enabling async discard
[ 86.167458][ T5088] FAULT_INJECTION: forcing a failure.
[ 86.167458][ T5088] name failslab, interval 1, probability 0, space 0, times 0
[ 86.184279][ T5088] CPU: 0 PID: 5088 Comm: syz-executor746 Not tainted 6.4.0-rc5-syzkaller-00245-g64569520920a #0
[ 86.194773][ T5088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 86.204890][ T5088] Call Trace:
[ 86.208231][ T5088] <TASK>
[ 86.211219][ T5088] dump_stack_lvl+0x136/0x150
[ 86.215955][ T5088] should_fail_ex+0x4a3/0x5b0
[ 86.220703][ T5088] should_failslab+0x9/0x20
[ 86.225287][ T5088] kmem_cache_alloc+0x5d/0x3f0
[ 86.230132][ T5088] btrfs_add_delayed_tree_ref+0x241/0xf60
[ 86.235916][ T5088] ? do_raw_spin_unlock+0x175/0x230
[ 86.241269][ T5088] ? btrfs_delete_ref_head+0x2c0/0x2c0
[ 86.246793][ T5088] btrfs_free_tree_block+0x24c/0xb40
[ 86.252142][ T5088] ? btrfs_finish_extent_commit+0x870/0x870
[ 86.258100][ T5088] ? btrfs_tree_mod_log_free_eb+0x2da/0x800
[ 86.264073][ T5088] ? btrfs_mark_buffer_dirty+0x17a/0x250
[ 86.269782][ T5088] __btrfs_cow_block+0xc53/0x1690
[ 86.274885][ T5088] ? update_ref_for_cow+0xb50/0xb50
[ 86.280181][ T5088] ? btrfs_qgroup_add_swapped_blocks+0x980/0x980
[ 86.286577][ T5088] btrfs_cow_block+0x2fa/0x820
[ 86.291419][ T5088] btrfs_search_slot+0x11c6/0x2da0
[ 86.296596][ T5088] ? split_leaf+0x13e0/0x13e0
[ 86.301326][ T5088] ? find_held_lock+0x2d/0x110
[ 86.306153][ T5088] ? btrfs_create_new_inode+0x70f/0x2800
[ 86.311870][ T5088] ? lock_downgrade+0x690/0x690
[ 86.316799][ T5088] ? do_raw_spin_lock+0x124/0x2b0
[ 86.321890][ T5088] ? spin_bug+0x1c0/0x1c0
[ 86.326289][ T5088] btrfs_insert_empty_items+0xbd/0x1c0
[ 86.331802][ T5088] ? do_raw_spin_unlock+0x175/0x230
[ 86.337103][ T5088] btrfs_create_new_inode+0x851/0x2800
[ 86.342629][ T5088] ? btrfs_link+0x7f0/0x7f0
[ 86.347194][ T5088] ? record_root_in_trans+0x2f7/0x3e0
[ 86.352646][ T5088] btrfs_create_common+0x1d4/0x260
[ 86.357816][ T5088] ? btrfs_tmpfile+0x420/0x420
[ 86.362644][ T5088] ? inode_init_owner+0x2d6/0x3d0
[ 86.367736][ T5088] btrfs_create+0x116/0x160
[ 86.372297][ T5088] ? btrfs_mkdir+0x100/0x100
[ 86.376946][ T5088] lookup_open.isra.0+0x105a/0x1400
[ 86.382213][ T5088] ? link_path_walk.part.0+0xd60/0xd60
[ 86.387745][ T5088] ? rwsem_down_write_slowpath+0x1220/0x1220
[ 86.393796][ T5088] ? __mnt_want_write+0x1fe/0x2e0
[ 86.398887][ T5088] path_openat+0x975/0x2750
[ 86.403472][ T5088] ? path_lookupat+0x840/0x840
[ 86.408304][ T5088] ? find_held_lock+0x2d/0x110
[ 86.413124][ T5088] do_filp_open+0x1ba/0x410
[ 86.417694][ T5088] ? may_open_dev+0xf0/0xf0
[ 86.422268][ T5088] ? find_held_lock+0x2d/0x110
[ 86.427098][ T5088] ? do_raw_spin_lock+0x124/0x2b0
[ 86.432187][ T5088] ? spin_bug+0x1c0/0x1c0
[ 86.436583][ T5088] ? _raw_spin_unlock+0x28/0x40
[ 86.441498][ T5088] ? alloc_fd+0x2e4/0x750
