./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor693599821 <...> Warning: Permanently added '10.128.10.50' (ED25519) to the list of known hosts. execve("./syz-executor693599821", ["./syz-executor693599821"], 0x7fffb8d486c0 /* 10 vars */) = 0 brk(NULL) = 0x5555570e7000 brk(0x5555570e7d00) = 0x5555570e7d00 arch_prctl(ARCH_SET_FS, 0x5555570e7380) = 0 set_tid_address(0x5555570e7650) = 5838 set_robust_list(0x5555570e7660, 24) = 0 rseq(0x5555570e7ca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor693599821", 4096) = 27 getrandom("\x10\xaf\x3c\x03\xd9\x45\xfd\x19", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555570e7d00 brk(0x555557108d00) = 0x555557108d00 brk(0x555557109000) = 0x555557109000 mprotect(0x7f4776bee000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555570e7650) = 5839 ./strace-static-x86_64: Process 5839 attached [pid 5839] set_robust_list(0x5555570e7660, 24) = 0 [pid 5838] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5839] mkdir("./syzkaller.d32taK", 0700./strace-static-x86_64: Process 5840 attached ) = 0 [pid 5840] set_robust_list(0x5555570e7660, 24 [pid 5838] <... clone resumed>, child_tidptr=0x5555570e7650) = 5840 [pid 5840] <... set_robust_list resumed>) = 0 [pid 5838] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5840] mkdir("./syzkaller.iaRGFz", 0700 [pid 5839] chmod("./syzkaller.d32taK", 0777./strace-static-x86_64: Process 5841 attached [pid 5840] <... mkdir resumed>) = 0 [pid 5839] <... chmod resumed>) = 0 [pid 5840] chmod("./syzkaller.iaRGFz", 0777 [pid 5839] chdir("./syzkaller.d32taK" [pid 5838] <... clone resumed>, child_tidptr=0x5555570e7650) = 5841 [pid 5841] set_robust_list(0x5555570e7660, 24 [pid 5840] <... chmod resumed>) = 0 [pid 5839] <... chdir resumed>) = 0 [pid 5838] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5840] chdir("./syzkaller.iaRGFz" [pid 5839] unshare(CLONE_NEWPID./strace-static-x86_64: Process 5842 attached [pid 5841] <... set_robust_list resumed>) = 0 [pid 5840] <... chdir resumed>) = 0 [pid 5839] <... unshare resumed>) = 0 [pid 5842] set_robust_list(0x5555570e7660, 24 [pid 5840] unshare(CLONE_NEWPID [pid 5842] <... set_robust_list resumed>) = 0 [pid 5841] getrandom( [pid 5840] <... unshare resumed>) = 0 [pid 5842] mkdir("./syzkaller.0weFkJ", 0700 [pid 5840] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5838] <... clone resumed>, child_tidptr=0x5555570e7650) = 5842 [pid 5841] <... getrandom resumed>"\xc7\x13\xd9\xa9\xaf\x07\x74\xf7", 8, GRND_NONBLOCK) = 8 [pid 5838] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5841] getrandom( [pid 5842] <... mkdir resumed>) = 0 [pid 5841] <... getrandom resumed>"\x09\x71\xb4\xe4\x56\x89\x80\x6e", 8, GRND_NONBLOCK) = 8 ./strace-static-x86_64: Process 5844 attached ./strace-static-x86_64: Process 5843 attached [pid 5842] chmod("./syzkaller.0weFkJ", 0777 [pid 5841] mkdir("./syzkaller.RDIgkz", 0700 [pid 5844] set_robust_list(0x5555570e7660, 24 [pid 5843] set_robust_list(0x5555570e7660, 24 [pid 5842] <... chmod resumed>) = 0 [pid 5841] <... mkdir resumed>) = 0 [pid 5840] <... clone resumed>, child_tidptr=0x5555570e7650) = 5843 [pid 5839] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5844] <... set_robust_list resumed>) = 0 [pid 5843] <... set_robust_list resumed>) = 0 [pid 5842] chdir("./syzkaller.0weFkJ" [pid 5844] mkdir("./syzkaller.zInIDD", 0700 [pid 5843] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5842] <... chdir resumed>) = 0 ./strace-static-x86_64: Process 5845 attached [pid 5838] <... clone resumed>, child_tidptr=0x5555570e7650) = 5844 [pid 5841] chmod("./syzkaller.RDIgkz", 0777 [pid 5845] set_robust_list(0x5555570e7660, 24 [pid 5844] <... mkdir resumed>) = 0 [pid 5843] <... prctl resumed>) = 0 [pid 5842] unshare(CLONE_NEWPID [pid 5841] <... chmod resumed>) = 0 [pid 5845] <... set_robust_list resumed>) = 0 [pid 5844] chmod("./syzkaller.zInIDD", 0777 [pid 5843] getppid( [pid 5842] <... unshare resumed>) = 0 [pid 5841] chdir("./syzkaller.RDIgkz" [pid 5839] <... clone resumed>, child_tidptr=0x5555570e7650) = 5845 [pid 5845] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5844] <... chmod resumed>) = 0 [pid 5843] <... getppid resumed>) = 0 [pid 5842] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5841] <... chdir resumed>) = 0 [pid 5845] getppid( [pid 5844] chdir("./syzkaller.zInIDD" [pid 5841] unshare(CLONE_NEWPID./strace-static-x86_64: Process 5846 attached [pid 5845] <... getppid resumed>) = 0 [pid 5844] <... chdir resumed>) = 0 [pid 5843] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, [pid 5841] <... unshare resumed>) = 0 [pid 5846] set_robust_list(0x5555570e7660, 24 [pid 5845] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, [pid 5844] unshare(CLONE_NEWPID [pid 5843] <... prlimit64 resumed>NULL) = 0 [pid 5842] <... clone resumed>, child_tidptr=0x5555570e7650) = 5846 [pid 5846] <... set_robust_list resumed>) = 0 [pid 5845] <... prlimit64 resumed>NULL) = 0 [pid 5844] <... unshare resumed>) = 0 [pid 5843] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, [pid 5846] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5845] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, [pid 5844] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5843] <... prlimit64 resumed>NULL) = 0 [pid 5841] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5848 attached ./strace-static-x86_64: Process 5847 attached [pid 5846] <... prctl resumed>) = 0 [pid 5845] <... prlimit64 resumed>NULL) = 0 [pid 5843] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, [pid 5848] set_robust_list(0x5555570e7660, 24 [pid 5846] getppid( [pid 5845] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, [pid 5844] <... clone resumed>, child_tidptr=0x5555570e7650) = 5847 [pid 5843] <... prlimit64 resumed>NULL) = 0 [pid 5847] set_robust_list(0x5555570e7660, 24 [pid 5848] <... set_robust_list resumed>) = 0 [pid 5846] <... getppid resumed>) = 0 [pid 5845] <... prlimit64 resumed>NULL) = 0 [pid 5847] <... set_robust_list resumed>) = 0 [pid 5843] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, [pid 5848] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5847] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5846] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, [pid 5845] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, [pid 5848] <... prctl resumed>) = 0 [pid 5847] <... prctl resumed>) = 0 [pid 5846] <... prlimit64 resumed>NULL) = 0 [pid 5845] <... prlimit64 resumed>NULL) = 0 [pid 5843] <... prlimit64 resumed>NULL) = 0 [pid 5848] getppid( [pid 5847] getppid( [pid 5846] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, [pid 5845] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, [pid 5848] <... getppid resumed>) = 0 [pid 5847] <... getppid resumed>) = 0 [pid 5846] <... prlimit64 resumed>NULL) = 0 [pid 5845] <... prlimit64 resumed>NULL) = 0 [pid 5843] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, [pid 5848] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, [pid 5847] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, [pid 