./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2238868008 <...> Warning: Permanently added '10.128.1.24' (ED25519) to the list of known hosts. execve("./syz-executor2238868008", ["./syz-executor2238868008"], 0x7ffca2c7f580 /* 10 vars */) = 0 brk(NULL) = 0x55556b6f0000 brk(0x55556b6f0d00) = 0x55556b6f0d00 arch_prctl(ARCH_SET_FS, 0x55556b6f0380) = 0 set_tid_address(0x55556b6f0650) = 296 set_robust_list(0x55556b6f0660, 24) = 0 rseq(0x55556b6f0ca0, 0x20, 0, 0x53053053) = -1 ENOSYS (Function not implemented) prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor2238868008", 4096) = 28 getrandom("\xd1\x37\xc1\x9d\xbf\xa8\xc6\x92", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556b6f0d00 brk(0x55556b711d00) = 0x55556b711d00 brk(0x55556b712000) = 0x55556b712000 mprotect(0x7f4e97bf1000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.czyDf4", 0700) = 0 chmod("./syzkaller.czyDf4", 0777) = 0 chdir("./syzkaller.czyDf4") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556b6f0650) = 297 ./strace-static-x86_64: Process 297 attached [pid 297] set_robust_list(0x55556b6f0660, 24) = 0 [pid 297] chdir("./0") = 0 [pid 297] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 297] setpgid(0, 0) = 0 [pid 297] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 297] write(3, "1000", 4) = 4 [pid 297] close(3) = 0 [pid 297] symlink("/dev/binderfs", "./binderfs") = 0 [pid 297] write(1, "executing program\n", 18executing program ) = 18 [pid 297] memfd_create("syzkaller", 0) = 3 [pid 297] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4e8f73e000 [pid 297] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 262144) = 262144 [pid 297] munmap(0x7f4e8f73e000, 138412032) = 0 [pid 297] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 297] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 297] close(3) = 0 [pid 297] close(4) = 0 [pid 297] mkdir("./file0", 0777) = 0 [ 22.972258][ T28] audit: type=1400 audit(1734087122.900:66): avc: denied { execmem } for pid=296 comm="syz-executor223" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 23.002542][ T297] loop0: detected capacity change from 0 to 512 [ 23.003750][ T28] audit: type=1400 audit(1734087122.900:67): avc: denied { read write } for pid=296 comm="syz-executor223" name="loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 23.011420][ T297] EXT4-fs: Ignoring removed mblk_io_submit option [ 23.040957][ T28] audit: type=1400 audit(1734087122.900:68): avc: denied { open } for pid=296 comm="syz-executor223" path="/dev/loop0" dev="devtmpfs" ino=114 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 23.042155][ T297] EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: comm syz-executor223: inode #1: comm syz-executor223: iget: illegal inode # [ 23.065333][ T28] audit: type=1400 audit(1734087122.900:69): avc: denied { ioctl } for pid=296 comm="syz-executor223" path="/dev/loop0" dev="devtmpfs" ino=114 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 23.079095][ T297] EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz-executor223: error while reading EA inode 1 err=-117 [ 23.104043][ T28] audit: type=1400 audit(1734087122.940:70): avc: denied { mounton } for pid=297 comm="syz-executor223" path="/root/syzkaller.czyDf4/0/file0" dev="sda1" ino=1930 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1 [ 23.116539][ T297] EXT4-fs warning (device loop0): ext4_expand_extra_isize_ea:2809: Unable to expand inode 15. Delete some EAs or run e2fsck. [ 23.153253][ T297] EXT4-fs error (device loop0): ext4_xattr_inode_iget:404: comm syz-executor223: inode #1: comm syz-executor223: iget: illegal inode # [pid 297] mount("/dev/loop0", "./file0", "ext4", MS_NOSYMFOLLOW|MS_NOATIME|MS_I_VERSION|0x200, "journal_ioprio=0x0000000000000005,journal_dev=0x0000000000008000,debug_want_extra_isize=0x0000000000"...) = 0 [pid 297] openat(AT_FDCWD, "./file0", O_RDONLY|O_DIRECTORY) = 3 [pid 297] chdir("./file0") = 0 [pid 297] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 297] ioctl(4, LOOP_CLR_FD) = 0 [pid 297] close(4) = 0 [pid 297] mount("./file0", "./file0", "incremental-fs", 