[ 86.445880][ T5088] do_sys_openat2+0x16d/0x4c0
[ 86.450607][ T5088] ? ptrace_stop.part.0+0x60f/0x8e0
[ 86.455859][ T5088] ? build_open_flags+0x720/0x720
[ 86.460928][ T5088] ? ptrace_notify+0xfe/0x140
[ 86.465628][ T5088] ? lock_downgrade+0x690/0x690
[ 86.470510][ T5088] __x64_sys_openat+0x143/0x1f0
[ 86.475393][ T5088] ? __ia32_sys_open+0x1c0/0x1c0
[ 86.480376][ T5088] ? _raw_spin_unlock_irq+0x23/0x50
[ 86.485621][ T5088] ? lockdep_hardirqs_on+0x7d/0x100
[ 86.490870][ T5088] ? _raw_spin_unlock_irq+0x2e/0x50
[ 86.496109][ T5088] ? ptrace_notify+0xfe/0x140
[ 86.500833][ T5088] do_syscall_64+0x39/0xb0
[ 86.505274][ T5088] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 86.511204][ T5088] RIP: 0033:0x7fa4b0e51aa9
[ 86.515631][ T5088] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 86.535270][ T5088] RSP: 002b:00007ffd89067328 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 86.543741][ T5088] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fa4b0e51aa9
[ 86.551748][ T5088] RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
[ 86.559752][ T5088] RBP: 00007ffd89067350 R08: 0000000000000002 R09: 00007ffd89067360
[ 86.567751][ T5088] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[ 86.575753][ T5088] R13: 00007ffd89067390 R14: 00007ffd89067370 R15: 0000000000000004
[ 86.583766][ T5088] </TASK>
[ 86.588707][ T5088] ------------[ cut here ]------------
[ 86.594503][ T5088] kernel BUG at fs/btrfs/extent-tree.c:3260!
[ 86.600638][ T5088] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 86.606721][ T5088] CPU: 1 PID: 5088 Comm: syz-executor746 Not tainted 6.4.0-rc5-syzkaller-00245-g64569520920a #0
[ 86.617142][ T5088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 86.627204][ T5088] RIP: 0010:btrfs_free_tree_block+0x266/0xb40
[ 86.633300][ T5088] Code: 00 48 8b 74 24 10 31 d2 4c 89 e7 e8 34 f2 17 00 31 ff 89 c6 89 44 24 10 e8 87 2b 21 fe 8b 44 24 10 85 c0 74 26 e8 5a 2f 21 fe <0f> 0b e8 53 2f 21 fe 48 89 ee 48 c7 c7 fa ff ff ff c6 44 24 58 01
[ 86.652945][ T5088] RSP: 0018:ffffc90003657170 EFLAGS: 00010293
[ 86.659029][ T5088] RAX: 0000000000000000 RBX: ffff88802b4815d0 RCX: 0000000000000000
[ 86.667011][ T5088] RDX: ffff88802282e180 RSI: ffffffff83623856 RDI: 0000000000000005
[ 86.674995][ T5088] RBP: 0000000000000005 R08: 0000000000000005 R09: 0000000000000000
[ 86.682982][ T5088] R10: 00000000fffffff4 R11: ffffffff81d515d5 R12: ffff888070b26dc8
[ 86.690978][ T5088] R13: 1ffff920006cae32 R14: 0000000000000001 R15: ffff88807448c000
[ 86.698964][ T5088] FS: 0000555555d42300(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
[ 86.707904][ T5088] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 86.714498][ T5088] CR2: 0000563cd3777fe0 CR3: 000000007cf5c000 CR4: 00000000003506e0