5846] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, [pid 5843] <... prlimit64 resumed>NULL) = 0 [pid 5848] <... prlimit64 resumed>NULL) = 0 [pid 5847] <... prlimit64 resumed>NULL) = 0 [pid 5846] <... prlimit64 resumed>NULL) = 0 [pid 5845] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, [pid 5843] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, [pid 5848] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, [pid 5847] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, [pid 5846] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, [pid 5845] <... prlimit64 resumed>NULL) = 0 [pid 5843] <... prlimit64 resumed>NULL) = 0 [pid 5848] <... prlimit64 resumed>NULL) = 0 [pid 5847] <... prlimit64 resumed>NULL) = 0 [pid 5846] <... prlimit64 resumed>NULL) = 0 [pid 5845] unshare(CLONE_NEWNS [pid 5848] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, [pid 5847] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, [pid 5846] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, [pid 5843] unshare(CLONE_NEWNS [pid 5848] <... prlimit64 resumed>NULL) = 0 [pid 5847] <... prlimit64 resumed>NULL) = 0 [pid 5846] <... prlimit64 resumed>NULL) = 0 [pid 5845] <... unshare resumed>) = 0 [pid 5841] <... clone resumed>, child_tidptr=0x5555570e7650) = 5848 [pid 5848] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, [pid 5847] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, [pid 5846] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, [pid 5845] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL [pid 5843] <... unshare resumed>) = 0 [pid 5848] <... prlimit64 resumed>NULL) = 0 [pid 5847] <... prlimit64 resumed>NULL) = 0 [pid 5846] <... prlimit64 resumed>NULL) = 0 [pid 5848] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, [pid 5847] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, [pid 5845] <... mount resumed>) = 0 [pid 5843] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL [pid 5848] <... prlimit64 resumed>NULL) = 0 [pid 5847] <... prlimit64 resumed>NULL) = 0 [pid 5846] unshare(CLONE_NEWNS [pid 5848] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, [pid 5847] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, [pid 5845] unshare(CLONE_NEWIPC [pid 5848] <... prlimit64 resumed>NULL) = 0 [pid 5847] <... prlimit64 resumed>NULL) = 0 [pid 5848] unshare(CLONE_NEWNS [pid 5847] unshare(CLONE_NEWNS [pid 5846] <... unshare resumed>) = 0 [pid 5845] <... unshare resumed>) = 0 [pid 5843] <... mount resumed>) = 0 [pid 5843] unshare(CLONE_NEWIPC [pid 5848] <... unshare resumed>) = 0 [pid 5847] <... unshare resumed>) = 0 [pid 5846] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL [pid 5845] unshare(CLONE_NEWCGROUP [pid 5843] <... unshare resumed>) = 0 [pid 5848] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL [pid 5847] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL [pid 5845] <... unshare resumed>) = 0 [pid 5848] <... mount resumed>) = 0 [pid 5847] <... mount resumed>) = 0 [pid 5846] <... mount resumed>) = 0 [pid 5845] unshare(CLONE_NEWUTS [pid 5843] unshare(CLONE_NEWCGROUP [pid 5848] unshare(CLONE_NEWIPC [pid 5847] unshare(CLONE_NEWIPC [pid 5846] unshare(CLONE_NEWIPC [pid 5845] <... unshare resumed>) = 0 [pid 5843] <... unshare resumed>) = 0 [pid 5848] <... unshare resumed>) = 0 [pid 5846] <... unshare resumed>) = 0 [pid 5848] unshare(CLONE_NEWCGROUP [pid 5847] <... unshare resumed>) = 0 [pid 5845] unshare(CLONE_SYSVSEM [pid 5843] unshare(CLONE_NEWUTS [pid 5848] <... unshare resumed>) = 0 [pid 5847] unshare(CLONE_NEWCGROUP [pid 5845] <... unshare resumed>) = 0 [pid 5848] unshare(CLONE_NEWUTS) = 0 [pid 5847] <... unshare resumed>) = 0 [pid 5845] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC [pid 5843] <... unshare resumed>) = 0 [pid 5848] unshare(CLONE_SYSVSEM [pid 5847] unshare(CLONE_NEWUTS [pid 5846] unshare(CLONE_NEWCGROUP [pid 5843] unshare(CLONE_SYSVSEM [pid 5848] <... unshare resumed>) = 0 [pid 5847] <... unshare resumed>) = 0 [pid 5846] <... unshare resumed>) = 0 [pid 5845] <... openat resumed>) = 3 [pid 5843] <... unshare resumed>) = 0 [pid 5848] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC [pid 5847] unshare(CLONE_SYSVSEM [pid 5846] unshare(CLONE_NEWUTS [pid 5845] write(3, "16777216", 8 [pid 5843] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC [pid 5848] <... openat resumed>) = 3 [pid 5847] <... unshare resumed>) = 0 [pid 5846] <... unshare resumed>) = 0 [pid 5845] <... write resumed>) = 8 [pid 5843] <... openat resumed>) = 3 [pid 5848] write(3, "16777216", 8 [pid 5847] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC [pid 5846] unshare(CLONE_SYSVSEM [pid 5845] close(3 [pid 5848] <... write resumed>) = 8 [pid 5848] close(3 [pid 5847] <... openat resumed>) = 3 [pid 5846] <... unshare resumed>) = 0 [pid 5845] <... close resumed>) = 0 [pid 5843] write(3, "16777216", 8 [pid 5848] <... close resumed>) = 0 [pid 5847] write(3, "16777216", 8 [pid 5846] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC [pid 5845] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC [pid 5843] <... write resumed>) = 8 [pid 5848] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC [pid 5847] <... write resumed>) = 8 [pid 5848] <... openat resumed>) = 3 [pid 5847] close(3 [pid 5846] <... openat resumed>) = 3 [pid 5845] <... openat resumed>) = 3 [pid 5843] close(3 [pid 5848] write(3, "536870912", 9 [pid 5847] <... close resumed>) = 0 [pid 5846] write(3, "16777216", 8 [pid 5845] write(3, "536870912", 9 [pid 5843] <... close resumed>) = 0 [pid 5848] <... write resumed>) = 9 [pid 5847] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC [pid 5845] <... write resumed>) = 9 [pid 5848] close(3 [pid 5847] <... openat resumed>) = 3 [pid 5846] <... write resumed>) = 8 [pid 5845] close(3 [pid 5843] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC [pid 5848] <... close resumed>) = 0 [pid 5847] write(3, "536870912", 9 [pid 5846] close(3 [pid 5845] <... close resumed>) = 0 [pid 5843] <... openat resumed>) = 3 [pid 5848] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC [pid 5847] <... write resumed>) = 9 [pid 5846] <... close resumed>) = 0 [pid 5845] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC [pid 5843] write(3, "536870912", 9 [pid 5848] <... openat resumed>) = 3 [pid 5847] close(3 [pid 5846] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC [pid 5843] <... write resumed>) = 9 [pid 5848] write(3, "1024", 4 [pid 5847] <... close resumed>) = 0 [pid 5846] <... openat resumed>) = 3 [pid 5845] <... openat resumed>) = 3 [pid 5843] close(3 [pid 5848] <... write resumed>) = 4 [pid 5847] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC [pid 5846] write(3, "536870912", 9 [pid 5845] write(3, "1024", 4 [pid 5843] <... close resumed>) = 0 [pid 5848] close(3 [pid 5847] <... openat resumed>) = 3 [pid 5846] <... write resumed>) = 9 [pid 5845] <... write resumed>) = 4 [pid 5843] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC [pid 5848] <... close resumed>) = 0 [pid 5847] write(3, "1024", 4 [pid 5846] close(3 [pid 5845] close(3 [pid 5843] <... openat resumed>) = 3 [pid 5848] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC [pid 5847] <... write resumed>) = 4 [pid 5846] <... close resumed>) = 0 [pid 5845] <... close resumed>) = 0 [pid 5848] <... openat resumed>) = 3 [pid 5847] close(3 [pid 5846] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC [pid 5845] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC [pid 5843] write(3, "1024", 4 [pid 5847] <... close resumed>) = 0 [pid 5843] <... write resumed>) = 4 [pid 5845] <... openat resumed>) = 3 [pid 5843] close(3 [pid 5846] <... openat resumed>) = 3 [pid 5843] <... close resumed>) = 0 [pid 5848] write(3, "8192", 4 [pid 5847] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC [pid 5846] write(3, "1024", 4 [pid 5845] write(3, "8192", 4 [pid 5848] <... write resumed>) = 4 [pid 5847] <... openat resumed>) = 3 [pid 5848] close(3 [pid 5847] write(3, "8192", 4 [pid 5845] <... write resumed>) = 4 [pid 5848] <... close resumed>) = 0 [pid 5847] <... write resumed>) = 4 [pid 5845] close(3 [pid 5848] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC [pid 5847] close(3 [pid 5848] <... openat resumed>) = 3 [pid 5847] <... close resumed>) = 0 [pid 5846] <... write resumed>) = 4 [pid 5845] <... close resumed>) = 0 [pid 5843] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC [pid 5846] close(3 [pid 5847] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5846] <... close resumed>) = 0 [pid 5845] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC [pid 5843] <... openat resumed>) = 3 [pid 5846] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC [pid 5845] <... openat resumed>) = 3 [pid 5843] write(3, "8192", 4 [pid 5848] write(3, "1024", 4 [pid 5847] write(3, "1024", 4 [pid 5845] write(3, "1024", 4 [pid 5848] <... write resumed>) = 4 [pid 5847] <... write resumed>) = 4 [pid 5846] <... openat resumed>) = 3 [pid 5843] <... write resumed>) = 4 [pid 5848] close(3 [pid 5847] close(3 [pid 5845] <... write resumed>) = 4 [pid 5848] <... close resumed>) = 0 [pid 5847] <... close resumed>) = 0 [pid 5845] close(3 [pid 5846] write(3, "8192", 4 [pid 5843] close(3 [pid 5846] <... write resumed>) = 4 [pid 5848] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC [pid 5847] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC [pid 5846] close(3 [pid 5845] <... close resumed>) = 0 [pid 5843] <... close resumed>) = 0 [pid 5848] <... openat resumed>) = 3 [pid 5847] <... openat resumed>) = 3 [pid 5845] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC [pid 5846] <... close resumed>) = 0 [pid 5843] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC [pid 5846] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC [pid 5843] <... openat resumed>) = 3 [pid 5847] write(3, "1024", 4 [pid 5846] <... openat resumed>) = 3 [pid 5845] <... openat resumed>) = 3 [pid 5843] write(3, "1024", 4 [pid 5848] write(3, "1024", 4 [pid 5847] <... write resumed>) = 4 [pid 5845] write(3, "1024", 4 [pid 5848] <... write resumed>) = 4 [pid 5847] close(3 [pid 5846] write(3, "1024", 4 [pid 5845] <... write resumed>) = 4 [pid 5843] <... write resumed>) = 4 [pid 5848] close(3 [pid 5847] <... close resumed>) = 0 [pid 5846] <... write resumed>) = 4 [pid 5845] close(3 [pid 5843] close(3 [pid 5848] <... close resumed>) = 0 [pid 5847] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC [pid 5846] close(3 [pid 5845] <... close resumed>) = 0 [pid 5848] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC [pid 5847] <... openat resumed>) = 3 [pid 5845] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC [pid 5843] <... close resumed>) = 0 [pid 5848] <... openat resumed>) = 3 [pid 5843] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC [pid 5846] <... close resumed>) = 0 [pid 5845] <... openat resumed>) = 3 [pid 5846] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC [pid 5843] <... openat resumed>) = 3 [pid 5848] write(3, "1024 1048576 500 1024", 21 [pid 5847] write(3, "1024 1048576 500 1024", 21 [pid 5848] <... write resumed>) = 21 [pid 5847] <... write resumed>) = 21 [pid 5846] <... openat resumed>) = 3 [pid 5845] write(3, "1024 1048576 500 1024", 21 [pid 5843] write(3, "1024", 4 [pid 5848] close(3 [pid 5847] close(3 [pid 5846] write(3, "1024", 4 [pid 5845] <... write resumed>) = 21 [pid 5848] <... close resumed>) = 0 [pid 5847] <... close resumed>) = 0 [pid 5846] <... write resumed>) = 4 [pid 5845] close(3 [pid 5843] <... write resumed>) = 4 [pid 5848] getpid( [pid 5847] getpid( [pid 5846] close(3 [pid 5845] <... close resumed>) = 0 [pid 5843] close(3 [pid 5848] <... getpid resumed>) = 1 [pid 5847] <... getpid resumed>) = 1 [pid 5846] <... close resumed>) = 0 [pid 5845] getpid( [pid 5848] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, [pid 5843] <... close resumed>) = 0 [pid 5846] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC [pid 5843] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC [pid 5848] <... capget resumed>{effective=1< [pid 5845] <... getpid resumed>) = 1 [pid 5848] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 5847] <... capget resumed>{effective=1< [pid 5843] <... openat resumed>) = 3 [pid 5848] <... capset resumed>) = 0 [pid 5847] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 5846] <... openat resumed>) = 3 [pid 5845] <... capget resumed>{effective=1< [pid 5847] <... capset resumed>) = 0 [pid 5845] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 5847] unshare(CLONE_NEWNET [pid 5846] write(3, "1024 1048576 500 1024", 21 [pid 5843] write(3, "1024 1048576 500 1024", 21 [pid 5845] <... capset resumed>) = 0 [pid 5845] unshare(CLONE_NEWNET [pid 5843] <... write resumed>) = 21 [pid 5846] <... write resumed>) = 21 [pid 5843] close(3 [pid 5846] close(3) = 0 [pid 5843] <... close resumed>) = 0 [pid 5843] getpid( [pid 5846] getpid( [pid 5843] <... getpid resumed>) = 1 [pid 5846] <... getpid resumed>) = 1 [pid 5843] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, [pid 5846] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, [pid 5843] <... capget resumed>{effective=1<{effective=1< [pid 5846] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1< [pid 5843] <... capset resumed>) = 0 [pid 5846] <... capset resumed>) = 0 [pid 5843] unshare(CLONE_NEWNET [pid 5846] unshare(CLONE_NEWNET [pid 5848] <... unshare resumed>) = 0 [pid 5848] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC [pid 5847] <... unshare resumed>) = 0 [pid 5848] <... openat resumed>) = 3 [pid 5848] write(3, "0 65535", 7 [pid 5847] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC [pid 5848] <... write resumed>) = 7 [pid 5847] <... openat resumed>) = 3 [pid 5848] close(3) = 0 [pid 5848] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 [pid 5848] write(3, "100000", 6) = 6 [pid 5847] write(3, "0 65535", 7 [pid 5848] close(3) = 0 [pid 5847] <... write resumed>) = 7 [pid 5848] mkdir("./syz-tmp", 0777) = 0 [pid 5847] close(3 [pid 5848] mount("", "./syz-tmp", "tmpfs", 0, NULL [pid 5847] <... close resumed>) = 0 [pid 