./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor759966660 <...> Warning: Permanently added '10.128.0.81' (ED25519) to the list of known hosts. execve("./syz-executor759966660", ["./syz-executor759966660"], 0x7ffd60355040 /* 10 vars */) = 0 brk(NULL) = 0x55555612f000 brk(0x55555612fd00) = 0x55555612fd00 arch_prctl(ARCH_SET_FS, 0x55555612f380) = 0 set_tid_address(0x55555612f650) = 5056 set_robust_list(0x55555612f660, 24) = 0 rseq(0x55555612fca0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor759966660", 4096) = 27 getrandom("\x9e\x77\xb9\xd3\x94\xcd\x02\x9b", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555612fd00 brk(0x555556150d00) = 0x555556150d00 brk(0x555556151000) = 0x555556151000 mprotect(0x7f0ad5276000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mkdir("./syzkaller.nC7fhi", 0700) = 0 chmod("./syzkaller.nC7fhi", 0777) = 0 chdir("./syzkaller.nC7fhi") = 0 mkdir("./0", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5057 attached , child_tidptr=0x55555612f650) = 5057 [pid 5057] set_robust_list(0x55555612f660, 24) = 0 [pid 5057] chdir("./0") = 0 [pid 5057] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5057] setpgid(0, 0) = 0 [pid 5057] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5057] write(3, "1000", 4) = 4 [pid 5057] close(3) = 0 [pid 5057] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5057] memfd_create("syzkaller", 0) = 3 [pid 5057] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0accdc3000 [pid 5057] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576 [pid 5057] munmap(0x7f0accdc3000, 138412032) = 0 [pid 5057] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5057] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5057] close(3) = 0 [pid 5057] mkdir("\x2e\x02", 0777) = 0 [ 56.198075][ T5057] loop0: detected capacity change from 0 to 2048 [ 56.224412][ T5057] UDF-fs: warning (device loop0): udf_load_vrs: No anchor found [ 56.232300][ T5057] UDF-fs: Scanning with blocksize 512 failed [pid 5057] mount("/dev/loop0", "\x2e\x02", "udf", 0, "") = 0 [pid 5057] openat(AT_FDCWD, "\x2e\x02", O_RDONLY|O_DIRECTORY) = 3 [pid 5057] chdir("\x2e\x02") = 0 [pid 5057] ioctl(4, LOOP_CLR_FD) = 0 [pid 5057] close(4) = 0 [pid 5057] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 5057] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 5057] creat("./bus", 000) = 5 [pid 5057] writev(5, [{iov_base="\x06", iov_len=1}], 1) = 1 [ 56.241683][ T5057] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000) [pid 5057] open("./bus", O_RDONLY) = 6 [pid 5057] sendfile(5, 6, NULL, 140737974943952) = 1048575 [pid 5057] exit_group(0) = ? [pid 5057] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5057, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- umount2("./0", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./0", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555561306f0 /* 4 entries */, 32768) = 104 umount2("./0/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./0/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./0/binderfs") = 0 umount2("\x2e\x2f\x30\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("\x2e\x2f\x30\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x30\x2f\x2e\x02", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x30\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x30\x2f\x2e\x02", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556138730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556138730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x30\x2f\x2e\x02") = 0 getdents64(3, 0x5555561306f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./0") = 0 mkdir("./1", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555612f650) = 5059 ./strace-static-x86_64: Process 5059 attached [pid 5059] set_robust_list(0x55555612f660, 24) = 0 [pid 5059] chdir("./1") = 0 [pid 5059] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5059] setpgid(0, 0) = 