0, NULL) = 0 [pid 297] exit_group(0) = ? [pid 297] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=297, si_uid=0, si_status=0, si_utime=0, si_stime=11} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x55556b6f16f0 /* 4 entries */, 32768) = 112 umount2("./0/binderfs", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) newfstatat(AT_FDCWD, "./0/file0", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file0", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EBUSY (Device or resource busy) openat(AT_FDCWD, "./0/file0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0755, st_size=1024, ...}, AT_EMPTY_PATH) = 0 [ 23.167101][ T297] EXT4-fs error (device loop0): ext4_xattr_inode_iget:409: comm syz-executor223: error while reading EA inode 1 err=-117 [ 23.179819][ T297] EXT4-fs (loop0): 1 orphan inode deleted [ 23.185358][ T297] EXT4-fs (loop0): mounted filesystem without journal. Quota mode: none. [ 23.194046][ T28] audit: type=1400 audit(1734087123.120:71): avc: denied { mount } for pid=297 comm="syz-executor223" name="/" dev="loop0" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 getdents64(4, 0x55556b6f9730 /* 5 entries */, 32768) = 144 umount2("./0/file0/lost+found", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file0/lost+found", {st_mode=S_IFBLK|S_ISVTX|0614, st_rdev=makedev(0, 0xe), ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/file0/lost+found") = 0 umount2("./0/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/file0/file1", {st_mode=S_IFDIR|0700, st_size=60, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("./0/file0/file1", MNT_FORCE|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0/file0/file1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 5 newfstatat(5, "", {st_mode=S_IFDIR|0700, st_size=60, ...}, AT_EMPTY_PATH) = 0 getdents64(5, 0x55556b701770 /* 2 entries */, 32768) = 48 getdents64(5, 0x55556b701770 /* 0 entries */, 32768) = 0 close(5) = 0 rmdir("./0/file0/file1") = 0 [ 23.216535][ T28] audit: type=1400 audit(1734087123.140:72): avc: denied { mounton } for pid=297 comm="syz-executor223" path="/root/syzkaller.czyDf4/0/file0/file0" dev="loop0" ino=12 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 23.217774][ T296] EXT4-fs error (device loop0): htree_dirblock_to_tree:1112: inode #2: block 13: comm syz-executor223: bad entry in directory: rec_len is smaller than minimal - offset=76, inode=0, rec_len=0, size=1024 fake=0 [ 23.241998][ T28] audit: type=1400 audit(1734087123.140:73): avc: denied { write } for pid=297 comm="syz-executor223" name="file0" dev="loop0" ino=12 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 23.283755][ T296] ------------[ cut here ]------------ [ 23.283988][ T28] audit: type=1400 audit(1734087123.140:74): avc: denied { add_name } for pid=297 comm="syz-executor223" name=".index" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=dir permissive=1 [ 23.289057][ T296] kernel BUG at fs/namei.c:2954! [ 23.289390][ T296] invalid opcode: 0000 [#1] PREEMPT SMP KASAN [ 23.309917][ T28] audit: type=1400 audit(1734087123.140:75): avc: denied { create } for pid=297 comm="syz-executor223" name=".index" scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:unlabeled_t tclass=dir permissive=1 [ 23.314660][ T296] CPU: 0 PID: 296 Comm: syz-executor223 Not tainted 6.1.115-syzkaller-00017-g22b7ded8b55b #0 [ 23.350762][ T296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 [ 23.360643][ T296] RIP: 0010:may_delete+0x6eb/0x6f0 [ 23.365589][ T296] Code: 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c 7f fe ff ff 4c 89 e7 e8 16 6b f3 ff e9 72 fe ff ff e8 0c f9 ab ff 0f 0b e8 05 f9 ab ff <0f> 0b 0f 1f 00 55 48 89 e5 41 56 53 48 89 fb e8 f1 f8 ab ff 4c 8d [ 23.385029][ T296] RSP: 0018:ffffc90000f27b18 EFLAGS: 00010293 [ 23.390930][ T296] RAX: ffffffff81c98dab RBX: ffff88810d878360 RCX: ffff88811daa0000 [ 23.398745][ T296] RDX: 0000000000000000 RSI: 0000000000200000 RDI: 0000000000000000 [ 23.406556][ T296] RBP: ffffc90000f27b80 R08: ffffffff81c9873f R09: 0000000000000003 [ 23.414364][ T296] R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff88810db4e440 [ 23.422177][ T296] R13: 1ffff11021b69c88 R14: ffff88810057c608 R15: dffffc0000000000 [ 23.429985][ T296] FS: 000055556b6f0380(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 23.438753][ T296] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 23.445175][ T296] CR2: 000055556b709778 CR3: 00000001222b6000 CR4: 00000000003506b0 [ 23.452991][ T296] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 23.460799][ T296] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 23.468611][ T296] Call Trace: [ 23.471736][ T296] [ 23.474512][ T296] ? __die_body+0x62/0xb0 [ 23.478681][ T296] ? die+0x88/0xb0 [ 23.482236][ T296] ? do_trap+0x103/0x330 [ 23.486316][ T296] ? may_delete+0x6eb/0x6f0 [ 23.490673][ T296] ? handle_invalid_op+0x95/0xc0 [ 23.495431][ T296] ? may_delete+0x6eb/0x6f0 [ 23.499770][ T296] ? exc_invalid_op+0x32/0x50 [ 23.504283][ T296] ? asm_exc_invalid_op+0x1b/0x20 [ 23.509144][ T296] ? may_delete+0x7f/0x6f0 [ 23.513408][ T296] ? may_delete+0x6eb/0x6f0 [ 23.517734][ T296] ? may_delete+0x6eb/0x6f0 [ 23.522073][ T296] ? may_delete+0x6eb/0x6f0 [ 23.526416][ T296] vfs_rmdir+0x32/0x500 [ 23.530407][ T296] ? generic_shutdown_super+0x2b8/0x370 [ 23.535788][ T296] incfs_kill_sb+0x113/0x230 [ 23.540217][ T296] deactivate_locked_super+0xad/0x110 [ 23.545423][ T296] deactivate_super+0xbe/0xf0 [ 23.549937][ T296] cleanup_mnt+0x485/0x510 [ 23.554207][ T296] __cleanup_mnt+0x19/0x20 [ 23.558441][ T296] task_work_run+0x24d/0x2e0 [ 23.562869][ T296] ? task_work_cancel+0x2e0/0x2e0 [ 23.567729][ T296] ptrace_notify+0x29e/0x350 [ 23.572154][ T296] ? do_notify_parent+0xa20/0xa20 [ 23.577022][ T296] ? user_path_at_empty+0x14e/0x1a0 [ 23.582048][ T296] ? __x64_sys_umount+0x122/0x170 [ 23.586907][ T296] ? path_umount+0xe70/0xe70 [ 23.591338][ T296] syscall_exit_to_user_mode+0x99/0x130 [ 23.596718][ T296] do_syscall_64+0x47/0xb0 [ 23.600968][ T296] ? clear_bhb_loop+0x55/0xb0 [ 23.605482][ T296] entry_SYSCALL_64_after_hwframe+0x68/0xd2 [ 23.611211][ T296] RIP: 0033:0x7f4e97b7e507 [ 23.615463][ T296] Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 [ 23.634903][ T296] RSP: 002b:00007ffdb0588e98 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6 [ 23.643150][ T296] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f4e97b7e507 [ 23.651049][ T296] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffdb0588f50 [ 23.658861][ T296] RBP: 00007ffdb0588f50 R08: 0000000000000000 R09: 0000000000000000 [ 23.666670][ T296] R10: 00000000ffffffff R11: 0000000000000202 R12: 00007ffdb058a040 [ 23.674482][ T296] R13: 000055556b6f9700 R14: 431bde82d7b634db R15: 00007ffdb058b0d0 [ 23.682298][ T296] [ 23.685156][ T296] Modules linked in: [ 23.689114][ T296] ---[ end trace 0000000000000000 ]--- [ 23.694384][ T296] RIP: 0010:may_delete+0x6eb/0x6f0 [ 23.699421][ T296] Code: 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c 7f fe ff ff 4c 89 e7 e8 16 6b f3 ff e9 72 fe ff ff e8 0c f9 ab ff 0f 0b e8 05 f9 ab ff <0f> 0b 0f 1f 00 55 48 89 e5 41 56 53 48 89 fb e8 f1 f8 ab ff 4c 8d [ 23.718802][ T296] RSP: 0018:ffffc90000f27b18 EFLAGS: 00010293 [ 23.724663][ T296] RAX: ffffffff81c98dab RBX: ffff88810d878360 RCX: ffff88811daa0000 [ 23.732553][ T296] RDX: 0000000000000000 RSI: 0000000000200000 RDI: 0000000000000000 [ 23.740315][ T296] RBP: ffffc90000f27b80 R08: ffffffff81c9873f R09: 0000000000000003 [ 23.748140][ T296] R10: ffffffffffffffff R11: dffffc0000000001 R12: ffff88810db4e440 [ 23.755911][ T296] R13: 1ffff11021b69c88 R14: ffff88810057c608 R15: dffffc0000000000 [ 23.763824][ T296] FS: 000055556b6f0380(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 [ 23.772526][ T296] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 23.778950][ T296] CR2: 000055556b709778 CR3: 00000001222b6000 CR4: 00000000003506b0 [ 23.786722][ T296] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 23.794558][ T296] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 23.802359][ T296] Kernel panic - not syncing: Fatal exception [ 23.808617][ T296] Kernel Offset: disabled [ 23.812740][ T296] Rebooting in 86400 seconds..