5847] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC) = 3 [pid 5847] write(3, "100000", 6) = 6 [pid 5847] close(3) = 0 [pid 5847] mkdir("./syz-tmp", 0777) = 0 [pid 5848] <... mount resumed>) = 0 [pid 5848] mkdir("./syz-tmp/newroot", 0777 [pid 5847] mount("", "./syz-tmp", "tmpfs", 0, NULL [pid 5848] <... mkdir resumed>) = 0 [pid 5847] <... mount resumed>) = 0 [pid 5848] mkdir("./syz-tmp/newroot/dev", 0700 [pid 5843] <... unshare resumed>) = 0 [pid 5848] <... mkdir resumed>) = 0 [pid 5847] mkdir("./syz-tmp/newroot", 0777) = 0 [pid 5848] mount("/dev", "./syz-tmp/newroot/dev", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0 [pid 5847] mkdir("./syz-tmp/newroot/dev", 0700) = 0 [pid 5843] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC [pid 5847] mount("/dev", "./syz-tmp/newroot/dev", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0 [pid 5843] <... openat resumed>) = 3 [pid 5848] mkdir("./syz-tmp/newroot/proc", 0700 [pid 5843] write(3, "0 65535", 7 [pid 5848] <... mkdir resumed>) = 0 [pid 5843] <... write resumed>) = 7 [pid 5847] mkdir("./syz-tmp/newroot/proc", 0700 [pid 5843] close(3 [pid 5847] <... mkdir resumed>) = 0 [pid 5843] <... close resumed>) = 0 [pid 5848] mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL [pid 5843] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC [pid 5848] <... mount resumed>) = 0 [pid 5847] mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL [pid 5843] <... openat resumed>) = 3 [pid 5843] write(3, "100000", 6) = 6 [pid 5847] <... mount resumed>) = 0 [pid 5843] close(3) = 0 [pid 5848] mkdir("./syz-tmp/newroot/selinux", 0700 [pid 5843] mkdir("./syz-tmp", 0777 [pid 5847] mkdir("./syz-tmp/newroot/selinux", 0700 [pid 5848] <... mkdir resumed>) = 0 [pid 5847] <... mkdir resumed>) = 0 [pid 5846] <... unshare resumed>) = 0 [pid 5845] <... unshare resumed>) = 0 [pid 5843] <... mkdir resumed>) = 0 [pid 5848] mount("/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5847] mount("/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5846] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC [pid 5845] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC [pid 5843] mount("", "./syz-tmp", "tmpfs", 0, NULL [pid 5846] <... openat resumed>) = 3 [pid 5845] <... openat resumed>) = 3 [pid 5846] write(3, "0 65535", 7) = 7 [pid 5843] <... mount resumed>) = 0 [pid 5846] close(3 [pid 5848] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5847] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5846] <... close resumed>) = 0 [pid 5845] write(3, "0 65535", 7 [pid 5843] mkdir("./syz-tmp/newroot", 0777 [pid 5848] mount("/sys/fs/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5847] mount("/sys/fs/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5845] <... write resumed>) = 7 [pid 5846] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC [pid 5845] close(3 [pid 5847] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5846] <... openat resumed>) = 3 [pid 5846] write(3, "100000", 6 [pid 5845] <... close resumed>) = 0 [pid 5848] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5846] <... write resumed>) = 6 [pid 5845] openat(AT_FDCWD, "/proc/sys/fs/mount-max", O_WRONLY|O_CLOEXEC [pid 5846] close(3) = 0 [pid 5843] <... mkdir resumed>) = 0 [pid 5845] <... openat resumed>) = 3 [pid 5846] mkdir("./syz-tmp", 0777) = 0 [pid 5846] mount("", "./syz-tmp", "tmpfs", 0, NULL [pid 5848] mkdir("./syz-tmp/newroot/sys", 0700 [pid 5847] mkdir("./syz-tmp/newroot/sys", 0700 [pid 5845] write(3, "100000", 6 [pid 5843] mkdir("./syz-tmp/newroot/dev", 0700 [pid 5845] <... write resumed>) = 6 [pid 5848] <... mkdir resumed>) = 0 [pid 5846] <... mount resumed>) = 0 [pid 5845] close(3 [pid 5843] <... mkdir resumed>) = 0 [pid 5848] mount("/sys", "./syz-tmp/newroot/sys", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5847] <... mkdir resumed>) = 0 [pid 5845] <... close resumed>) = 0 [pid 5847] mount("/sys", "./syz-tmp/newroot/sys", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5846] mkdir("./syz-tmp/newroot", 0777 [pid 5848] <... mount resumed>) = 0 [pid 5845] mkdir("./syz-tmp", 0777 [pid 5843] mount("/dev", "./syz-tmp/newroot/dev", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5848] mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5847] <... mount resumed>) = 0 [pid 5846] <... mkdir resumed>) = 0 [pid 5848] <... mount resumed>) = 0 [pid 5847] mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5843] <... mount resumed>) = 0 [pid 5847] <... mount resumed>) = 0 [pid 5846] mkdir("./syz-tmp/newroot/dev", 0700) = 0 [pid 5848] mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5847] mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5846] mount("/dev", "./syz-tmp/newroot/dev", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5845] <... mkdir resumed>) = 0 [pid 5843] mkdir("./syz-tmp/newroot/proc", 0700 [pid 5848] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5847] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5846] <... mount resumed>) = 0 [pid 5848] mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5847] mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5845] mount("", "./syz-tmp", "tmpfs", 0, NULL [pid 5843] <... mkdir resumed>) = 0 [pid 5846] mkdir("./syz-tmp/newroot/proc", 0700 [pid 5845] <... mount resumed>) = 0 [pid 5848] <... mount resumed>) = 0 [pid 5847] <... mount resumed>) = 0 [pid 5846] <... mkdir resumed>) = 0 [pid 5845] mkdir("./syz-tmp/newroot", 0777 [pid 5843] mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL [pid 5846] mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL [pid 5848] mkdir("./syz-tmp/newroot/syz-inputs", 0700 [pid 5847] mkdir("./syz-tmp/newroot/syz-inputs", 0700 [pid 5845] <... mkdir resumed>) = 0 [pid 5843] <... mount resumed>) = 0 [pid 5845] mkdir("./syz-tmp/newroot/dev", 0700 [pid 5843] mkdir("./syz-tmp/newroot/selinux", 0700 [pid 5846] <... mount resumed>) = 0 [pid 5845] <... mkdir resumed>) = 0 [pid 5848] <... mkdir resumed>) = 0 [pid 5845] mount("/dev", "./syz-tmp/newroot/dev", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5843] <... mkdir resumed>) = 0 [pid 5848] mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5847] <... mkdir resumed>) = 0 [pid 5846] mkdir("./syz-tmp/newroot/selinux", 0700 [pid 5845] <... mount resumed>) = 0 [pid 5847] mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5845] mkdir("./syz-tmp/newroot/proc", 0700 [pid 5843] mount("/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5846] <... mkdir resumed>) = 0 [pid 5845] <... mkdir resumed>) = 0 [pid 5843] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5848] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5847] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5846] mount("/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5848] mkdir("./syz-tmp/pivot", 0777 [pid 5847] mkdir("./syz-tmp/pivot", 0777 [pid 5846] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5845] mount("syz-proc", "./syz-tmp/newroot/proc", "proc", 0, NULL [pid 