0 [pid 5059] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5059] write(3, "1000", 4) = 4 [pid 5059] close(3) = 0 [pid 5059] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5059] memfd_create("syzkaller", 0) = 3 [pid 5059] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0accdc3000 [pid 5059] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576 [pid 5059] munmap(0x7f0accdc3000, 138412032) = 0 [pid 5059] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5059] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5059] close(3) = 0 [pid 5059] mkdir("\x2e\x02", 0777) = 0 [ 56.737171][ T5059] loop0: detected capacity change from 0 to 2048 [ 56.764847][ T5059] UDF-fs: warning (device loop0): udf_load_vrs: No anchor found [ 56.772571][ T5059] UDF-fs: Scanning with blocksize 512 failed [pid 5059] mount("/dev/loop0", "\x2e\x02", "udf", 0, "") = 0 [pid 5059] openat(AT_FDCWD, "\x2e\x02", O_RDONLY|O_DIRECTORY) = 3 [pid 5059] chdir("\x2e\x02") = 0 [pid 5059] ioctl(4, LOOP_CLR_FD) = 0 [pid 5059] close(4) = 0 [ 56.782325][ T5059] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000) [pid 5059] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 5059] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 5059] creat("./bus", 000) = 5 [pid 5059] writev(5, [{iov_base="\x06", iov_len=1}], 1) = 1 [pid 5059] open("./bus", O_RDONLY) = 6 [pid 5059] sendfile(5, 6, NULL, 140737974943952) = 1048575 [pid 5059] exit_group(0) = ? [pid 5059] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5059, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- restart_syscall(<... resuming interrupted clone ...>) = 0 umount2("./1", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./1", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555561306f0 /* 4 entries */, 32768) = 104 umount2("./1/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./1/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./1/binderfs") = 0 umount2("\x2e\x2f\x31\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x31\x2f\x2e\x02", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x31\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x31\x2f\x2e\x02", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556138730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556138730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x31\x2f\x2e\x02") = 0 getdents64(3, 0x5555561306f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./1") = 0 mkdir("./2", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5060 attached , child_tidptr=0x55555612f650) = 5060 [pid 5060] set_robust_list(0x55555612f660, 24) = 0 [pid 5060] chdir("./2") = 0 [pid 5060] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5060] setpgid(0, 0) = 0 [pid 5060] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5060] write(3, "1000", 4) = 4 [pid 5060] close(3) = 0 [pid 5060] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5060] memfd_create("syzkaller", 0) = 3 [pid 5060] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0accdc3000 [pid 5060] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576 [pid 5060] munmap(0x7f0accdc3000, 138412032) = 0 [pid 5060] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5060] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5060] close(3) = 0 [pid 5060] mkdir("\x2e\x02", 0777) = 0 [ 57.225777][ T5060] loop0: detected capacity change from 0 to 2048 [ 57.252565][ T5060] UDF-fs: warning (device loop0): udf_load_vrs: No anchor found [ 57.260419][ T5060] UDF-fs: Scanning with blocksize 512 failed [pid 5060] mount("/dev/loop0", "\x2e\x02", "udf", 0, "") = 0 [pid 5060] openat(AT_FDCWD, "\x2e\x02", O_RDONLY|O_DIRECTORY) = 3 [pid 5060] chdir("\x2e\x02") = 0 [pid 5060] ioctl(4, LOOP_CLR_FD) = 0 [pid 5060] close(4) = 0 [pid 5060] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 5060] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 5060] creat("./bus", 000) = 5 [pid 