[ 86.722479][ T5088] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 86.730457][ T5088] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 86.738436][ T5088] Call Trace:
[ 86.741719][ T5088] <TASK>
[ 86.744651][ T5088] ? die+0x32/0x90
[ 86.748394][ T5088] ? do_trap+0x1b2/0x3f0
[ 86.752656][ T5088] ? btrfs_free_tree_block+0x266/0xb40
[ 86.758155][ T5088] ? btrfs_free_tree_block+0x266/0xb40
[ 86.763626][ T5088] ? do_error_trap+0xb1/0x170
[ 86.768315][ T5088] ? btrfs_free_tree_block+0x266/0xb40
[ 86.773790][ T5088] ? handle_invalid_op+0x2c/0x30
[ 86.778751][ T5088] ? btrfs_free_tree_block+0x266/0xb40
[ 86.784237][ T5088] ? exc_invalid_op+0x2f/0x50
[ 86.788933][ T5088] ? asm_exc_invalid_op+0x1a/0x20
[ 86.794021][ T5088] ? kasan_set_track+0x25/0x30
[ 86.798925][ T5088] ? btrfs_free_tree_block+0x266/0xb40
[ 86.804398][ T5088] ? btrfs_free_tree_block+0x266/0xb40
[ 86.809884][ T5088] ? btrfs_finish_extent_commit+0x870/0x870
[ 86.815812][ T5088] ? btrfs_tree_mod_log_free_eb+0x2da/0x800
[ 86.821737][ T5088] ? btrfs_mark_buffer_dirty+0x17a/0x250
[ 86.827404][ T5088] __btrfs_cow_block+0xc53/0x1690
[ 86.832498][ T5088] ? update_ref_for_cow+0xb50/0xb50
[ 86.837754][ T5088] ? btrfs_qgroup_add_swapped_blocks+0x980/0x980
[ 86.844105][ T5088] btrfs_cow_block+0x2fa/0x820
[ 86.848902][ T5088] btrfs_search_slot+0x11c6/0x2da0
[ 86.854047][ T5088] ? split_leaf+0x13e0/0x13e0
[ 86.858740][ T5088] ? find_held_lock+0x2d/0x110
[ 86.863530][ T5088] ? btrfs_create_new_inode+0x70f/0x2800
[ 86.869184][ T5088] ? lock_downgrade+0x690/0x690
[ 86.874061][ T5088] ? do_raw_spin_lock+0x124/0x2b0
[ 86.879115][ T5088] ? spin_bug+0x1c0/0x1c0
[ 86.883472][ T5088] btrfs_insert_empty_items+0xbd/0x1c0
[ 86.888960][ T5088] ? do_raw_spin_unlock+0x175/0x230
[ 86.894208][ T5088] btrfs_create_new_inode+0x851/0x2800
[ 86.899698][ T5088] ? btrfs_link+0x7f0/0x7f0
[ 86.904228][ T5088] ? record_root_in_trans+0x2f7/0x3e0
[ 86.909632][ T5088] btrfs_create_common+0x1d4/0x260
[ 86.914764][ T5088] ? btrfs_tmpfile+0x420/0x420
[ 86.919550][ T5088] ? inode_init_owner+0x2d6/0x3d0
[ 86.924608][ T5088] btrfs_create+0x116/0x160
[ 86.929156][ T5088] ? btrfs_mkdir+0x100/0x100
[ 86.933765][ T5088] lookup_open.isra.0+0x105a/0x1400
[ 86.938992][ T5088] ? link_path_walk.part.0+0xd60/0xd60
[ 86.944475][ T5088] ? rwsem_down_write_slowpath+0x1220/0x1220
[ 86.950482][ T5088] ? __mnt_want_write+0x1fe/0x2e0
[ 86.955528][ T5088] path_openat+0x975/0x2750
[ 86.960570][ T5088] ? path_lookupat+0x840/0x840
[ 86.965350][ T5088] ? find_held_lock+0x2d/0x110
[ 86.970128][ T5088] do_filp_open+0x1ba/0x410
[ 86.974651][ T5088] ? may_open_dev+0xf0/0xf0
[ 86.979174][ T5088] ? find_held_lock+0x2d/0x110
[ 86.983964][ T5088] ? do_raw_spin_lock+0x124/0x2b0
[ 86.989009][ T5088] ? spin_bug+0x1c0/0x1c0
[ 86.993356][ T5088] ? _raw_spin_unlock+0x28/0x40
[ 86.998225][ T5088] ? alloc_fd+0x2e4/0x750