5843] mount("/sys/fs/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5846] mount("/sys/fs/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5847] <... mkdir resumed>) = 0 [pid 5846] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5843] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5843] mkdir("./syz-tmp/newroot/sys", 0700) = 0 [pid 5847] pivot_root("./syz-tmp", "./syz-tmp/pivot" [pid 5846] mkdir("./syz-tmp/newroot/sys", 0700 [pid 5845] <... mount resumed>) = 0 [pid 5846] <... mkdir resumed>) = 0 [pid 5843] mount("/sys", "./syz-tmp/newroot/sys", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL) = 0 [pid 5843] mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5848] <... mkdir resumed>) = 0 [pid 5847] <... pivot_root resumed>) = 0 [pid 5846] mount("/sys", "./syz-tmp/newroot/sys", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5845] mkdir("./syz-tmp/newroot/selinux", 0700 [pid 5848] pivot_root("./syz-tmp", "./syz-tmp/pivot" [pid 5847] chdir("/" [pid 5843] <... mount resumed>) = 0 [pid 5846] <... mount resumed>) = 0 [pid 5847] <... chdir resumed>) = 0 [pid 5845] <... mkdir resumed>) = 0 [pid 5848] <... pivot_root resumed>) = 0 [pid 5847] umount2("./pivot", MNT_DETACH [pid 5845] mount("/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5843] mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5846] mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5848] chdir("/" [pid 5847] <... umount2 resumed>) = 0 [pid 5845] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5843] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5845] mount("/sys/fs/selinux", "./syz-tmp/newroot/selinux", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5846] <... mount resumed>) = 0 [pid 5845] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5845] mkdir("./syz-tmp/newroot/sys", 0700 [pid 5848] <... chdir resumed>) = 0 [pid 5847] chroot("./newroot" [pid 5846] mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5845] <... mkdir resumed>) = 0 [pid 5843] mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5848] umount2("./pivot", MNT_DETACH [pid 5847] <... chroot resumed>) = 0 [pid 5846] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5845] mount("/sys", "./syz-tmp/newroot/sys", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5843] <... mount resumed>) = 0 [pid 5847] chdir("/" [pid 5846] mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5845] <... mount resumed>) = 0 [pid 5848] <... umount2 resumed>) = 0 [pid 5845] mount("/sys/kernel/debug", "./syz-tmp/newroot/sys/kernel/debug", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5848] chroot("./newroot" [pid 5846] <... mount resumed>) = 0 [pid 5845] <... mount resumed>) = 0 [pid 5847] <... chdir resumed>) = 0 [pid 5848] <... chroot resumed>) = 0 [pid 5843] mkdir("./syz-tmp/newroot/syz-inputs", 0700 [pid 5848] chdir("/" [pid 5847] mkdir("/dev/gadgetfs", 0777 [pid 5846] mkdir("./syz-tmp/newroot/syz-inputs", 0700 [pid 5845] mount("/sys/fs/smackfs", "./syz-tmp/newroot/sys/fs/smackfs", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5848] <... chdir resumed>) = 0 [pid 5848] mkdir("/dev/gadgetfs", 0777 [pid 5847] <... mkdir resumed>) = 0 [pid 5845] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5846] <... mkdir resumed>) = 0 [pid 5848] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5847] mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL [pid 5843] <... mkdir resumed>) = 0 [pid 5848] mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL [pid 5846] mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5847] <... mount resumed>) = 0 [pid 5845] mount("/proc/sys/fs/binfmt_misc", "./syz-tmp/newroot/proc/sys/fs/binfmt_misc", NULL, MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5843] mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5846] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5848] <... mount resumed>) = 0 [pid 5847] mkdir("/dev/binderfs", 0777 [pid 5846] mkdir("./syz-tmp/pivot", 0777 [pid 5845] <... mount resumed>) = 0 [pid 5843] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5847] <... mkdir resumed>) = 0 [pid 5848] mkdir("/dev/binderfs", 0777 [pid 5847] mount("binder", "/dev/binderfs", "binder", 0, NULL [pid 5845] mkdir("./syz-tmp/newroot/syz-inputs", 0700 [pid 5843] mkdir("./syz-tmp/pivot", 0777 [pid 5848] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5846] <... mkdir resumed>) = 0 [pid 5846] pivot_root("./syz-tmp", "./syz-tmp/pivot" [pid 5848] mount("binder", "/dev/binderfs", "binder", 0, NULL [pid 5846] <... pivot_root resumed>) = 0 [pid 5843] <... mkdir resumed>) = 0 [pid 5846] chdir("/" [pid 5848] <... mount resumed>) = 0 [pid 5847] <... mount resumed>) = 0 [pid 5845] <... mkdir resumed>) = 0 [pid 5843] pivot_root("./syz-tmp", "./syz-tmp/pivot" [pid 5848] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL [pid 5847] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL [pid 5846] <... chdir resumed>) = 0 [pid 5845] mount("/syz-inputs", "./syz-tmp/newroot/syz-inputs", NULL, MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE, NULL [pid 5848] <... mount resumed>) = -1 EBUSY (Device or resource busy) [pid 5847] <... mount resumed>) = -1 EBUSY (Device or resource busy) [pid 5846] umount2("./pivot", MNT_DETACH [pid 5845] <... mount resumed>) = -1 ENOENT (No such file or directory) [pid 5843] <... pivot_root resumed>) = 0 [pid 5848] mkdir("./0", 0777 [pid 5847] mkdir("./0", 0777 [pid 5846] <... umount2 resumed>) = 0 [pid 5845] mkdir("./syz-tmp/pivot", 0777 [pid 5843] chdir("/" [pid 5848] <... mkdir resumed>) = 0 [pid 5847] <... mkdir resumed>) = 0 [pid 5846] chroot("./newroot" [pid 5845] <... mkdir resumed>) = 0 [pid 5843] <... chdir resumed>) = 0 [pid 5846] <... chroot resumed>) = 0 [pid 5848] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5846] chdir("/" [pid 5847] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5846] <... chdir resumed>) = 0 [pid 5845] pivot_root("./syz-tmp", "./syz-tmp/pivot" [pid 5843] umount2("./pivot", MNT_DETACH./strace-static-x86_64: Process 5856 attached ./strace-static-x86_64: Process 5855 attached [pid 5848] <... clone resumed>, child_tidptr=0x5555570e7650) = 2 [pid 5846] mkdir("/dev/gadgetfs", 0777 [pid 5845] <... pivot_root resumed>) = 0 [pid 5856] set_robust_list(0x5555570e7660, 24 [pid 5855] set_robust_list(0x5555570e7660, 24 [pid 5847] <... clone resumed>, child_tidptr=0x5555570e7650) = 2 [pid 5846] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5843] <... umount2 resumed>) = 0 [pid 5856] <... set_robust_list resumed>) = 0 [pid 5846] mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL [pid 5856] chdir("./0" [pid 5855] <... set_robust_list resumed>) = 0 [pid 5846] <... mount resumed>) = 0 [pid 5845] chdir("/" [pid 5843] chroot("./newroot" [pid 5855] chdir("./0" [pid 5845] <... chdir resumed>) = 0 [pid 5856] <... chdir resumed>) = 0 [pid 5846] mkdir("/dev/binderfs", 0777 [pid 5843] <... chroot resumed>) = 0 [pid 5856] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5846] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5856] <... prctl resumed>) = 0 [pid 