5060] writev(5, [{iov_base="\x06", iov_len=1}], 1) = 1 [pid 5060] open("./bus", O_RDONLY) = 6 [ 57.269818][ T5060] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000) [pid 5060] sendfile(5, 6, NULL, 140737974943952) = 1048575 [pid 5060] exit_group(0) = ? [pid 5060] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5060, si_uid=0, si_status=0, si_utime=0, si_stime=7 /* 0.07 s */} --- umount2("./2", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./2", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555561306f0 /* 4 entries */, 32768) = 104 umount2("./2/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./2/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./2/binderfs") = 0 umount2("\x2e\x2f\x32\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x32\x2f\x2e\x02", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x32\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x32\x2f\x2e\x02", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556138730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556138730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x32\x2f\x2e\x02") = 0 getdents64(3, 0x5555561306f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./2") = 0 mkdir("./3", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5061 attached , child_tidptr=0x55555612f650) = 5061 [pid 5061] set_robust_list(0x55555612f660, 24) = 0 [pid 5061] chdir("./3") = 0 [pid 5061] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5061] setpgid(0, 0) = 0 [pid 5061] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5061] write(3, "1000", 4) = 4 [pid 5061] close(3) = 0 [pid 5061] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5061] memfd_create("syzkaller", 0) = 3 [pid 5061] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0accdc3000 [pid 5061] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576 [pid 5061] munmap(0x7f0accdc3000, 138412032) = 0 [pid 5061] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5061] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5061] close(3) = 0 [pid 5061] mkdir("\x2e\x02", 0777) = 0 [pid 5061] mount("/dev/loop0", "\x2e\x02", "udf", 0, "") = 0 [pid 5061] openat(AT_FDCWD, "\x2e\x02", O_RDONLY|O_DIRECTORY) = 3 [pid 5061] chdir("\x2e\x02") = 0 [pid 5061] ioctl(4, LOOP_CLR_FD) = 0 [pid 5061] close(4) = 0 [ 57.712707][ T5061] loop0: detected capacity change from 0 to 2048 [ 57.730545][ T5061] UDF-fs: warning (device loop0): udf_load_vrs: No anchor found [ 57.738286][ T5061] UDF-fs: Scanning with blocksize 512 failed [ 57.747294][ T5061] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000) [pid 5061] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 5061] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 5061] creat("./bus", 000) = 5 [pid 5061] writev(5, [{iov_base="\x06", iov_len=1}], 1) = 1 [pid 5061] open("./bus", O_RDONLY) = 6 [pid 5061] sendfile(5, 6, NULL, 140737974943952) = 1048575 [pid 5061] exit_group(0) = ? [pid 5061] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5061, si_uid=0, si_status=0, si_utime=0, si_stime=4 /* 0.04 s */} --- umount2("./3", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./3", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555561306f0 /* 4 entries */, 32768) = 104 umount2("./3/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./3/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./3/binderfs") = 0 umount2("\x2e\x2f\x33\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = 0 umount2("\x2e\x2f\x33\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "\x2e\x2f\x33\x2f\x2e\x02", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_SYMLINK_NOFOLLOW) = 0 umount2("\x2e\x2f\x33\x2f\x2e\x02", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "\x2e\x2f\x33\x2f\x2e\x02", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 newfstatat(4, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(4, 0x555556138730 /* 2 entries */, 32768) = 48 getdents64(4, 0x555556138730 /* 0 entries */, 32768) = 0 close(4) = 0 rmdir("\x2e\x2f\x33\x2f\x2e\x02") = 0 getdents64(3, 0x5555561306f0 /* 0 entries */, 32768) = 0 close(3) = 0 rmdir("./3") = 0 mkdir("./4", 0777) = 0 openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 3 ioctl(3, LOOP_CLR_FD) = -1 ENXIO (No such device or address) close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5062 attached [pid 5062] set_robust_list(0x55555612f660, 24) = 0 [pid 5062] chdir("./4" [pid 5056] <... clone resumed>, child_tidptr=0x55555612f650) = 5062 [pid 5062] <... chdir resumed>) = 0 [pid 5062] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5062] setpgid(0, 0) = 0 [pid 5062] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 5062] write(3, "1000", 4) = 4 [pid 5062] close(3) = 0 [pid 5062] symlink("/dev/binderfs", "./binderfs") = 0 [pid 5062] memfd_create("syzkaller", 0) = 3 [pid 5062] mmap(NULL, 138412032, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0accdc3000 [pid 5062] write(3, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., 1048576) = 1048576 [pid 5062] munmap(0x7f0accdc3000, 138412032) = 0 [pid 5062] openat(AT_FDCWD, "/dev/loop0", O_RDWR) = 4 [pid 5062] ioctl(4, LOOP_SET_FD, 3) = 0 [pid 5062] close(3) = 0 [pid 5062] mkdir("\x2e\x02", 0777) = 0 [ 58.140422][ T5062] loop0: detected capacity change from 0 to 2048 [ 58.170486][ T5062] UDF-fs: warning (device loop0): udf_load_vrs: No anchor found [ 58.178178][ T5062] UDF-fs: Scanning with blocksize 512 failed [pid 5062] mount("/dev/loop0", "\x2e\x02", "udf", 0, "") = 0 [pid 5062] openat(AT_FDCWD, "\x2e\x02", O_RDONLY|O_DIRECTORY) = 3 [pid 5062] chdir("\x2e\x02") = 0 [pid 5062] ioctl(4, LOOP_CLR_FD) = 0 [pid 5062] close(4) = 0 [pid 5062] open("./bus", O_RDWR|O_CREAT|O_NOCTTY|O_SYNC|O_NOATIME|FASYNC, 000) = 4 [pid 5062] mount("/dev/loop0", "./bus", NULL, MS_BIND, NULL) = 0 [pid 5062] creat("./bus", 000) = 5 [pid 5062] writev(5, [{iov_base="\x06", iov_len=1}], 1) = 1 [pid 5062] open("./bus", O_RDONLY) = 6 [ 58.187826][ T5062] UDF-fs: INFO Mounting volume 'LinuxUDF', timestamp 2022/11/22 14:59 (1000) [pid 5062] sendfile(5, 6, NULL, 140737974943952) = 1048575 [pid 5062] exit_group(0) = ? [pid 5062] +++ exited with 0 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5062, si_uid=0, si_status=0, si_utime=0, si_stime=5 /* 0.05 s */} --- umount2("./4", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) openat(AT_FDCWD, "./4", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3 newfstatat(3, "", {st_mode=S_IFDIR|0700, st_size=4096, ...}, AT_EMPTY_PATH) = 0 getdents64(3, 0x5555561306f0 /* 4 entries */, 32768) = 104 umount2("./4/binderfs", MNT_DETACH|UMOUNT_NOFOLLOW) = -1 EINVAL (Invalid argument) newfstatat(AT_FDCWD, "./4/binderfs", {st_mode=S_IFLNK|0777, st_size=13, ...}, AT_SYMLINK_NOFOLLOW) = 0 unlink("./4/binderfs") = 0 [ 58.266313][ T5056] ================================================================== [ 58.274453][ T5056] BUG: KASAN: use-after-free in crc_itu_t+0x1d5/0x2a0 [ 58.281441][ T5056] Read of size 1 at addr ffff8880763be000 by task syz-executor759/5056 [ 58.289668][ T5056] [ 58.291978][ T5056] CPU: 0 PID: 5056 Comm: syz-executor759 Not tainted 6.6.0-syzkaller-16176-g1b907d050735 #0 [ 58.302117][ T5056] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 58.312252][ T5056] Call Trace: [ 58.315514][ T5056] [ 58.318438][ T5056] dump_stack_lvl+0x1e7/0x2d0 [ 58.323314][ T5056] ? nf_tcp_handle_invalid+0x650/0x650 [ 58.328799][ T5056] ? panic+0x850/0x850 [ 58.332866][ T5056] ? _printk+0xd5/0x120 [ 58.337010][ T5056] print_report+0x163/0x540 [ 58.341500][ T5056] ? ktime_get_real_ts64+0x460/0x460 [ 58.346768][ T5056] ? __mutex_lock+0x2ee/0xd60 [ 58.351433][ T5056] ? time64_to_tm+0x331/0x4d0 [ 58.356117][ T5056] ? __virt_addr_valid+0x22f/0x2e0 [ 58.361242][ T5056] ? __phys_addr+0xba/0x170 [ 58.365822][ T5056] ? crc_itu_t+0x1d5/0x2a0 [ 58.370253][ T5056] kasan_report+0x142/0x170 [ 58.374850][ T5056] ? crc_itu_t+0x1d5/0x2a0 [ 58.379262][ T5056] crc_itu_t+0x1d5/0x2a0 [ 58.383500][ T5056] udf_sync_fs+0x1d2/0x380 [ 58.387914][ T5056] ? udf_put_super+0x160/0x160 [ 58.392668][ T5056] ? get_nr_dirty_inodes+0x1c7/0x210 [ 58.397946][ T5056] sync_filesystem+0xec/0x220 [ 58.402730][ T5056] generic_shutdown_super+0x72/0x2c0 [ 58.408030][ T5056] kill_block_super+0x44/0x90 [ 58.412965][ T5056] deactivate_locked_super+0xc1/0x130 [ 58.418335][ T5056] cleanup_mnt+0x426/0x4c0 [ 58.422815][ T5056] ? _raw_spin_unlock_irq+0x23/0x50 [ 58.428005][ T5056] task_work_run+0x24a/0x300 [ 58.432589][ T5056] ? task_work_cancel+0x2b0/0x2b0 [ 58.437627][ T5056] ? lockdep_hardirqs_on+0x98/0x140 [ 58.442823][ T5056] ? __x64_sys_umount+0x126/0x170 [ 58.447853][ T5056] ptrace_notify+0x2cd/0x380 [ 58.453832][ T5056] ? user_path_at_empty+0x4c/0x60 [ 58.458851][ T5056] ? do_notify_parent+0x10c0/0x10c0 [ 58.464043][ T5056] ? __x64_sys_umount+0x126/0x170 [ 58.469063][ T5056] ? path_umount+0xf40/0xf40 [ 58.473671][ T5056] ? syscall_enter_from_user_mode+0x32/0x230 [ 58.479848][ T5056] syscall_exit_to_user_mode+0x15c/0x280 [ 58.485515][ T5056] do_syscall_64+0x50/0x110 [ 58.490028][ T5056] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 58.495922][ T5056] RIP: 0033:0x7f0ad5203487 [ 58.500333][ T5056] Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 [ 58.520042][ T5056] RSP: 002b:00007ffc346c1d08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6 [ 58.528626][ T5056] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f0ad5203487 [ 58.536679][ T5056] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffc346c1dc0 [ 58.544642][ T5056] RBP: 00007ffc346c1dc0 R08: 0000000000000000 R09: 0000000000000000 [ 58.552606][ T5056] R10: 00000000ffffffff R11: 0000000000000202 R12: 00007ffc346c2e30 [ 58.560668][ T5056] R13: 00005555561306c0 R14: 431bde82d7b634db R15: 00007ffc346c2e50 [ 58.568654][ T5056] [ 58.571674][ T5056] [ 58.573990][ T5056] The buggy address belongs to the physical page: [ 58.580396][ T5056] page:ffffea0001d8ef80 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x1 pfn:0x763be [ 58.591160][ T5056] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 58.598263][ T5056] page_type: 0xffffff7f(buddy) [ 58.603127][ T5056] raw: 00fff00000000000 ffffea000041a308 ffffea0001d84308 0000000000000000 [ 58.611762][ T5056] raw: 0000000000000001 0000000000000001 00000000ffffff7f 0000000000000000 [ 58.620340][ T5056] page dumped because: kasan: bad access detected [ 58.626827][ T5056] page_owner tracks the page as freed [ 58.632265][ T5056] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 5060, tgid 5060 (syz-executor759), ts 57214251529, free_ts 57517641357 [ 58.649398][ T5056] post_alloc_hook+0x1e6/0x210 [ 58.654335][ T5056] get_page_from_freelist+0x339a/0x3530 [ 58.659883][ T5056] __alloc_pages+0x255/0x670 [ 58.664546][ T5056] alloc_pages_mpol+0x3de/0x640 [ 58.669406][ T5056] shmem_alloc_and_add_folio+0x24f/0xde0 [ 58.675030][ T5056] shmem_get_folio_gfp+0x7c3/0x1ee0 [ 58.680218][ T5056] shmem_write_begin+0x170/0x4c0 [ 58.685233][ T5056] generic_perform_write+0x31b/0x630 [ 58.690508][ T5056] shmem_file_write_iter+0xfc/0x120 [ 58.695697][ T5056] vfs_write+0x792/0xb20 [ 58.700291][ T5056] ksys_write+0x1a0/0x2c0 [ 58.704612][ T5056] do_syscall_64+0x44/0x110 [ 58.709280][ T5056] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 58.715178][ T5056] page last free stack trace: [ 58.719835][ T5056] free_unref_page_prepare+0x92a/0xa50 [ 58.725281][ T5056] free_unref_page_list+0x596/0x830 [ 58.730464][ T5056] release_pages+0x2113/0x23f0 [ 58.735225][ T5056] __folio_batch_release+0x84/0x100 [ 58.740422][ T5056] shmem_undo_range+0x6aa/0x19c0 [ 58.745395][ T5056] shmem_evict_inode+0x29b/0xa60 [ 58.750322][ T5056] evict+0x2a4/0x620 [ 58.754203][ T5056] __dentry_kill+0x436/0x650 [ 58.758786][ T5056] dentry_kill+0xbb/0x290 [ 58.763195][ T5056] dput+0x21e/0x470 [ 58.766991][ T5056] __fput+0x60b/0xa10 [ 