[ 87.002576][ T5088] do_sys_openat2+0x16d/0x4c0
[ 87.007285][ T5088] ? ptrace_stop.part.0+0x60f/0x8e0
[ 87.012498][ T5088] ? build_open_flags+0x720/0x720
[ 87.017530][ T5088] ? ptrace_notify+0xfe/0x140
[ 87.022249][ T5088] ? lock_downgrade+0x690/0x690
[ 87.027130][ T5088] __x64_sys_openat+0x143/0x1f0
[ 87.032000][ T5088] ? __ia32_sys_open+0x1c0/0x1c0
[ 87.036971][ T5088] ? _raw_spin_unlock_irq+0x23/0x50
[ 87.042238][ T5088] ? lockdep_hardirqs_on+0x7d/0x100
[ 87.047464][ T5088] ? _raw_spin_unlock_irq+0x2e/0x50
[ 87.052691][ T5088] ? ptrace_notify+0xfe/0x140
[ 87.057409][ T5088] do_syscall_64+0x39/0xb0
[ 87.061856][ T5088] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 87.067777][ T5088] RIP: 0033:0x7fa4b0e51aa9
[ 87.072223][ T5088] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 87.091843][ T5088] RSP: 002b:00007ffd89067328 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 87.100278][ T5088] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fa4b0e51aa9
[ 87.108277][ T5088] RDX: 000000000000275a RSI: 0000000020000040 RDI: 00000000ffffff9c
[ 87.116256][ T5088] RBP: 00007ffd89067350 R08: 0000000000000002 R09: 00007ffd89067360
[ 87.124242][ T5088] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004
[ 87.132237][ T5088] R13: 00007ffd89067390 R14: 00007ffd89067370 R15: 0000000000000004
[ 87.140221][ T5088] </TASK>
[ 87.143255][ T5088] Modules linked in:
[ 87.164379][ T5088] ---[ end trace 0000000000000000 ]---
[ 87.174178][ T5088] RIP: 0010:btrfs_free_tree_block+0x266/0xb40
[ 87.180579][ T5088] Code: 00 48 8b 74 24 10 31 d2 4c 89 e7 e8 34 f2 17 00 31 ff 89 c6 89 44 24 10 e8 87 2b 21 fe 8b 44 24 10 85 c0 74 26 e8 5a 2f 21 fe <0f> 0b e8 53 2f 21 fe 48 89 ee 48 c7 c7 fa ff ff ff c6 44 24 58 01
[ 87.223205][ T5088] RSP: 0018:ffffc90003657170 EFLAGS: 00010293
[ 87.229596][ T5088] RAX: 0000000000000000 RBX: ffff88802b4815d0 RCX: 0000000000000000
[ 87.238176][ T5088] RDX: ffff88802282e180 RSI: ffffffff83623856 RDI: 0000000000000005
[ 87.246662][ T5088] RBP: 0000000000000005 R08: 0000000000000005 R09: 0000000000000000
[ 87.255272][ T5088] R10: 00000000fffffff4 R11: ffffffff81d515d5 R12: ffff888070b26dc8
[ 87.271253][ T5088] R13: 1ffff920006cae32 R14: 0000000000000001 R15: ffff88807448c000
[ 87.279744][ T5088] FS: 0000555555d42300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
[ 87.289193][ T5088] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 87.296282][ T5088] CR2: 0000556ec1283150 CR3: 000000007cf5c000 CR4: 00000000003506f0
[ 87.304720][ T5088] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 87.312952][ T5088] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 87.321465][ T5088] Kernel panic - not syncing: Fatal exception
[ 87.327709][ T5088] Kernel Offset: disabled
[ 87.332050][ T5088] Rebooting in 86400 seconds..