5846] mount("binder", "/dev/binderfs", "binder", 0, NULL [pid 5843] chdir("/" [pid 5856] setpgid(0, 0 [pid 5855] <... chdir resumed>) = 0 [pid 5845] umount2("./pivot", MNT_DETACH [pid 5855] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5856] <... setpgid resumed>) = 0 [pid 5846] <... mount resumed>) = 0 [pid 5843] <... chdir resumed>) = 0 [pid 5855] setpgid(0, 0 [pid 5845] <... umount2 resumed>) = 0 [pid 5856] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5855] <... setpgid resumed>) = 0 [pid 5843] mkdir("/dev/gadgetfs", 0777 [pid 5855] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5845] chroot("./newroot" [pid 5846] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL [pid 5843] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5856] <... openat resumed>) = 3 [pid 5855] <... openat resumed>) = 3 [pid 5845] <... chroot resumed>) = 0 [pid 5845] chdir("/") = 0 [pid 5856] write(3, "1000", 4 [pid 5855] write(3, "1000", 4 [pid 5846] <... mount resumed>) = -1 EBUSY (Device or resource busy) [pid 5845] mkdir("/dev/gadgetfs", 0777 [pid 5843] mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL [pid 5856] <... write resumed>) = 4 [pid 5856] close(3) = 0 [pid 5855] <... write resumed>) = 4 [pid 5845] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5856] symlink("/dev/binderfs", "./binderfs" [pid 5855] close(3 [pid 5845] mount("gadgetfs", "/dev/gadgetfs", "gadgetfs", 0, NULL [pid 5856] <... symlink resumed>) = 0 [pid 5855] <... close resumed>) = 0 [pid 5846] mkdir("./0", 0777 [pid 5845] <... mount resumed>) = 0 [pid 5843] <... mount resumed>) = 0 executing program [pid 5856] write(1, "executing program\n", 18 [pid 5855] symlink("/dev/binderfs", "./binderfs" [pid 5845] mkdir("/dev/binderfs", 0777 [pid 5856] <... write resumed>) = 18 [pid 5855] <... symlink resumed>) = 0 [pid 5846] <... mkdir resumed>) = 0 [pid 5843] mkdir("/dev/binderfs", 0777 [pid 5856] getpid(executing program [pid 5855] write(1, "executing program\n", 18 [pid 5845] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5856] <... getpid resumed>) = 2 [pid 5846] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5843] <... mkdir resumed>) = -1 EEXIST (File exists) [pid 5856] pidfd_open(2, 0 [pid 5855] <... write resumed>) = 18 [pid 5845] mount("binder", "/dev/binderfs", "binder", 0, NULL [pid 5843] mount("binder", "/dev/binderfs", "binder", 0, NULL./strace-static-x86_64: Process 5857 attached [pid 5856] <... pidfd_open resumed>) = 3 [pid 5855] getpid( [pid 5845] <... mount resumed>) = 0 [pid 5857] set_robust_list(0x5555570e7660, 24 [pid 5856] openat(AT_FDCWD, "./binderfs/binder0", O_RDONLY [pid 5855] <... getpid resumed>) = 2 [pid 5846] <... clone resumed>, child_tidptr=0x5555570e7650) = 2 [pid 5843] <... mount resumed>) = 0 [pid 5857] <... set_robust_list resumed>) = 0 [pid 5855] pidfd_open(2, 0) = 3 [pid 5855] openat(AT_FDCWD, "./binderfs/binder0", O_RDONLY [pid 5856] <... openat resumed>) = 4 [pid 5843] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL [pid 5857] chdir("./0" [pid 5855] <... openat resumed>) = 4 [pid 5845] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5855] setns(3, CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWPID [pid 5856] setns(3, CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWPID [pid 5855] <... setns resumed>) = 0 [pid 5843] <... mount resumed>) = -1 EBUSY (Device or resource busy) [pid 5855] umount2(".", MNT_DETACH [pid 5845] mkdir("./0", 0777 [pid 5857] <... chdir resumed>) = 0 [pid 5856] <... setns resumed>) = 0 [pid 5843] mkdir("./0", 0777 [pid 5857] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5856] umount2(".", MNT_DETACH [pid 5857] <... prctl resumed>) = 0 [pid 5856] <... umount2 resumed>) = 0 [pid 5855] <... umount2 resumed>) = 0 [pid 5845] <... mkdir resumed>) = 0 [pid 5843] <... mkdir resumed>) = 0 [pid 5857] setpgid(0, 0) = 0 [pid 5857] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5857] write(3, "1000", 4 [pid 5856] close(3 [pid 5855] close(3 [pid 5845] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5843] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 5857] <... write resumed>) = 4 [pid 5856] <... close resumed>) = 0 [pid 5855] <... close resumed>) = 0 [pid 5857] close(3 [pid 5856] close(4 [pid 5855] close(4./strace-static-x86_64: Process 5859 attached ./strace-static-x86_64: Process 5858 attached [pid 5857] <... close resumed>) = 0 [pid 5843] <... clone resumed>, child_tidptr=0x5555570e7650) = 2 [pid 5858] set_robust_list(0x5555570e7660, 24 [pid 5859] set_robust_list(0x5555570e7660, 24 [pid 5858] <... set_robust_list resumed>) = 0 [pid 5857] symlink("/dev/binderfs", "./binderfs" [pid 5856] <... close resumed>) = 0 [pid 5859] <... set_robust_list resumed>) = 0 [pid 5858] chdir("./0") = 0 [pid 5857] <... symlink resumed>) = 0 [pid 5845] <... clone resumed>, child_tidptr=0x5555570e7650) = 2 [pid 5858] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5858] setpgid(0, 0) = 0 [pid 5859] chdir("./0" [pid 5857] write(1, "executing program\n", 18 [pid 5856] close(5executing program [pid 5859] <... chdir resumed>) = 0 [pid 5858] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5857] <... write resumed>) = 18 [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5859] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 5857] getpid( [pid 5856] close(6 [pid 5859] <... prctl resumed>) = 0 [pid 5858] <... openat resumed>) = 3 [pid 5857] <... getpid resumed>) = 2 [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5859] setpgid(0, 0 [pid 5857] pidfd_open(2, 0 [pid 5856] close(7 [pid 5859] <... setpgid resumed>) = 0 [pid 5858] write(3, "1000", 4 [pid 5857] <... pidfd_open resumed>) = 3 [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5859] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 5858] <... write resumed>) = 4 [pid 5857] openat(AT_FDCWD, "./binderfs/binder0", O_RDONLY [pid 5856] close(8) = -1 EBADF (Bad file descriptor) [pid 5858] close(3 [pid 5856] close(9 [pid 5859] <... openat resumed>) = 3 [pid 5858] <... close resumed>) = 0 [pid 5857] <... openat resumed>) = 4 [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5858] symlink("/dev/binderfs", "./binderfs" [pid 5856] close(10) = -1 EBADF (Bad file descriptor) [pid 5858] <... symlink resumed>) = 0 [pid 5856] close(11 [pid 5859] write(3, "1000", 4 [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5859] <... write resumed>) = 4 [pid 5857] setns(3, CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWPID [pid 5856] close(12executing program [pid 5859] close(3 [pid 5858] write(1, "executing program\n", 18 [pid 5857] <... setns resumed>) = 0 [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5859] <... close resumed>) = 0 [pid 5858] <... write resumed>) = 18 [pid 5857] umount2(".", MNT_DETACH [pid 5859] symlink("/dev/binderfs", "./binderfs" [pid 5858] getpid( [pid 5856] close(13 [pid 5859] <... symlink resumed>) = 0 [pid 5858] <... getpid resumed>) = 2 [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5858] pidfd_open(2, 0 [pid 