58.770965][ T5056] task_work_run+0x24a/0x300 [ 58.775547][ T5056] ptrace_notify+0x2cd/0x380 [ 58.780217][ T5056] syscall_exit_to_user_mode+0x15c/0x280 [ 58.785845][ T5056] do_syscall_64+0x50/0x110 [ 58.790337][ T5056] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 58.796310][ T5056] [ 58.798804][ T5056] Memory state around the buggy address: [ 58.804626][ T5056] ffff8880763bdf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 58.812846][ T5056] ffff8880763bdf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 58.820979][ T5056] >ffff8880763be000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.829021][ T5056] ^ [ 58.833075][ T5056] ffff8880763be080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.841381][ T5056] ffff8880763be100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 58.849428][ T5056] ================================================================== [ 58.857996][ T5056] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 58.865207][ T5056] CPU: 0 PID: 5056 Comm: syz-executor759 Not tainted 6.6.0-syzkaller-16176-g1b907d050735 #0 [ 58.875367][ T5056] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 [ 58.885412][ T5056] Call Trace: [ 58.888689][ T5056] [ 58.891617][ T5056] dump_stack_lvl+0x1e7/0x2d0 [ 58.896294][ T5056] ? nf_tcp_handle_invalid+0x650/0x650 [ 58.901928][ T5056] ? panic+0x850/0x850 [ 58.905986][ T5056] ? lockdep_hardirqs_on_prepare+0x43c/0x7a0 [ 58.911960][ T5056] ? vscnprintf+0x5d/0x80 [ 58.916278][ T5056] panic+0x349/0x850 [ 58.920429][ T5056] ? check_panic_on_warn+0x21/0xa0 [ 58.925528][ T5056] ? __memcpy_flushcache+0x2b0/0x2b0 [ 58.930810][ T5056] ? _raw_spin_unlock_irqrestore+0x12c/0x140 [ 58.936779][ T5056] ? _raw_spin_unlock+0x40/0x40 [ 58.941620][ T5056] check_panic_on_warn+0x82/0xa0 [ 58.946553][ T5056] ? crc_itu_t+0x1d5/0x2a0 [ 58.950960][ T5056] end_report+0x6e/0x130 [ 58.955193][ T5056] kasan_report+0x153/0x170 [ 58.959690][ T5056] ? crc_itu_t+0x1d5/0x2a0 [ 58.964184][ T5056] crc_itu_t+0x1d5/0x2a0 [ 58.968436][ T5056] udf_sync_fs+0x1d2/0x380 [ 58.972845][ T5056] ? udf_put_super+0x160/0x160 [ 58.977597][ T5056] ? get_nr_dirty_inodes+0x1c7/0x210 [ 58.982869][ T5056] sync_filesystem+0xec/0x220 [ 58.987539][ T5056] generic_shutdown_super+0x72/0x2c0 [ 58.992820][ T5056] kill_block_super+0x44/0x90 [ 58.997517][ T5056] deactivate_locked_super+0xc1/0x130 [ 59.002908][ T5056] cleanup_mnt+0x426/0x4c0 [ 59.007343][ T5056] ? _raw_spin_unlock_irq+0x23/0x50 [ 59.012533][ T5056] task_work_run+0x24a/0x300 [ 59.017127][ T5056] ? task_work_cancel+0x2b0/0x2b0 [ 59.022143][ T5056] ? lockdep_hardirqs_on+0x98/0x140 [ 59.027340][ T5056] ? __x64_sys_umount+0x126/0x170 [ 59.032357][ T5056] ptrace_notify+0x2cd/0x380 [ 59.036943][ T5056] ? user_path_at_empty+0x4c/0x60 [ 59.041959][ T5056] ? do_notify_parent+0x10c0/0x10c0 [ 59.047285][ T5056] ? __x64_sys_umount+0x126/0x170 [ 59.052319][ T5056] ? path_umount+0xf40/0xf40 [ 59.056913][ T5056] ? syscall_enter_from_user_mode+0x32/0x230 [ 59.062983][ T5056] syscall_exit_to_user_mode+0x15c/0x280 [ 59.068701][ T5056] do_syscall_64+0x50/0x110 [ 59.073291][ T5056] entry_SYSCALL_64_after_hwframe+0x63/0x6b [ 59.079200][ T5056] RIP: 0033:0x7f0ad5203487 [ 59.083631][ T5056] Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 c7 c2 b8 ff ff ff f7 d8 64 89 02 b8 [ 59.103834][ T5056] RSP: 002b:00007ffc346c1d08 EFLAGS: 00000202 ORIG_RAX: 00000000000000a6 [ 59.112325][ T5056] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f0ad5203487 [ 59.120283][ T5056] RDX: 0000000000000000 RSI: 000000000000000a RDI: 00007ffc346c1dc0 [ 59.128243][ T5056] RBP: 00007ffc346c1dc0 R08: 0000000000000000 R09: 0000000000000000 [ 59.136205][ T5056] R10: 00000000ffffffff R11: 0000000000000202 R12: 00007ffc346c2e30 [ 59.144163][ T5056] R13: 00005555561306c0 R14: 431bde82d7b634db R15: 00007ffc346c2e50 [ 59.152150][ T5056] [ 59.155348][ T5056] Kernel Offset: disabled [ 59.159657][ T5056] Rebooting in 86400 seconds..