5856] close(14executing program [pid 5859] write(1, "executing program\n", 18 [pid 5858] <... pidfd_open resumed>) = 3 [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5859] <... write resumed>) = 18 [pid 5858] openat(AT_FDCWD, "./binderfs/binder0", O_RDONLY [pid 5856] close(15 [pid 5859] getpid( [pid 5858] <... openat resumed>) = 4 [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5859] <... getpid resumed>) = 2 [pid 5859] pidfd_open(2, 0 [pid 5856] close(16) = -1 EBADF (Bad file descriptor) [pid 5859] <... pidfd_open resumed>) = 3 [pid 5856] close(17) = -1 EBADF (Bad file descriptor) [pid 5858] setns(3, CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWPID) = 0 [pid 5856] close(18 [pid 5859] openat(AT_FDCWD, "./binderfs/binder0", O_RDONLY [pid 5858] umount2(".", MNT_DETACH [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5856] close(19 [pid 5859] <... openat resumed>) = 4 [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5856] close(20 [pid 5859] setns(3, CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWPID [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5856] close(21 [pid 5859] <... setns resumed>) = 0 [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5856] close(22 [pid 5859] umount2(".", MNT_DETACH [pid 5856] <... close resumed>) = -1 EBADF (Bad file descriptor) [pid 5856] close(23) = -1 EBADF (Bad file descriptor) [pid 5856] close(24) = -1 EBADF (Bad file descriptor) [pid 5856] close(25) = -1 EBADF (Bad file descriptor) [pid 5856] close(26) = -1 EBADF (Bad file descriptor) [pid 5856] close(27) = -1 EBADF (Bad file descriptor) [pid 5856] close(28) = -1 EBADF (Bad file descriptor) [pid 5856] close(29) = -1 EBADF (Bad file descriptor) [ 88.601560][ T5855] ================================================================== [ 88.609719][ T5855] BUG: KASAN: slab-use-after-free in binder_remove_device+0xa1/0xe0 [ 88.617747][ T5855] Write of size 8 at addr ffff8880243b2408 by task syz-executor693/5855 [ 88.626197][ T5855] [ 88.628562][ T5855] CPU: 1 UID: 0 PID: 5855 Comm: syz-executor693 Not tainted 6.15.0-rc7-next-20250523-syzkaller #0 PREEMPT(full) [ 88.628587][ T5855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 88.628598][ T5855] Call Trace: [ 88.628605][ T5855] [ 88.628613][ T5855] dump_stack_lvl+0x189/0x250 [ 88.628634][ T5855] ? __virt_addr_valid+0x1c8/0x5c0 [ 88.628653][ T5855] ? rcu_is_watching+0x15/0xb0 [ 88.628669][ T5855] ? __kasan_check_byte+0x12/0x40 [ 88.628702][ T5855] ? __pfx_dump_stack_lvl+0x10/0x10 [ 88.628718][ T5855] ? rcu_is_watching+0x15/0xb0 [ 88.628735][ T5855] ? lock_release+0x4b/0x3e0 [ 88.628762][ T5855] ? __virt_addr_valid+0x1c8/0x5c0 [ 88.628781][ T5855] ? __virt_addr_valid+0x4a5/0x5c0 [ 88.628801][ T5855] print_report+0xd2/0x2b0 [ 88.628825][ T5855] ? binder_remove_device+0xa1/0xe0 [ 88.628843][ T5855] kasan_report+0x118/0x150 [ 88.628862][ T5855] ? binder_remove_device+0xa1/0xe0 [ 88.628882][ T5855] binder_remove_device+0xa1/0xe0 [ 88.628900][ T5855] binderfs_evict_inode+0x16b/0x240 [ 88.628929][ T5855] ? __pfx_binderfs_evict_inode+0x10/0x10 [ 88.628956][ T5855] evict+0x501/0x9c0 [ 88.628985][ T5855] ? __pfx_evict+0x10/0x10 [ 88.629009][ T5855] ? do_raw_spin_unlock+0x122/0x240 [ 88.629032][ T5855] ? _raw_spin_unlock+0x28/0x50 [ 88.629059][ T5855] ? iput+0x6d8/0x9d0 [ 88.629082][ T5855] __dentry_kill+0x209/0x660 [ 88.629113][ T5855] ? shrink_kill+0x8d/0x2c0 [ 88.629135][ T5855] shrink_kill+0xa9/0x2c0 [ 88.629157][ T5855] shrink_dentry_list+0x2e0/0x5e0 [ 88.629183][ T5855] shrink_dcache_parent+0xa1/0x2c0 [ 88.629210][ T5855] ? __pfx_shrink_dcache_parent+0x10/0x10 [ 88.629239][ T5855] do_one_tree+0x23/0xe0 [ 88.629260][ T5855] shrink_dcache_for_umount+0xa0/0x170 [ 88.629282][ T5855] generic_shutdown_super+0x67/0x2c0 [ 88.629305][ T5855] kill_litter_super+0x76/0xb0 [ 88.629330][ T5855] binderfs_kill_super+0x44/0x90 [ 88.629353][ T5855] deactivate_locked_super+0xb9/0x130 [ 88.629376][ T5855] cleanup_mnt+0x425/0x4c0 [ 88.629397][ T5855] ? lockdep_hardirqs_on+0x9c/0x150 [ 88.629417][ T5855] task_work_run+0x1d4/0x260 [ 88.629440][ T5855] ? __pfx_task_work_run+0x10/0x10 [ 88.629464][ T5855] ptrace_notify+0x281/0x2c0 [ 88.629489][ T5855] ? __pfx_ptrace_notify+0x10/0x10 [ 88.629512][ T5855] ? fput_close_sync+0x119/0x200 [ 88.629535][ T5855] ? __pfx_fput_close_sync+0x10/0x10 [ 88.629561][ T5855] syscall_exit_work+0xc6/0x1d0 [ 88.629587][ T5855] do_syscall_64+0x2ad/0x3b0 [ 88.629608][ T5855] ? lockdep_hardirqs_on+0x9c/0x150 [ 88.629626][ T5855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 88.629644][ T5855] ? clear_bhb_loop+0x60/0xb0 [ 88.629686][ T5855] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 88.629703][ T5855] RIP: 0033:0x7f4776b79a80 [ 88.629720][ T5855] Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 80 3d 01 96 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c [ 88.629736][ T5855] RSP: 002b:00007ffe4149d1d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 88.629757][ T5855] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007f4776b79a80 [ 88.629769][ T5855] RDX: 00007f4776b7a959 RSI: 0000000000000002 RDI: 0000000000000004 [ 88.629781][ T5855] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 88.629792][ T5855] R10: 0000000000000000 R11: 0000000000000202 R12: 00007f4776bc91dc [ 88.629803][ T5855] R13: 00007f4776bc40f0 R14: 00007ffe4149d210 R15: 0000000000000000 [ 88.629822][ T5855] [ 88.629829][ T5855] [ 88.971845][ T5855] Allocated by task 5847: [ 88.976185][ T5855] kasan_save_track+0x3e/0x80 [ 88.980887][ T5855] __kasan_kmalloc+0x93/0xb0 [ 88.985569][ T5855] __kmalloc_cache_noprof+0x230/0x3d0 [ 88.990946][ T5855] binderfs_binder_device_create+0x1eb/0xc40 [ 88.996950][ T5855] binderfs_fill_super+0xa0e/0xe90 [ 89.002176][ T5855] get_tree_nodev+0xbb/0x150 [ 89.006778][ T5855] vfs_get_tree+0x92/0x2b0 [ 89.011196][ T5855] do_new_mount+0x24a/0xa40 [ 89.015706][ T5855] __se_sys_mount+0x317/0x410 [ 89.020388][ T5855] do_syscall_64+0xfa/0x3b0 [ 89.024901][ T5855] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.030822][ T5855] [ 89.033187][ T5855] Freed by task 24: [ 89.037005][ T5855] kasan_save_track+0x3e/0x80 [ 89.041720][ T5855] kasan_save_free_info+0x46/0x50 [ 89.046759][ T5855] __kasan_slab_free+0x62/0x70 [ 89.051525][ T5855] kfree+0x18e/0x440 [ 89.055701][ T5855] binder_proc_dec_tmpref+0x228/0x4f0 [ 89.061257][ T5855] binder_deferred_func+0x13a5/0x1520 [ 89.066645][ T5855] process_scheduled_works+0xade/0x17b0 [ 89.072204][ T5855] worker_thread+0x8a0/0xda0 [ 89.076963][ T5855] kthread+0x711/0x8a0 [ 89.081064][ T5855] ret_from_fork+0x3fc/0x770 [ 89.085692][ T5855] ret_from_fork_asm+0x1a/0x30 [ 89.090486][ T5855] [ 89.092821][ T5855] The buggy address belongs to the object at ffff8880243b2400 [ 89.092821][ T5855] which belongs to the cache kmalloc-512 of size 512 [ 89.107067][ T5855] The buggy address is located 8 bytes inside of [ 89.107067][ T5855] freed 512-byte region [ffff8880243b2400, ffff8880243b2600) [ 89.120791][ T5855] [ 89.123145][ T5855] The buggy address belongs to the physical page: [ 89.129615][ T5855] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x243b0 [ 89.138873][ T5855] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 89.147667][ T5855] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 89.155851][ T5855] page_type: f5(slab) [ 89.160015][ T5855] raw: 00fff00000000040 ffff88801a441c80 0000000000000000 dead000000000001 [ 89.168604][ T5855] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 89.177281][ T5855] head: 00fff00000000040 ffff88801a441c80 0000000000000000 dead000000000001 [ 89.186128][ T5855] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 89.194814][ T5855] head: 00fff00000000002 ffffea000090ec01 00000000ffffffff 00000000ffffffff [ 89.203490][ T5855] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 89.212164][ T5855] page dumped because: kasan: bad access detected [ 89.218755][ T5855] page_owner tracks the page as allocated [ 89.224496][ T5855] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5206, tgid 5206 (udevadm), ts 34548316419, free_ts 34459597486 [ 89.245722][ T5855] post_alloc_hook+0x240/0x2a0 [ 89.251231][ T5855] get_page_from_freelist+0x21e4/0x22c0 [ 89.256908][ T5855] __alloc_frozen_pages_noprof+0x181/0x370 [ 89.262913][ T5855] alloc_pages_mpol+0x232/0x4a0 [ 89.267974][ T5855] allocate_slab+0x8a/0x3b0 [ 89.272488][ T5855] ___slab_alloc+0xbfc/0x1480 [ 89.277343][ T5855] __kmalloc_cache_noprof+0x296/0x3d0 [ 89.282729][ T5855] kernfs_fop_open+0x397/0xca0 [ 89.287581][ T5855] do_dentry_open+0xdf0/0x1970 [ 89.292474][ T5855] vfs_open+0x3b/0x340 [ 89.296691][ T5855] path_openat+0x2ee5/0x3830 [ 89.301325][ T5855] do_filp_open+0x1fa/0x410 [ 89.306198][ T5855] do_sys_openat2+0x121/0x1c0 [ 89.311116][ T5855] __x64_sys_openat+0x138/0x170 [ 89.316171][ T5855] do_syscall_64+0xfa/0x3b0 [ 89.320888][ T5855] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.326973][ T5855] page last free pid 5206 tgid 5206 stack trace: [ 89.333498][ T5855] __free_frozen_pages+0xc71/0xe70 [ 89.338831][ T5855] __put_partials+0x161/0x1c0 [ 89.343710][ T5855] put_cpu_partial+0x17c/0x250 [ 89.348617][ T5855] __slab_free+0x2f7/0x400 [ 89.353146][ T5855] qlist_free_all+0x97/0x140 [ 89.357852][ T5855] kasan_quarantine_reduce+0x148/0x160 [ 89.363554][ T5855] __kasan_slab_alloc+0x22/0x80 [ 89.368428][ T5855] kmem_cache_alloc_noprof+0x1c1/0x3c0 [ 89.373897][ T5855] getname_flags+0xb8/0x540 [ 89.378470][ T5855] do_readlinkat+0xbc/0x500 [ 89.382988][ T5855] __x64_sys_readlink+0x7f/0x90 [ 89.387969][ T5855] do_syscall_64+0xfa/0x3b0 [ 89.392514][ T5855] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.398506][ T5855] [ 89.400858][ T5855] Memory state around the buggy address: [ 89.406577][ T5855] ffff8880243b2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 89.414815][ T5855] ffff8880243b2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 89.422879][ T5855] >ffff8880243b2400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.430948][ T5855] ^ [ 89.435386][ T5855] ffff8880243b2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 89.443549][ T5855] ffff8880243b2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [pid 5856] exit_group(0) = ? [ 89.451609][ T5855] ================================================================== [ 89.460319][ T5855] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 89.467743][ T5855] CPU: 1 UID: 0 PID: 5855 Comm: syz-executor693 Not tainted 6.15.0-rc7-next-20250523-syzkaller #0 PREEMPT(full) [ 89.479746][ T5855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 89.489916][ T5855] Call Trace: [ 89.493214][ T5855] [ 89.496166][ T5855] dump_stack_lvl+0x99/0x250 [ 89.500955][ T5855] ? __asan_memcpy+0x40/0x70 [ 89.505562][ T5855] ? __pfx_dump_stack_lvl+0x10/0x10 [ 89.510775][ T5855] ? __pfx__printk+0x10/0x10 [ 89.515472][ T5855] panic+0x2db/0x790 [ 89.519401][ T5855] ? __pfx_panic+0x10/0x10 [ 89.523840][ T5855] ? _raw_spin_unlock_irqrestore+0xa8/0x110 [ 89.529763][ T5855] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 89.535710][ T5855] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 89.542140][ T5855] ? print_memory_metadata+0x314/0x400 [ 89.547705][ T5855] ? binder_remove_device+0xa1/0xe0 [ 89.552928][ T5855] check_panic_on_warn+0x89/0xb0 [ 89.557903][ T5855] ? binder_remove_device+0xa1/0xe0 [ 89.563107][ T5855] end_report+0x78/0x160 [ 89.567458][ T5855] kasan_report+0x129/0x150 [ 89.572094][ T5855] ? binder_remove_device+0xa1/0xe0 [ 89.577327][ T5855] binder_remove_device+0xa1/0xe0 [ 89.582367][ T5855] binderfs_evict_inode+0x16b/0x240 [ 89.587938][ T5855] ? __pfx_binderfs_evict_inode+0x10/0x10 [ 89.593670][ T5855] evict+0x501/0x9c0 [ 89.597581][ T5855] ? __pfx_evict+0x10/0x10 [ 89.602023][ T5855] ? do_raw_spin_unlock+0x122/0x240 [ 89.607376][ T5855] ? _raw_spin_unlock+0x28/0x50 [ 89.612253][ T5855] ? iput+0x6d8/0x9d0 [ 89.616259][ T5855] __dentry_kill+0x209/0x660 [ 89.620870][ T5855] ? shrink_kill+0x8d/0x2c0 [ 89.625410][ T5855] shrink_kill+0xa9/0x2c0 [ 89.629921][ T5855] shrink_dentry_list+0x2e0/0x5e0 [ 89.634997][ T5855] shrink_dcache_parent+0xa1/0x2c0 [ 89.640303][ T5855] ? __pfx_shrink_dcache_parent+0x10/0x10 [ 89.646041][ T5855] do_one_tree+0x23/0xe0 [ 89.650298][ T5855] shrink_dcache_for_umount+0xa0/0x170 [ 89.655782][ T5855] generic_shutdown_super+0x67/0x2c0 [ 89.661116][ T5855] kill_litter_super+0x76/0xb0 [ 89.666013][ T5855] binderfs_kill_super+0x44/0x90 [ 89.670974][ T5855] deactivate_locked_super+0xb9/0x130 [ 89.676452][ T5855] cleanup_mnt+0x425/0x4c0 [ 89.680968][ T5855] ? lockdep_hardirqs_on+0x9c/0x150 [ 89.686285][ T5855] task_work_run+0x1d4/0x260 [ 89.690889][ T5855] ? __pfx_task_work_run+0x10/0x10 [ 89.696103][ T5855] ptrace_notify+0x281/0x2c0 [ 89.700979][ T5855] ? __pfx_ptrace_notify+0x10/0x10 [ 89.706104][ T5855] ? fput_close_sync+0x119/0x200 [ 89.711067][ T5855] ? __pfx_fput_close_sync+0x10/0x10 [ 89.716551][ T5855] syscall_exit_work+0xc6/0x1d0 [ 89.721417][ T5855] do_syscall_64+0x2ad/0x3b0 [ 89.726112][ T5855] ? lockdep_hardirqs_on+0x9c/0x150 [ 89.731350][ T5855] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.737514][ T5855] ? clear_bhb_loop+0x60/0xb0 [ 89.742291][ T5855] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 89.748288][ T5855] RIP: 0033:0x7f4776b79a80 [ 89.753169][ T5855] Code: ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 80 3d 01 96 07 00 00 74 17 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c [ 89.773219][ T5855] RSP: 002b:00007ffe4149d1d8 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 89.781736][ T5855] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00007f4776b79a80 [ 89.789716][ T5855] RDX: 00007f4776b7a959 RSI: 0000000000000002 RDI: 0000000000000004 [ 89.797786][ T5855] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 [ 89.805772][ T5855] R10: 0000000000000000 R11: 0000000000000202 R12: 00007f4776bc91dc [ 89.813760][ T5855] R13: 00007f4776bc40f0 R14: 00007ffe4149d210 R15: 0000000000000000 [ 89.822011][ T5855] [ 89.825591][ T5855] Kernel Offset: disabled [ 89.829932][ T5855] Rebooting in 86400 seconds..